User Added To Root/Sudoers Group Using Usermod

 1title: User Added To Root/Sudoers Group Using Usermod
 2id: 6a50f16c-3b7b-42d1-b081-0fdd3ba70a73
 3status: test
 4description: Detects usage of the "usermod" binary to add users add users to the root or suoders groups
 5references:
 6    - https://pberba.github.io/security/2021/11/23/linux-threat-hunting-for-persistence-account-creation-manipulation/
 7    - https://www.configserverfirewall.com/ubuntu-linux/ubuntu-add-user-to-root-group/
 8author: TuanLe (GTSC)
 9date: 2022/12/21
10tags:
11    - attack.privilege_escalation
12    - attack.persistence
13logsource:
14    product: linux
15    category: process_creation
16detection:
17    selection:
18        Image|endswith: '/usermod'
19        CommandLine|contains:
20            - '-aG root'
21            - '-aG sudoers'
22    condition: selection
23falsepositives:
24    - Legitimate administrator activities
25level: medium

References

• Hunting for Persistence in Linux (Part 2): Account Creation and Manipulation

  

  How attackers use newly created and existing accounts for peristence and how to detect them.

  
  Read More

• Add User To Root Group In Ubuntu Linux

  

  What happens if you add a normal user to the root group? We can add regular users to the root Linux group using the usermod command.

  
  Read More

Related rules

• Abuse of Service Permissions to Hide Services Via Set-Service
• Abuse of Service Permissions to Hide Services Via Set-Service - PS
• Account Tampering - Suspicious Failed Logon Reasons
• Application AppID Uri Configuration Changes
• Application URI Configuration Changes