sigma-rules/hunting/linux/docs/persistence_via_user_group_creation_modification.md
Terrance DeJesus 70411664cf [Bug] Normalize Hunting Index Link Generation (#3872)
* normalizing hunting link generation

* replacing header

* adjusting quotes in f-strings

* added source file to metadata

* removed os dependency

* address bug in source file links

* reverting TOML loading

* change all List type hinting to list

* change all List type hinting to list

* fixed accented characters in queries

* reverted accent character removal; moved macos query and MD to macos folder
2024-07-10 11:01:59 -04:00


Privilege Escalation/Persistence via User/Group Creation and/or Modification


Metadata

  • Author: Elastic

  • Description: This hunt identifies user and group creation or modification activities on Linux systems using OSQuery. It monitors changes to the shadow file, user and group information, and user processes. These activities can indicate potential unauthorized access or privilege escalation attempts. The hunt lists detailed information for further analysis and investigation.

  • UUID: f00c9757-d21b-432c-90a6-8372f18075d0

  • Integration: endpoint

  • Language: [SQL]

  • Source File: Privilege Escalation/Persistence via User/Group Creation and/or Modification

Query

-- All shadow entries (baseline of local accounts and their password state)
SELECT * FROM shadow;

-- Accounts whose password is not locked, i.e. able to authenticate
SELECT * FROM shadow
WHERE password_status != "locked";

-- Accounts with uid 0 other than root (privilege escalation via a second superuser)
SELECT username, gid, uid, shell, description FROM users
WHERE username != 'root' AND uid LIKE "0";

-- Details and login state of a specific account of interest ("newuser" is a placeholder)
SELECT * FROM users WHERE username = "newuser";
SELECT * FROM logged_in_users WHERE user = "newuser";

-- Running processes mapped to the owning account
SELECT pid, username, name FROM processes p JOIN users u ON u.uid = p.uid ORDER BY username;

Notes

  • Monitors changes to the shadow file and user/group information using OSQuery to detect potentially unauthorized access or privilege escalation attempts.
  • Lists detailed information about users, including authentication status and running processes.
  • Requires additional data analysis and investigation into results to identify malicious or unauthorized user and group modifications.
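The notes above leave the "further analysis" step to the analyst. The following is an added example (not code from the Elastic repository) of that step: it diffs two snapshots of the `users` table, as `osqueryi --json` would emit them, and applies the hunt's uid-0 and unlocked-password conditions only to accounts that were created or modified between the snapshots. The snapshot rows are constructed sample data, not output from a real host.

```python
import json

# Constructed sample snapshots in the JSON shape `osqueryi --json` emits (not data from a real host).
USERS_BEFORE = json.loads("""[
 {"username":"root","uid":"0","gid":"0","shell":"/bin/bash","directory":"/root"},
 {"username":"alice","uid":"1000","gid":"1000","shell":"/bin/bash","directory":"/home/alice"},
 {"username":"www-data","uid":"33","gid":"33","shell":"/usr/sbin/nologin","directory":"/var/www"}
]""")
USERS_AFTER = json.loads("""[
 {"username":"root","uid":"0","gid":"0","shell":"/bin/bash","directory":"/root"},
 {"username":"alice","uid":"1000","gid":"1000","shell":"/bin/bash","directory":"/home/alice"},
 {"username":"www-data","uid":"33","gid":"33","shell":"/bin/bash","directory":"/var/www"},
 {"username":"newuser","uid":"0","gid":"0","shell":"/bin/bash","directory":"/home/newuser"}
]""")
SHADOW_AFTER = json.loads("""[
 {"username":"root","password_status":"active"},
 {"username":"alice","password_status":"active"},
 {"username":"www-data","password_status":"locked"},
 {"username":"newuser","password_status":"active"}
]""")

WATCHED_FIELDS = ("uid", "gid", "shell", "directory")

def diff_users(before, after):
    """Return (created, modified): usernames new in `after`, and existing ones whose watched fields changed."""
    old = {u["username"]: u for u in before}
    new = {u["username"]: u for u in after}
    created = sorted(new.keys() - old.keys())
    modified = sorted(n for n in new.keys() & old.keys()
                      if any(new[n].get(f) != old[n].get(f) for f in WATCHED_FIELDS))
    return created, modified

def triage(users, shadow):
    """Mirror the hunt's query conditions over snapshot rows: uid 0 accounts other than root,
    and accounts whose shadow entry is not locked. Returns a sorted list of (finding, username)."""
    status = {s["username"]: s.get("password_status") for s in shadow}
    findings = set()
    for u in users:
        name = u["username"]
        if str(u["uid"]) == "0" and name != "root":
            findings.add(("uid0_non_root", name))
        if status.get(name) not in (None, "locked"):
            findings.add(("unlocked", name))
    return sorted(findings)

def hunt(before, after, shadow):
    """Combine snapshot diffing with triage so only created or modified accounts surface."""
    created, modified = diff_users(before, after)
    changed = set(created) | set(modified)
    return {"created": created, "modified": modified,
            "findings": [f for f in triage(after, shadow) if f[1] in changed]}

if __name__ == "__main__":
    print(json.dumps(hunt(USERS_BEFORE, USERS_AFTER, SHADOW_AFTER), indent=2))
```

In the sample, `www-data` surfaces as modified (shell changed to an interactive one) and `newuser` as a newly created, unlocked uid-0 account; unchanged accounts such as `alice` are not reported even though they are unlocked.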

MITRE ATT&CK Techniques

License

  • Elastic License v2