SPL · Apache-2.0 · from splunk/security_content
Linux Auditd Add User Account
The following analytic detects the creation of new user accounts on Linux systems using commands like "useradd" or "adduser." It leverages data from Endpoint Detection and Response (EDR) agents, focusing on process names and command-line executions. This activity is significant as adversaries often create new user accounts to establish persistence on compromised hosts. If confirmed malicious, this could allow attackers to maintain access, escalate privileges, and further compromise the system, posing a severe security risk.
Quality: 51 · FP risk: — · Forks: 0 · Views: 0
Rule source: detections/endpoint/linux_auditd_add_user_account.yml
`linux_auditd` proctitle IN ("*useradd*", "*adduser*")
| rename host as dest
| stats count min(_time) as firstTime max(_time) as lastTime
BY proctitle dest
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `linux_auditd_add_user_account_filter`
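As an added example, not code from the Splunk rule or the splunk/security_content project, the following Python reproduces the same detection logic over constructed auditd PROCTITLE records: it matches proctitle against the two wildcard patterns and aggregates count, first time and last time by (proctitle, dest), as the `stats ... BY proctitle dest` clause does. It assumes auditd is configured with name_format=hostname so each record carries a node= field (used as dest), and it handles the two forms auditd uses to write proctitle, a quoted string or hex-encoded argv with NUL separators; the SPL search is assumed to run after an ingestion pipeline has already produced a plain-text proctitle field. All sample records are constructed for illustration.

```python
"""Detect useradd/adduser executions in raw auditd PROCTITLE records.

Added example mirroring the SPL search above: match proctitle against
*useradd*/*adduser*, then aggregate count/firstTime/lastTime by (proctitle, dest).
"""
import re
from datetime import datetime, timezone

# The two substrings the SPL wildcards ("*useradd*", "*adduser*") look for.
PATTERNS = ("useradd", "adduser")

# Assumes name_format=hostname in auditd.conf, so records start with node=<host>.
PROCTITLE_RE = re.compile(
    r"^(?:node=(?P<node>\S+)\s+)?type=PROCTITLE\s+"
    r"msg=audit\((?P<ts>\d+\.\d+):\d+\):\s+proctitle=(?P<title>.*)$"
)


def decode_proctitle(raw: str) -> str:
    """auditd quotes proctitle when it has no spaces or NULs; otherwise it
    writes argv hex-encoded with NUL separators. Normalise both to 'cmd arg arg'."""
    raw = raw.strip()
    if raw.startswith('"') and raw.endswith('"'):
        return raw[1:-1]
    try:
        return bytes.fromhex(raw).decode("utf-8", "replace").replace("\x00", " ").rstrip()
    except ValueError:
        return raw  # not hex: leave it as-is rather than drop the record


def parse_event(line: str):
    """Return {'dest', 'time', 'proctitle'} for a PROCTITLE record, else None."""
    m = PROCTITLE_RE.match(line.strip())
    if not m:
        return None
    return {
        "dest": m.group("node") or "unknown",
        "time": float(m.group("ts")),
        "proctitle": decode_proctitle(m.group("title")),
    }


def is_add_user(proctitle: str) -> bool:
    """Substring match, exactly as the SPL wildcards behave (case-insensitive)."""
    lowered = proctitle.lower()
    return any(p in lowered for p in PATTERNS)


def detect(lines):
    """Aggregate matching records by (proctitle, dest) like the SPL stats clause."""
    stats = {}
    for line in lines:
        ev = parse_event(line)
        if ev is None or not is_add_user(ev["proctitle"]):
            continue
        key = (ev["proctitle"], ev["dest"])
        entry = stats.setdefault(key, {"count": 0, "firstTime": ev["time"], "lastTime": ev["time"]})
        entry["count"] += 1
        entry["firstTime"] = min(entry["firstTime"], ev["time"])
        entry["lastTime"] = max(entry["lastTime"], ev["time"])
    return stats


def _hex_argv(cmd: str) -> str:
    """Encode a command line the way auditd does: argv joined by NUL, then hex."""
    return cmd.replace(" ", "\x00").encode().hex().upper()


# Constructed sample records (hypothetical hosts and timestamps, not real captures).
SAMPLE_EVENTS = [
    "node=web01 type=PROCTITLE msg=audit(1700000000.101:201): proctitle=" + _hex_argv("useradd -m backdoor"),
    "node=db02 type=PROCTITLE msg=audit(1700000010.200:202): proctitle=\"adduser\"",
    "node=web01 type=PROCTITLE msg=audit(1700000020.300:203): proctitle=" + _hex_argv("ls -la /home"),
    "node=web01 type=SYSCALL msg=audit(1700000020.300:203): arch=c000003e syscall=59 success=yes",
    "node=ops03 type=PROCTITLE msg=audit(1700000100.400:204): proctitle=" + _hex_argv("man adduser"),
    "node=web01 type=PROCTITLE msg=audit(1700000300.500:205): proctitle=" + _hex_argv("useradd -m backdoor"),
]


def _ctime(ts: float) -> str:
    """Stand-in for `security_content_ctime`: epoch seconds to a readable UTC time."""
    return datetime.fromtimestamp(ts, tz=timezone.utc).strftime("%Y-%m-%d %H:%M:%S")


if __name__ == "__main__":
    for (title, dest), s in detect(SAMPLE_EVENTS).items():
        print(f"{dest:8} {s['count']:3} {_ctime(s['firstTime'])} {_ctime(s['lastTime'])}  {title}")
```

The `man adduser` record fires too, which is the point of the substring match: it behaves like the SPL wildcards, so anything with those strings on its command line (documentation lookups, log greps, package scripts) counts as a hit. That is why the search ends in `linux_auditd_add_user_account_filter`: known-good automation and administrative hosts are excluded there rather than by loosening the pattern.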