From 904716771a98e7c68d20e1b642073788309c17f2 Mon Sep 17 00:00:00 2001
From: gamma37
Date: Mon, 18 May 2020 10:03:34 +0200
Subject: [PATCH 1/2] Create a new rule to detect "Create Account"

---
 .../auditd/lnx_auditd_create_account.yml | 22 +++++++++++++++++++
 1 file changed, 22 insertions(+)
 create mode 100644 rules/linux/auditd/lnx_auditd_create_account.yml

diff --git a/rules/linux/auditd/lnx_auditd_create_account.yml b/rules/linux/auditd/lnx_auditd_create_account.yml
new file mode 100644
index 000000000..c9a18eac8
--- /dev/null
+++ b/rules/linux/auditd/lnx_auditd_create_account.yml
@@ -0,0 +1,22 @@
+title: Creation Of An User Account
+id: 759d0d51-bc99-4b5e-9add-8f5b2c8e7512
+status: experimental
+description: Detects the creation of a new user account. According to MITRE ATT&CK, "such accounts may be used for persistence that do not require persistent remote access tools to be deployed on the system"
+references:
+ - 'MITRE Attack technique T1136; Create Account '
+date: 2020/05/18
+tags:
+ - attack.T1136
+ - attack.persistence
+author: Marie Euler
+logsource:
+ product: linux
+ service: auditd
+detection:
+ selection:
+ type: 'SYSCALL'
+ exe: '*/useradd'
+ condition: selection
+falsepositives:
+ - Admin activity
+level: medium

From cbf06b1e43dc523885c3107fb35ffcc88c20e735 Mon Sep 17 00:00:00 2001
From: gamma37
Date: Mon, 18 May 2020 10:11:32 +0200
Subject: [PATCH 2/2] lowercased tag

---
 rules/linux/auditd/lnx_auditd_create_account.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/rules/linux/auditd/lnx_auditd_create_account.yml b/rules/linux/auditd/lnx_auditd_create_account.yml
index c9a18eac8..14be30c03 100644
--- a/rules/linux/auditd/lnx_auditd_create_account.yml
+++ b/rules/linux/auditd/lnx_auditd_create_account.yml
@@ -6,7 +6,7 @@ references:
 - 'MITRE Attack technique T1136; Create Account '
 date: 2020/05/18
 tags:
- - attack.T1136
+ - attack.t1136
 - attack.persistence
 author: Marie Euler
 logsource:
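Review bot: The `type: 'SYSCALL'` / `exe: '*/useradd'` selection in the new rule only matches if the host's audit configuration already records useradd executions (an execve syscall rule or a watch on the useradd binary); with the default empty ruleset no SYSCALL record carrying `exe` is produced and the rule stays silent. When shadow-utils is built with audit support, as on the major distributions, useradd itself emits a `type=ADD_USER` record through libaudit regardless of syscall rules, so a second selection `    selection_event:` / `        type: 'ADD_USER'` with `    condition: selection or selection_event` would catch account creation even where no execve auditing is loaded. The description should state that prerequisite so whoever deploys the rule knows which audit rule to load alongside it. The single `references` entry is free text with a trailing space; the field is meant for URLs, and `https://attack.mitre.org/techniques/T1136/` is the canonical link for the technique already named in the tags.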