Login via Unusual System User

This rule identifies successful logins by system users that are uncommon to authenticate. These users have nologin set by default, and must be modified to allow SSH access. Adversaries may backdoor these users to gain unauthorized access to the system.

Elastic rule (View on GitHub)

  1[metadata]
  2creation_date = "2025/01/07"
  3integration = ["system"]
  4maturity = "production"
  5updated_date = "2025/01/15"
  6
  7[rule]
  8author = ["Elastic"]
  9description = """
 10This rule identifies successful logins by system users that are uncommon to authenticate. These users
 11have `nologin` set by default, and must be modified to allow SSH access. Adversaries may backdoor these users to
 12gain unauthorized access to the system.
 13"""
 14from = "now-9m"
 15index = ["filebeat-*", "logs-system.auth-*"]
 16language = "eql"
 17license = "Elastic License v2"
 18name = "Login via Unusual System User"
 19references = [
 20    "https://blog.exatrack.com/Perfctl-using-portainer-and-new-persistences/",
 21    "https://x.com/RFGroenewoud/status/1875112050218922010",
 22]
 23risk_score = 47
 24rule_id = "428e9109-dc13-4ae9-84cb-100464d4c6fa"
 25setup = """## Setup
 26
 27This rule requires data coming in from Filebeat.
 28
 29### Filebeat Setup
 30Filebeat is a lightweight shipper for forwarding and centralizing log data. Installed as an agent on your servers, Filebeat monitors the log files or locations that you specify, collects log events, and forwards them either to Elasticsearch or Logstash for indexing.
 31
 32#### The following steps should be executed in order to add the Filebeat on a Linux System:
 33- Elastic provides repositories available for APT and YUM-based distributions. Note that we provide binary packages, but no source packages.
 34- To install the APT and YUM repositories follow the setup instructions in this [helper guide](https://www.elastic.co/guide/en/beats/filebeat/current/setup-repositories.html).
 35- To run Filebeat on Docker follow the setup instructions in the [helper guide](https://www.elastic.co/guide/en/beats/filebeat/current/running-on-docker.html).
 36- To run Filebeat on Kubernetes follow the setup instructions in the [helper guide](https://www.elastic.co/guide/en/beats/filebeat/current/running-on-kubernetes.html).
 37- For quick start information for Filebeat refer to the [helper guide](https://www.elastic.co/guide/en/beats/filebeat/8.11/filebeat-installation-configuration.html).
 38- For complete “Setup and Run Filebeat” information refer to the [helper guide](https://www.elastic.co/guide/en/beats/filebeat/current/setting-up-and-running.html).
 39
 40#### Rule Specific Setup Note
 41- This rule requires the “Filebeat System Module” to be enabled.
 42- The system module collects and parses logs created by the system logging service of common Unix/Linux based distributions.
 43- To run the system module of Filebeat on Linux follow the setup instructions in the [helper guide](https://www.elastic.co/guide/en/beats/filebeat/current/filebeat-module-system.html).
 44"""
 45severity = "medium"
 46tags = [
 47    "Domain: Endpoint",
 48    "OS: Linux",
 49    "Use Case: Threat Detection",
 50    "Tactic: Persistence",
 51    "Tactic: Defense Evasion",
 52    "Data Source: System",
 53    "Resources: Investigation Guide"
 54]
 55timestamp_override = "event.ingested"
 56type = "eql"
 57query = '''
 58authentication where host.os.type == "linux" and event.action in ("ssh_login", "user_login") and
 59user.name in (
 60  "deamon", "bin", "sys", "games", "man", "lp", "mail", "news", "uucp", "proxy", "www-data", "backup",
 61  "list", "irc", "gnats", "nobody", "systemd-timesync", "systemd-network", "systemd-resolve", "messagebus",
 62  "avahi", "sshd", "dnsmasq"
 63) and event.outcome == "success"
 64'''
 65note = """## Triage and analysis
 66
 67> **Disclaimer**:
 68> This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs.
 69
 70### Investigating Login via Unusual System User
 71
 72In Linux environments, system users typically have restricted login capabilities to prevent unauthorized access. These accounts, often set with `nologin`, are not meant for interactive sessions. Adversaries may exploit these accounts by altering their configurations to enable SSH access, thus bypassing standard security measures. The detection rule identifies successful logins by these uncommon system users, flagging potential unauthorized access attempts for further investigation.
 73
 74### Possible investigation steps
 75
 76- Review the login event details to identify the specific system user account involved in the successful login, focusing on the user.name field.
 77- Check the system logs for any recent changes to the user account's configuration, particularly modifications that might have enabled SSH access for accounts typically set with nologin.
 78- Investigate the source IP address associated with the login event to determine if it is known or suspicious, and assess whether it aligns with expected access patterns.
 79- Examine the timeline of events leading up to and following the login to identify any unusual activities or patterns that could indicate malicious behavior.
 80- Verify if there are any other successful login attempts from the same source IP or involving other system user accounts, which could suggest a broader compromise.
 81- Consult with system administrators to confirm whether any legitimate changes were made to the system user account's login capabilities and document any authorized modifications.
 82
 83### False positive analysis
 84
 85- System maintenance tasks may require temporary login access for system users. Verify if the login corresponds with scheduled maintenance and consider excluding these events during known maintenance windows.
 86- Automated scripts or services might use system accounts for legitimate purposes. Identify these scripts and whitelist their associated activities to prevent false alerts.
 87- Some system users might be configured for specific applications that require login capabilities. Review application requirements and exclude these users if their access is deemed necessary and secure.
 88- In environments with custom configurations, certain system users might be intentionally modified for operational needs. Document these changes and adjust the detection rule to exclude these known modifications.
 89- Regularly review and update the list of system users in the detection rule to ensure it reflects the current environment and operational requirements, minimizing unnecessary alerts.
 90
 91### Response and remediation
 92
 93- Immediately isolate the affected system from the network to prevent further unauthorized access or lateral movement by the adversary.
 94- Terminate any active sessions associated with the unusual system user accounts identified in the alert to disrupt ongoing unauthorized access.
 95- Review and revert any unauthorized changes to the system user accounts, such as modifications to the shell configuration that enabled login capabilities.
 96- Conduct a thorough audit of the system for any additional unauthorized changes or backdoors, focusing on SSH configurations and user account settings.
 97- Reset passwords and update authentication mechanisms for all system user accounts to prevent further exploitation.
 98- Implement additional monitoring and alerting for any future login attempts by system users, ensuring rapid detection and response to similar threats.
 99- Escalate the incident to the security operations team for further investigation and to assess the potential impact on other systems within the network."""
100
101[[rule.threat]]
102framework = "MITRE ATT&CK"
103
104[[rule.threat.technique]]
105id = "T1098"
106name = "Account Manipulation"
107reference = "https://attack.mitre.org/techniques/T1098/"
108
109[[rule.threat.technique.subtechnique]]
110id = "T1098.004"
111name = "SSH Authorized Keys"
112reference = "https://attack.mitre.org/techniques/T1098/004/"
113
114[rule.threat.tactic]
115id = "TA0003"
116name = "Persistence"
117reference = "https://attack.mitre.org/tactics/TA0003/"
118
119[[rule.threat]]
120framework = "MITRE ATT&CK"
121
122[rule.threat.tactic]
123name = "Defense Evasion"
124id = "TA0005"
125reference = "https://attack.mitre.org/tactics/TA0005/"
126
127[[rule.threat.technique]]
128id = "T1564"
129name = "Hide Artifacts"
130reference = "https://attack.mitre.org/techniques/T1564/"
131
132[[rule.threat.technique.subtechnique]]
133id = "T1564.002"
134name = "Hidden Users"
135reference = "https://attack.mitre.org/techniques/T1564/002/"

Triage and analysis

Disclaimer: This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs.

Investigating Login via Unusual System User

In Linux environments, system users typically have restricted login capabilities to prevent unauthorized access. These accounts, often set with nologin, are not meant for interactive sessions. Adversaries may exploit these accounts by altering their configurations to enable SSH access, thus bypassing standard security measures. The detection rule identifies successful logins by these uncommon system users, flagging potential unauthorized access attempts for further investigation.

Possible investigation steps

  • Review the login event details to identify the specific system user account involved in the successful login, focusing on the user.name field.
  • Check the system logs for any recent changes to the user account's configuration, particularly modifications that might have enabled SSH access for accounts typically set with nologin.
  • Investigate the source IP address associated with the login event to determine if it is known or suspicious, and assess whether it aligns with expected access patterns.
  • Examine the timeline of events leading up to and following the login to identify any unusual activities or patterns that could indicate malicious behavior.
  • Verify if there are any other successful login attempts from the same source IP or involving other system user accounts, which could suggest a broader compromise.
  • Consult with system administrators to confirm whether any legitimate changes were made to the system user account's login capabilities and document any authorized modifications.

False positive analysis

  • System maintenance tasks may require temporary login access for system users. Verify if the login corresponds with scheduled maintenance and consider excluding these events during known maintenance windows.
  • Automated scripts or services might use system accounts for legitimate purposes. Identify these scripts and whitelist their associated activities to prevent false alerts.
  • Some system users might be configured for specific applications that require login capabilities. Review application requirements and exclude these users if their access is deemed necessary and secure.
  • In environments with custom configurations, certain system users might be intentionally modified for operational needs. Document these changes and adjust the detection rule to exclude these known modifications.
  • Regularly review and update the list of system users in the detection rule to ensure it reflects the current environment and operational requirements, minimizing unnecessary alerts.

Response and remediation

  • Immediately isolate the affected system from the network to prevent further unauthorized access or lateral movement by the adversary.
  • Terminate any active sessions associated with the unusual system user accounts identified in the alert to disrupt ongoing unauthorized access.
  • Review and revert any unauthorized changes to the system user accounts, such as modifications to the shell configuration that enabled login capabilities.
  • Conduct a thorough audit of the system for any additional unauthorized changes or backdoors, focusing on SSH configurations and user account settings.
  • Reset passwords and update authentication mechanisms for all system user accounts to prevent further exploitation.
  • Implement additional monitoring and alerting for any future login attempts by system users, ensuring rapid detection and response to similar threats.
  • Escalate the incident to the security operations team for further investigation and to assess the potential impact on other systems within the network.

References

Related rules

to-top