Techniques
Sample rules
User Has Been Deleted Via Userdel
- source: sigma
- techniques:
- t1531
Description
Detects execution of the “userdel” binary, which is used to delete a user account and its related files. This is sometimes abused by threat actors to cover their tracks.
Detection logic
condition: selection
selection:
    Image|endswith: /userdel
User Added To Root/Sudoers Group Using Usermod
- source: sigma
- techniques:
Description
Detects usage of the “usermod” binary to add users to the root or sudoers groups.
Detection logic
condition: selection
selection:
    CommandLine|contains:
        - -aG root
        - -aG sudoers
    Image|endswith: /usermod
Group Has Been Deleted Via Groupdel
- source: sigma
- techniques:
- t1531
Description
Detects execution of the “groupdel” binary, which is used to delete a group. This is sometimes abused by threat actors to cover their tracks.
Detection logic
condition: selection
selection:
    Image|endswith: /groupdel
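To see how the three selections above behave on events, here is an added Python example (not part of these rules or of the Sigma project) that implements only the endswith and contains modifiers the rules use, with Sigma's default case-insensitive matching, and runs the selections over constructed process-creation events. The third sample event is a reminder that contains values are literal substrings, so the usermod rule's value list must cover every option spelling your telemetry actually shows.

```python
# The three selections exactly as listed on the page, keyed by rule title.
RULES = {
    "User Has Been Deleted Via Userdel": {"Image|endswith": "/userdel"},
    "User Added To Root/Sudoers Group Using Usermod": {
        "CommandLine|contains": ["-aG root", "-aG sudoers"],
        "Image|endswith": "/usermod",
    },
    "Group Has Been Deleted Via Groupdel": {"Image|endswith": "/groupdel"},
}


def field_matches(event: dict, key: str, wanted) -> bool:
    """One 'Field|modifier: value(s)' line; only the two modifiers the rules
    above use are implemented. A list of values is an OR, a missing field
    never matches, and strings compare case-insensitively (Sigma's default)."""
    field, _, modifier = key.partition("|")
    actual = event.get(field)
    if actual is None:
        return False
    actual = actual.lower()
    for v in (wanted if isinstance(wanted, list) else [wanted]):
        v = v.lower()
        if modifier == "endswith" and actual.endswith(v):
            return True
        if modifier == "contains" and v in actual:
            return True
    return False


def matching_rules(event: dict) -> list:
    """Titles of rules whose selection matches: every key in the selection
    map must match, which is what 'condition: selection' means here."""
    return [
        title
        for title, selection in RULES.items()
        if all(field_matches(event, k, v) for k, v in selection.items())
    ]


# Constructed sample process-creation events (not real log data).
SAMPLE_EVENTS = [
    {"Image": "/usr/sbin/userdel", "CommandLine": "userdel -r tempuser"},
    {"Image": "/usr/sbin/usermod", "CommandLine": "usermod -aG sudoers alice"},
    {"Image": "/usr/sbin/usermod", "CommandLine": "usermod -a -G root bob"},
    {"Image": "/usr/sbin/groupdel", "CommandLine": "groupdel staff"},
]

if __name__ == "__main__":
    for ev in SAMPLE_EVENTS:
        print(ev["CommandLine"], "->", matching_rules(ev) or "no match")
```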