User or Group Creation/Modification

 1[metadata]
 2creation_date = "2024/06/20"
 3integration = ["auditd_manager"]
 4maturity = "production"
 5updated_date = "2025/01/15"
 6
 7[rule]
 8author = ["Elastic"]
 9description = """
10This rule leverages the `auditd_manager` integration to detect user or group creation or modification events on Linux
11systems. Threat actors may attempt to create or modify users or groups to establish persistence on the system.
12"""
13from = "now-9m"
14index = ["auditbeat-*", "logs-auditd_manager.auditd-*"]
15language = "eql"
16license = "Elastic License v2"
17name = "User or Group Creation/Modification"
18references = ["https://www.elastic.co/security-labs/primer-on-persistence-mechanisms"]
19risk_score = 21
20rule_id = "fcf733d5-7801-4eb0-92ac-8ffacf3658f2"
21setup = """## Setup
22
23This rule requires data coming in from Auditd Manager.
24
25### Auditd Manager Integration Setup
26The Auditd Manager Integration receives audit events from the Linux Audit Framework which is a part of the Linux kernel.
27Auditd Manager provides a user-friendly interface and automation capabilities for configuring and monitoring system auditing through the auditd daemon. With `auditd_manager`, administrators can easily define audit rules, track system events, and generate comprehensive audit reports, improving overall security and compliance in the system.
28
29#### The following steps should be executed in order to add the Elastic Agent System integration "auditd_manager" on a Linux System:
30- Go to the Kibana home page and click “Add integrations”.
31- In the query bar, search for “Auditd Manager” and select the integration to see more details about it.
32- Click “Add Auditd Manager”.
33- Configure the integration name and optionally add a description.
34- Review optional and advanced settings accordingly.
35- Add the newly installed “auditd manager” to an existing or a new agent policy, and deploy the agent on a Linux system from which auditd log files are desirable.
36- Click “Save and Continue”.
37- For more details on the integration refer to the [helper guide](https://docs.elastic.co/integrations/auditd_manager).
38
39#### Rule Specific Setup Note
40Auditd Manager subscribes to the kernel and receives events as they occur without any additional configuration.
41However, if more advanced configuration is required to detect specific behavior, audit rules can be added to the integration in either the "audit rules" configuration box or the "auditd rule files" box by specifying a file to read the audit rules from.
42For this detection rule to trigger, the following additional audit rules are required to be added to the integration:

 1"""
 2severity = "low"
 3tags = [
 4    "Domain: Endpoint",
 5    "OS: Linux",
 6    "Use Case: Threat Detection",
 7    "Tactic: Persistence",
 8    "Data Source: Auditd Manager",
 9    "Resources: Investigation Guide",
10]
11timestamp_override = "event.ingested"
12type = "eql"
13
14query = '''
15iam where host.os.type == "linux" and event.type in ("creation", "change") and auditd.result == "success" and
16event.action in ("changed-password", "added-user-account", "added-group-account-to")
17'''
18note = """## Triage and analysis
19
20> **Disclaimer**:
21> This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs.
22
23### Investigating User or Group Creation/Modification
24
25In Linux environments, user and group management is crucial for access control and system administration. Adversaries may exploit this by creating or modifying accounts to maintain unauthorized access. The detection rule utilizes audit logs to monitor successful user or group changes, flagging potential persistence tactics by correlating specific actions with known threat behaviors.
26
27### Possible investigation steps
28
29- Review the audit logs to identify the specific user or group account that was created or modified, focusing on the event.action field values such as "changed-password", "added-user-account", or "added-group-account-to".
30- Check the timestamp of the event to determine when the account change occurred and correlate it with any other suspicious activities or alerts around the same time.
31- Investigate the source of the event by examining the host information, particularly the host.os.type field, to understand which system the changes were made on.
32- Identify the user or process that initiated the account change by reviewing the associated user information in the audit logs, which may provide insights into whether the action was authorized or potentially malicious.
33- Cross-reference the identified user or group changes with known threat actor behaviors or recent incidents to assess if the activity aligns with any known persistence tactics.
34
35### False positive analysis
36
37- Routine administrative tasks may trigger alerts when system administrators create or modify user or group accounts as part of regular maintenance. To manage this, consider creating exceptions for known administrative accounts or scheduled maintenance windows.
38- Automated scripts or configuration management tools that manage user accounts can generate false positives. Identify these tools and exclude their actions from triggering alerts by whitelisting their processes or user accounts.
39- System updates or software installations that require user or group modifications might be flagged. Review the context of these changes and exclude specific update processes or installation scripts from the rule.
40- Temporary user accounts created for short-term projects or testing purposes can be mistaken for unauthorized access attempts. Implement a naming convention for temporary accounts and exclude them from the rule to reduce noise.
41- Changes made by trusted third-party services or applications that integrate with the system may appear suspicious. Verify these services and add them to an exception list to prevent unnecessary alerts.
42
43### Response and remediation
44
45- Immediately isolate the affected system from the network to prevent further unauthorized access or lateral movement by the adversary.
46- Review the audit logs to identify the specific user or group accounts that were created or modified, and disable or remove any unauthorized accounts.
47- Reset passwords for any compromised or suspicious accounts to prevent further unauthorized access.
48- Conduct a thorough review of system and application logs to identify any additional unauthorized changes or suspicious activities that may have occurred.
49- Escalate the incident to the security operations team for further investigation and to determine if additional systems have been compromised.
50- Implement additional monitoring on the affected system and similar systems to detect any further unauthorized account activities.
51- Review and update access control policies and procedures to prevent similar incidents in the future, ensuring that only authorized personnel have the ability to create or modify user and group accounts."""
52
53
54[[rule.threat]]
55framework = "MITRE ATT&CK"
56[[rule.threat.technique]]
57id = "T1136"
58name = "Create Account"
59reference = "https://attack.mitre.org/techniques/T1136/"
60[[rule.threat.technique.subtechnique]]
61id = "T1136.001"
62name = "Local Account"
63reference = "https://attack.mitre.org/techniques/T1136/001/"
64
65
66
67[rule.threat.tactic]
68id = "TA0003"
69name = "Persistence"
70reference = "https://attack.mitre.org/tactics/TA0003/"