User Has Been Deleted Via Userdel
Detects execution of the "userdel" binary, which is used to delete a user account and its related files (with `-r`, the home directory and mail spool as well). Threat actors sometimes use it to remove accounts they created and cover their tracks.
Sigma rule

```yaml
title: User Has Been Deleted Via Userdel
id: 08f26069-6f80-474b-8d1f-d971c6fedea0
status: test
description: Detects execution of the "userdel" binary, which is used to delete a user account and related files. This is sometimes abused by threat actors in order to cover their tracks
references:
    - https://linuxize.com/post/how-to-delete-group-in-linux/
    - https://www.cyberciti.biz/faq/linux-remove-user-command/
    - https://www.cybrary.it/blog/0p3n/linux-commands-used-attackers/
    - https://linux.die.net/man/8/userdel
author: Tuan Le (NCSGroup)
date: 2022-12-26
tags:
    - attack.impact
    - attack.t1531
logsource:
    product: linux
    category: process_creation
detection:
    selection:
        Image|endswith: '/userdel'
    condition: selection
falsepositives:
    - Legitimate administrator activities
level: medium
```
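The selection above is a single `endswith` test on the `Image` field. The following Python replays that logic over a few constructed process-creation events so the match boundaries are visible: the leading `/` in the pattern anchors on the basename, Sigma string matching is case-insensitive by default, and a wrapper such as `sudo` or `deluser` does not match on its own event. This is an added illustration, not code from the Sigma project; the newline-delimited JSON event shape, the sample events and the alert record layout are assumptions made for the example (the generic Sigma field names `Image`, `CommandLine` and `User` are used so the selection maps directly).

```python
"""Replay the "User Has Been Deleted Via Userdel" selection over constructed
process_creation events.  Added example; not part of the Sigma rule or repo.
Event format (JSON lines with Image/CommandLine/User) is an assumption."""
import json

RULE_TITLE = "User Has Been Deleted Via Userdel"
RULE_LEVEL = "medium"
RULE_TAGS = ("attack.impact", "attack.t1531")


def matches_userdel_rule(event: dict) -> bool:
    """Sigma selection `Image|endswith: '/userdel'`.

    Sigma string matching is case-insensitive unless the `cased` modifier is
    used, so both sides are lowered.  The leading '/' anchors the match to the
    basename: '/opt/tools/notuserdel' must not hit, '/tmp/userdel' must.
    """
    image = str(event.get("Image", ""))
    return image.lower().endswith("/userdel")


def run_rule(raw_events: str) -> list[dict]:
    """Parse newline-delimited JSON events and return one alert per match."""
    alerts = []
    for line in raw_events.splitlines():
        line = line.strip()
        if not line:
            continue
        event = json.loads(line)
        if matches_userdel_rule(event):
            alerts.append({
                "title": RULE_TITLE,
                "level": RULE_LEVEL,
                "tags": list(RULE_TAGS),
                "Image": event.get("Image"),
                "CommandLine": event.get("CommandLine"),
                "User": event.get("User"),
            })
    return alerts


# Constructed sample events, not real telemetry.  Only the first and the
# fifth line should match: the others are wrappers, a manual /etc/passwd
# edit, and a basename that merely contains "userdel".
SAMPLE_EVENTS = """
{"Image": "/usr/sbin/userdel", "CommandLine": "userdel -r jdoe", "User": "root"}
{"Image": "/usr/sbin/deluser", "CommandLine": "deluser --remove-home jdoe", "User": "root"}
{"Image": "/usr/bin/vim", "CommandLine": "vim /etc/passwd", "User": "root"}
{"Image": "/opt/tools/notuserdel", "CommandLine": "notuserdel", "User": "root"}
{"Image": "/tmp/userdel", "CommandLine": "./userdel -f svc_backup", "User": "root"}
{"Image": "/usr/bin/sudo", "CommandLine": "sudo userdel jdoe", "User": "ops"}
"""

if __name__ == "__main__":
    for alert in run_rule(SAMPLE_EVENTS):
        print(json.dumps(alert))
```

Two points a practitioner would check before deploying this rule. First, the `sudo` and `deluser` events do not match on their own, but each of them execs the real `/usr/sbin/userdel` as a child, so a second process-creation event does fire as long as the telemetry logs every exec; the `/tmp/userdel` hit shows the opposite side, where the rule matches any binary with that basename regardless of location, which is usually desirable. Second, an attacker who removes an account by editing `/etc/passwd` and `/etc/shadow` directly (the `vim /etc/passwd` line) never touches `userdel`, so this rule should be paired with file-modification monitoring on those files rather than relied on alone.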
Related rules
- AWS ElastiCache Security Group Modified or Deleted
- Azure Kubernetes Service Account Modified or Deleted
- Google Cloud Service Account Disabled or Deleted
- Group Has Been Deleted Via Groupdel
- Okta User Account Locked Out