User Added To Root/Sudoers Group Using Usermod
Detects usage of the "usermod" binary to add users to the root or sudoers groups
Sigma rule
title: User Added To Root/Sudoers Group Using Usermod
id: 6a50f16c-3b7b-42d1-b081-0fdd3ba70a73
status: test
description: Detects usage of the "usermod" binary to add users to the root or sudoers groups
references:
    - https://pberba.github.io/security/2021/11/23/linux-threat-hunting-for-persistence-account-creation-manipulation/
    - https://www.configserverfirewall.com/ubuntu-linux/ubuntu-add-user-to-root-group/
author: TuanLe (GTSC)
date: 2022-12-21
tags:
    - attack.privilege-escalation
    - attack.persistence
logsource:
    product: linux
    category: process_creation
detection:
    selection:
        Image|endswith: '/usermod'
        CommandLine|contains:
            - '-aG root'
            - '-aG sudoers'
    condition: selection
falsepositives:
    - Legitimate administrator activities
level: medium
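To show how the selection above evaluates, here is a small added example (not part of the Sigma project or the rule author's work) that applies the rule's `endswith` and `contains` modifiers, with Sigma's default case-insensitive string matching, to a few constructed process_creation events; the event dicts and their values are made up for the demo.

```python
"""Evaluate the usermod Sigma rule against constructed Linux
process_creation events.  Field names (Image, CommandLine) follow the
rule; the events themselves are constructed, not real telemetry."""

# Detection block transcribed from the rule (condition: selection).
SELECTION = {
    "Image|endswith": ["/usermod"],
    "CommandLine|contains": ["-aG root", "-aG sudoers"],
}


def _match_modifier(value, modifier, patterns):
    """Apply one Sigma string modifier.  Sigma compares strings
    case-insensitively by default, so both sides are lower-cased."""
    if value is None:          # field absent from the event: no match
        return False
    v = str(value).lower()
    for p in patterns:         # list values inside a map are ORed
        p = p.lower()
        if modifier == "endswith" and v.endswith(p):
            return True
        if modifier == "contains" and p in v:
            return True
        if modifier is None and v == p:
            return True
    return False


def selection_matches(event, selection=SELECTION):
    """Every key inside a Sigma map must match (logical AND)."""
    for key, patterns in selection.items():
        field, _, modifier = key.partition("|")
        if not _match_modifier(event.get(field), modifier or None, patterns):
            return False
    return True


# Constructed sample events: two true positives, one legitimate group
# change, one unrelated binary, and one odd-cased command line.
EVENTS = [
    {"Image": "/usr/sbin/usermod", "CommandLine": "usermod -aG root alice"},
    {"Image": "/usr/sbin/usermod", "CommandLine": "usermod -aG sudoers bob"},
    {"Image": "/usr/sbin/usermod", "CommandLine": "usermod -aG docker carol"},
    {"Image": "/usr/sbin/useradd", "CommandLine": "useradd -m dave"},
    {"Image": "/usr/sbin/usermod", "CommandLine": "USERMOD -AG ROOT eve"},
]


def alerts(events=EVENTS):
    """Return the CommandLine of every event that fires the rule."""
    return [e["CommandLine"] for e in events if selection_matches(e)]


if __name__ == "__main__":
    for cmd in alerts():
        print("ALERT:", cmd)
```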