Unusual Linux User Discovery Activity

Looks for commands related to system user or owner discovery from an unusual user context. This can be due to uncommon troubleshooting activity or due to a compromised account. A compromised account may be used to engage in system owner or user discovery in order to identify currently active or primary users of a system. This may be a precursor to additional discovery, credential dumping or privilege elevation activity.

Elastic rule (View on GitHub)

 1[metadata]
 2creation_date = "2020/09/03"
 3integration = ["auditd_manager", "endpoint"]
 4maturity = "production"
 5updated_date = "2024/05/21"
 6
 7[rule]
 8anomaly_threshold = 75
 9author = ["Elastic"]
10description = """
11Looks for commands related to system user or owner discovery from an unusual user context. This can be due to uncommon
12troubleshooting activity or due to a compromised account. A compromised account may be used to engage in system owner or
13user discovery in order to identify currently active or primary users of a system. This may be a precursor to additional
14discovery, credential dumping or privilege elevation activity.
15"""
16false_positives = [
17    """
18    Uncommon user command activity can be due to an engineer logging onto a server instance in order to perform manual
19    troubleshooting or reconfiguration.
20    """,
21]
22from = "now-45m"
23interval = "15m"
24license = "Elastic License v2"
25machine_learning_job_id = ["v3_linux_system_user_discovery"]
26name = "Unusual Linux User Discovery Activity"
27risk_score = 21
28rule_id = "59756272-1998-4b8c-be14-e287035c4d10"
29severity = "low"
30tags = [
31    "Domain: Endpoint",
32    "OS: Linux",
33    "Use Case: Threat Detection",
34    "Rule Type: ML",
35    "Rule Type: Machine Learning",
36    "Tactic: Discovery",
37]
38type = "machine_learning"
39[[rule.threat]]
40framework = "MITRE ATT&CK"
41[[rule.threat.technique]]
42id = "T1033"
43name = "System Owner/User Discovery"
44reference = "https://attack.mitre.org/techniques/T1033/"
45
46
47[rule.threat.tactic]
48id = "TA0007"
49name = "Discovery"
50reference = "https://attack.mitre.org/tactics/TA0007/"

Related rules

to-top