System Owner or User Discovery

Adversaries may use the information from System Owner/User Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.

Sigma rule (View on GitHub)

 1title: System Owner or User Discovery
 2id: 9a0d8ca0-2385-4020-b6c6-cb6153ca56f3
 3status: test
 4description: Adversaries may use the information from System Owner/User Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
 5references:
 6    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1033/T1033.md
 7author: Timur Zinniatullin, oscd.community
 8date: 2019/10/21
 9modified: 2021/11/27
10tags:
11    - attack.discovery
12    - attack.t1033
13logsource:
14    product: linux
15    service: auditd
16detection:
17    selection:
18        type: 'EXECVE'
19        a0:
20            - 'users'
21            - 'w'
22            - 'who'
23    condition: selection
24falsepositives:
25    - Admin activity
26level: low

References

Related rules

to-top