Jonhnathan
24 lines
678 B
YAML
24 lines
678 B
YAML
title: Creation Of An User Account
|
|
id: 759d0d51-bc99-4b5e-9add-8f5b2c8e7512
|
|
status: experimental
|
|
description: Detects the creation of a new user account. Such accounts may be used for persistence that do not require persistent remote access tools to be deployed on the system.
|
|
author: Marie Euler
|
|
date: 2020/05/18
|
|
references:
|
|
- 'MITRE Attack technique T1136; Create Account '
|
|
logsource:
|
|
product: linux
|
|
service: auditd
|
|
detection:
|
|
selection:
|
|
type: 'SYSCALL'
|
|
exe|endswith: '/useradd'
|
|
condition: selection
|
|
falsepositives:
|
|
- Admin activity
|
|
level: medium
|
|
tags:
|
|
- attack.t1136 # an old one
|
|
- attack.t1136.001
|
|
- attack.persistence
|