-
Author: Elastic
-
Description: This hunt identifies user and group creation or modification activities on Linux systems using OSQuery. It monitors changes to the shadow file, user and group information, and user processes. These activities can indicate potential unauthorized access or privilege escalation attempts. The hunt lists detailed information for further analysis and investigation.
-
UUID:
f00c9757-d21b-432c-90a6-8372f18075d0 -
Integration: endpoint
-
Language:
[SQL] -
Source File: Privilege Escalation/Persistence via User/Group Creation and/or Modification
SELECT * FROM shadowSELECT * FROM shadow
WHERE password_status != "locked"SELECT username, gid, uid, shell, description FROM users
WHERE username != 'root' AND uid LIKE "0"SELECT * FROM users WHERE username = "newuser"SELECT * FROM logged_in_users WHERE user = "newuser"SELECT pid, username, name FROM processes p JOIN users u ON u.uid = p.uid ORDER BY username- Monitors changes to the shadow file and user/group information using OSQuery to detect potentially unauthorized access or privilege escalation attempts.
- Lists detailed information about users, including authentication status and running processes.
- Requires additional data analysis and investigation into results to identify malicious or unauthorized user and group modifications.
Elastic License v2