Local System Accounts Discovery - Linux
Detects enumeration of local system accounts. This information can help adversaries determine which local accounts exist on a system to aid in follow-on behavior.
Sigma rule

```yaml
title: Local System Accounts Discovery - Linux
id: b45e3d6f-42c6-47d8-a478-df6bd6cf534c
status: test
description: Detects enumeration of local system accounts. This information can help adversaries determine which local accounts exist on a system to aid in follow-on behavior.
references:
    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1087.001/T1087.001.md
author: Alejandro Ortuno, oscd.community
date: 2020/10/08
modified: 2022/11/27
tags:
    - attack.discovery
    - attack.t1087.001
logsource:
    category: process_creation
    product: linux
detection:
    selection_1:
        Image|endswith: '/lastlog'
    selection_2:
        CommandLine|contains: '''x:0:'''
    selection_3:
        Image|endswith:
            - '/cat'
            - '/head'
            - '/tail'
            - '/more'
        CommandLine|contains:
            - '/etc/passwd'
            - '/etc/shadow'
            - '/etc/sudoers'
    selection_4:
        Image|endswith: '/id'
    selection_5:
        Image|endswith: '/lsof'
        CommandLine|contains: '-u'
    condition: 1 of selection*
falsepositives:
    - Legitimate administration activities
level: low
```
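To make the matching behaviour of the five selections concrete, the following is an added, stand-alone Python evaluator of the rule above, run over constructed Linux process_creation events. It is not SigmaHQ or pySigma code; the event dictionaries, the helper names (`rule_selections`, `run_detection`) and the sample command lines are all assumptions made for this illustration. It applies two Sigma conventions worth remembering when reading the rule: string modifiers such as `endswith` and `contains` compare case-insensitively by default, and the YAML value `'''x:0:'''` is the literal string `'x:0:'` including the single quotes, so `grep x:0: /etc/passwd` without quotes is not caught by selection_2.

```python
"""Added illustration: evaluate the Sigma rule's selections against
constructed Linux process_creation events. Not SigmaHQ/pySigma code."""


def _endswith(value, suffixes):
    # Sigma string matching is case-insensitive by default.
    value = (value or "").lower()
    return any(value.endswith(s.lower()) for s in suffixes)


def _contains(value, needles):
    value = (value or "").lower()
    return any(n.lower() in value for n in needles)


def rule_selections(event):
    """Return the names of the selections an event satisfies.

    The condition is '1 of selection*', so a non-empty result means the rule
    fires. Field names follow the Sigma process_creation schema (Image,
    CommandLine). Helper name is an assumption of this example.
    """
    image = event.get("Image")
    cmd = event.get("CommandLine")
    hits = []
    if _endswith(image, ["/lastlog"]):
        hits.append("selection_1")
    # '''x:0:''' in YAML is the literal 'x:0:' with quotes: the quoted grep
    # pattern used to pull UID-0 accounts out of /etc/passwd.
    if _contains(cmd, ["'x:0:'"]):
        hits.append("selection_2")
    if _endswith(image, ["/cat", "/head", "/tail", "/more"]) and _contains(
        cmd, ["/etc/passwd", "/etc/shadow", "/etc/sudoers"]
    ):
        hits.append("selection_3")
    if _endswith(image, ["/id"]):
        hits.append("selection_4")
    if _endswith(image, ["/lsof"]) and _contains(cmd, ["-u"]):
        hits.append("selection_5")
    return hits


def rule_matches(event):
    return bool(rule_selections(event))


# Constructed sample events, not real telemetry.
SAMPLE_EVENTS = [
    {"Image": "/usr/bin/cat", "CommandLine": "cat /etc/passwd"},          # selection_3
    {"Image": "/usr/bin/grep", "CommandLine": "grep 'x:0:' /etc/passwd"},  # selection_2
    {"Image": "/usr/bin/grep", "CommandLine": "grep x:0: /etc/passwd"},    # unquoted: no match
    {"Image": "/usr/bin/id", "CommandLine": "id"},                         # selection_4
    {"Image": "/usr/bin/lsof", "CommandLine": "lsof -u root"},             # selection_5
    {"Image": "/usr/bin/lastlog", "CommandLine": "lastlog"},               # selection_1
    {"Image": "/usr/bin/cat", "CommandLine": "cat /var/log/syslog"},       # wrong file: no match
    {"Image": "/usr/sbin/blkid", "CommandLine": "blkid"},                  # ends in "id" but not "/id"
    {"Image": "/usr/bin/lsof", "CommandLine": "lsof -U"},                  # matches '-u' case-insensitively
]


def run_detection(events):
    """Return (index, matched selections) for every event that fires the rule."""
    results = []
    for idx, ev in enumerate(events):
        hits = rule_selections(ev)
        if hits:
            results.append((idx, hits))
    return results


if __name__ == "__main__":
    for idx, hits in run_detection(SAMPLE_EVENTS):
        print(f"event {idx}: {SAMPLE_EVENTS[idx]['CommandLine']!r} -> {hits}")
```

The last sample event is the practical caveat: because the default match is case-insensitive, `lsof -U` (list UNIX domain sockets) satisfies selection_5 just as `lsof -u root` does, which is one more reason the rule is shipped at level low with "Legitimate administration activities" as the expected false positive.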
References
- https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1087.001/T1087.001.md
Related rules
- Local System Accounts Discovery - MacOs
- Local Groups Discovery - Linux
- Local Groups Discovery - MacOs
- Security Software Discovery - Linux
- Security Software Discovery - MacOs