Linux User Added to Privileged Group

Elastic Detection Rules

Summary
This rule identifies when a user is added to a privileged group in Linux environments. Attackers add accounts to such groups to escalate privileges or to keep persistent access to a compromised system. The rule detects the execution of commands used to modify group membership, specifically `usermod`, `adduser`, and `gpasswd`, using process execution events from Elastic Defend and from endpoints monitored by agent integrations. The condition matches on the command-line parameters associated with user account management. Findings should be validated to distinguish legitimate administrative actions from potentially malicious activity. The included investigation and response guidelines support full assessment and remediation of detected group modifications.
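The detection idea described above, as an added illustration that is not the rule's own query or Elastic's code: it parses constructed process command lines for the three utilities and reports only those that grant membership in an assumed set of privileged groups (the group list, the event format and the `detect` helper are assumptions).

```python
import re
import shlex

# Assumed set of groups treated as privileged; tune it to the environment.
PRIVILEGED_GROUPS = {"sudo", "wheel", "admin", "adm", "root", "shadow"}


def groups_added(command_line):
    """Return the privileged groups that a usermod/gpasswd/adduser command grants."""
    try:
        argv = shlex.split(command_line)
    except ValueError:
        return set()
    if not argv:
        return set()
    prog, args, groups = argv[0].rsplit("/", 1)[-1], argv[1:], set()
    if prog == "usermod":
        # -G/--groups sets supplementary groups; -aG appends. Either grants membership.
        for i, a in enumerate(args):
            if a.startswith("--groups="):
                groups.update(a.split("=", 1)[1].split(","))
            elif (a == "--groups" or re.fullmatch(r"-[a-zA-Z]*G", a)) and i + 1 < len(args):
                groups.update(args[i + 1].split(","))
    elif prog == "gpasswd":
        # gpasswd -a USER GROUP or gpasswd -M USER,... GROUP: the group is the last argument
        if len(args) >= 2 and any(a in ("-a", "--add", "-M", "--members") for a in args):
            groups.add(args[-1])
    elif prog == "adduser":
        # Debian-style two-argument form: adduser USER GROUP
        positional = [a for a in args if not a.startswith("-")]
        if len(positional) == 2:
            groups.add(positional[1])
    return groups & PRIVILEGED_GROUPS


# Constructed sample process events (not real telemetry)
SAMPLE_EVENTS = [
    {"user": "root", "command_line": "usermod -aG sudo bob"},
    {"user": "root", "command_line": "/usr/sbin/gpasswd -a alice wheel"},
    {"user": "root", "command_line": "adduser carol docker"},
    {"user": "root", "command_line": "usermod --groups=adm,audio dave"},
    {"user": "root", "command_line": "adduser --system svc"},
]


def detect(events):
    """Return (command_line, sorted groups) for every event adding a privileged group."""
    return [(ev["command_line"], sorted(groups_added(ev["command_line"])))
            for ev in events if groups_added(ev["command_line"])]
```

Hits are candidates for triage, not verdicts: the same commands are run legitimately by administrators, so each hit should be checked against the change record and the invoking user.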
Categories
  • Linux
  • Endpoint
Data Sources
  • Process
  • Command
  • User Account
ATT&CK Techniques
  • T1136
  • T1136.001
Created: 2023-02-13