Local System Accounts Discovery - Linux
Detects enumeration of local systeam accounts. This information can help adversaries determine which local accounts exist on a system to aid in follow-on behavior.
Sigma rule (View on GitHub)
1title: Local System Accounts Discovery - Linux
2id: b45e3d6f-42c6-47d8-a478-df6bd6cf534c
3status: test
4description: Detects enumeration of local systeam accounts. This information can help adversaries determine which local accounts exist on a system to aid in follow-on behavior.
5references:
6 - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1087.001/T1087.001.md
7 - https://my.f5.com/manage/s/article/K589
8 - https://man.freebsd.org/cgi/man.cgi?pwd_mkdb
9author: Alejandro Ortuno, oscd.community, CheraghiMilad
10date: 2020-10-08
11modified: 2024-12-10
12tags:
13 - attack.discovery
14 - attack.t1087.001
15logsource:
16 category: process_creation
17 product: linux
18detection:
19 selection_1:
20 Image|endswith: '/lastlog'
21 selection_2:
22 CommandLine|contains: '''x:0:'''
23 selection_3:
24 Image|endswith:
25 - '/cat'
26 - '/ed'
27 - '/head'
28 - '/more'
29 - '/nano'
30 - '/tail'
31 - '/vi'
32 - '/vim'
33 - '/less'
34 - '/emacs'
35 - '/sqlite3'
36 - '/makemap'
37 CommandLine|contains:
38 - '/etc/passwd'
39 - '/etc/shadow'
40 - '/etc/sudoers'
41 - '/etc/spwd.db'
42 - '/etc/pwd.db'
43 - '/etc/master.passwd'
44 selection_4:
45 Image|endswith: '/id'
46 selection_5:
47 Image|endswith: '/lsof'
48 CommandLine|contains: '-u'
49 condition: 1 of selection*
50falsepositives:
51 - Legitimate administration activities
52level: low
References
Related rules
- Malicious PowerShell Commandlets - ProcessCreation
- BloodHound Collection Files
- Cisco Collect Data
- HackTool - Bloodhound/Sharphound Execution
- Local Accounts Discovery