LoFP / legitimate administrator activities

Techniques

• t1531

Sample rules

User Has Been Deleted Via Userdel

• source: sigma
• technicques:
  • t1531

Description

Detects execution of the “userdel” binary. Which is used to delete a user account and related files. This is sometimes abused by threat actors in order to cover their tracks

Detection logic

condition: selection
selection:
  Image|endswith: /userdel

Group Has Been Deleted Via Groupdel

• source: sigma
• technicques:
  • t1531

Description

Detects execution of the “groupdel” binary. Which is used to delete a group. This is sometimes abused by threat actors in order to cover their tracks

Detection logic

condition: selection
selection:
  Image|endswith: /groupdel

User Added To Root/Sudoers Group Using Usermod

• source: sigma
• technicques:

Description

Detects usage of the “usermod” binary to add users add users to the root or suoders groups

Detection logic

condition: selection
selection:
  CommandLine|contains:
  - -aG root
  - -aG sudoers
  Image|endswith: /usermod