IMPORTANT: No additional bug fixes or documentation updates
will be released for this version. For the latest information, see the
current release documentation.
Linux User Added to Privileged Group
Identifies attempts to add a user to a privileged group. Attackers may add users to a privileged group in order to establish persistence on a system.
Rule type: eql
Rule indices:
- logs-endpoint.events.*
- endgame-*
Severity: medium
Risk score: 47
Runs every: 5m
Searches indices from: now-9m (Date Math format, see also Additional look-back time)
Maximum alerts per execution: 100
References: None
Tags:
- Domain: Endpoint
- OS: Linux
- Use Case: Threat Detection
- Tactic: Persistence
- Data Source: Elastic Endgame
Version: 1
Rule authors:
- Elastic
Rule license: Elastic License v2
Rule query
process where host.os.type == "linux" and event.type == "start" and
  process.parent.name == "sudo" and
  process.args in ("root", "admin", "wheel", "staff", "sudo", "disk", "video", "shadow", "lxc", "lxd") and
  (
    process.name in ("usermod", "adduser") or
    process.name == "gpasswd" and process.args in ("-a", "--add", "-M", "--members")
  )
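To make the rule's matching conditions concrete, the following is an added Python re-implementation of the query's logic (example code, not Elastic's own), run over constructed process-start events that use flattened ECS field names; the group list and gpasswd flags are copied from the query, and the sample events and their outcomes are assumptions for illustration.

```python
from typing import Iterable, List

# Group names and gpasswd flags copied from the rule query above.
PRIVILEGED_GROUPS = {"root", "admin", "wheel", "staff", "sudo",
                     "disk", "video", "shadow", "lxc", "lxd"}
GPASSWD_ADD_FLAGS = {"-a", "--add", "-M", "--members"}


def matches_rule(event: dict) -> bool:
    """Return True when one process-start event satisfies the rule's conditions.

    EQL `field in (...)` on an array field such as process.args is true when
    any element of the array is in the set, so set intersection is used here.
    """
    if event.get("host.os.type") != "linux" or event.get("event.type") != "start":
        return False
    if event.get("process.parent.name") != "sudo":
        return False
    args = set(event.get("process.args", []))
    if not args & PRIVILEGED_GROUPS:
        return False  # no privileged group named on the command line
    name = event.get("process.name")
    if name in ("usermod", "adduser"):
        return True
    # gpasswd only counts when it is invoked with an add/members flag
    return name == "gpasswd" and bool(args & GPASSWD_ADD_FLAGS)


def alerting_events(events: Iterable[dict]) -> List[dict]:
    """Return the events the rule would raise alerts for, in input order."""
    return [e for e in events if matches_rule(e)]


def _event(name, args, parent="sudo"):
    # Constructed event with flattened ECS field names; assumed, not captured data.
    return {"host.os.type": "linux", "event.type": "start",
            "process.parent.name": parent, "process.name": name,
            "process.args": args}


SAMPLE_EVENTS = [
    _event("usermod", ["usermod", "-aG", "sudo", "bob"]),           # alert
    _event("gpasswd", ["gpasswd", "-a", "bob", "docker"]),          # docker not in list
    _event("gpasswd", ["gpasswd", "-d", "bob", "sudo"]),            # -d removes, not adds
    _event("adduser", ["adduser", "bob", "wheel"], parent="bash"),  # parent is not sudo
    _event("gpasswd", ["gpasswd", "--add", "alice", "wheel"]),      # alert
]

if __name__ == "__main__":
    for e in alerting_events(SAMPLE_EVENTS):
        print("ALERT:", " ".join(e["process.args"]))
```

Only the first and last sample events match: the others fail on the group list, the gpasswd flag, or the sudo parent check respectively.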
Framework: MITRE ATT&CK™
- Tactic:
  - Name: Persistence
  - ID: TA0003
  - Reference URL: https://attack.mitre.org/tactics/TA0003/
- Technique:
  - Name: Create Account
  - ID: T1136
  - Reference URL: https://attack.mitre.org/techniques/T1136/
- Sub-technique:
  - Name: Local Account
  - ID: T1136.001
  - Reference URL: https://attack.mitre.org/techniques/T1136/001/