System Owner or User Discovery - Linux
Detects the execution of host or user discovery utilities such as "whoami", "hostname", "id", etc. Adversaries may use the information from System Owner/User Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Sigma rule (View on GitHub)
1title: System Owner or User Discovery - Linux
2id: 9a0d8ca0-2385-4020-b6c6-cb6153ca56f3
3status: test
4description: |
5 Detects the execution of host or user discovery utilities such as "whoami", "hostname", "id", etc.
6 Adversaries may use the information from System Owner/User Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
7references:
8 - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1033/T1033.md
9author: Timur Zinniatullin, oscd.community
10date: 2019-10-21
11modified: 2024-11-30
12tags:
13 - attack.discovery
14 - attack.t1033
15logsource:
16 product: linux
17 service: auditd
18detection:
19 selection:
20 type: 'EXECVE'
21 a0:
22 - 'hostname'
23 - 'id'
24 - 'last'
25 - 'users'
26 - 'w'
27 - 'who'
28 - 'whoami'
29 condition: selection
30falsepositives:
31 - Admin activity
32level: low
References
-
Small and highly portable detection tests based on MITRE's ATT&CK. - redcanaryco/atomic-red-team
Read More
Related rules
- ESXi Network Configuration Discovery Via ESXCLI
- ESXi Storage Information Discovery Via ESXCLI
- ESXi System Information Discovery Via ESXCLI
- ESXi VM List Discovery Via ESXCLI
- ESXi VSAN Information Discovery Via ESXCLI