SigmaHQ/rules/linux/unix_local_account.yml
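title: Local System Accounts Discovery
id: 396fe688-65d9-4828-a078-ed17551f9a8a
status: experimental
description: Detects enumeration of local system accounts
author: Alejandro Ortuno, oscd.community
date: 2020/10/08
references:
  - https://attack.mitre.org/techniques/T1087/001/
  - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1087.001/T1087.001.md
logsource:
  product: unix
detection:
  selection:
    # Substring matches against the process command line; each list entry is
    # an independent OR-ed alternative.
    CommandLine|contains:
      - 'cat /etc/passwd'
      - 'cat /etc/sudoers'
      # NOTE(review): 'id ' is an unanchored substring and will also match any
      # command line whose arguments contain "id " (pid, uuid, grid, ...), so
      # this entry is the main noise source in the rule; consider tightening it
      # in a later revision.
      - 'id '
      # The single quotes are part of the matched text: the rule looks for the
      # literal token 'x:0:' (presumably a quoted grep pattern for UID-0
      # entries in /etc/passwd), not for x:0: on its own.
      - "'x:0:'"
      - 'lsof -u'
  condition: selection
falsepositives:
  - Legitimate administration activities
level: low
tags:
  - attack.discovery
  - attack.t1087.001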