The Group Has Been Deleted Via Groupdel detection rule flags execution of the groupdel binary, which adversaries may use to remove user groups in order to cover their tracks or eliminate audit trails (MITRE ATT&CK T1531, Account Access Removal). SOC teams should proactively hunt for this behavior in Azure Sentinel, since group deletion can accompany lateral movement or privilege escalation that indicates a deeper compromise.
Detection Rule
title: Group Has Been Deleted Via Groupdel
id: 8a46f16c-8c4c-82d1-b121-0fdd3ba70a84
status: test
description: Detects execution of the "groupdel" binary, which is used to delete a group. This is sometimes abused by threat actors in order to cover their tracks.
references:
    - https://linuxize.com/post/how-to-delete-group-in-linux/
    - https://www.cyberciti.biz/faq/linux-remove-user-command/
    - https://www.cybrary.it/blog/0p3n/linux-commands-used-attackers/
    - https://linux.die.net/man/8/groupdel
author: Tuan Le (NCSGroup)
date: 2022-12-26
tags:
    - attack.impact
    - attack.t1531
logsource:
    product: linux
    category: process_creation
detection:
    selection:
        Image|endswith: '/groupdel'
    condition: selection
falsepositives:
    - Legitimate administrator activities
level: medium
Azure Sentinel translation of the rule, using the ASIM imProcessCreate parser (TargetProcessName is the ASIM field that corresponds to the Sigma Image field):

imProcessCreate
| where TargetProcessName endswith "/groupdel"
False Positive Scenarios

Scenario: Scheduled Group Deletion Job
Description: A system administrator has configured a cron job or Task Scheduler to periodically delete outdated groups as part of a cleanup process.
Filter/Exclusion: Check for command_line containing groupdel and filter out entries where the process is initiated by a scheduled task or cron job (e.g., */1 * * * * or SCHTASKS).

Scenario: User Account Cleanup via Groupdel
Description: An admin is manually cleaning up user accounts by deleting groups that are no longer needed.
Filter/Exclusion: Filter out events where the user is a privileged admin (e.g., uid=0 or sudo context) and the group deletion is part of a documented cleanup process.

Scenario: Groupdel Used in a Script for Automation
Description: A script or automation tool (e.g., Ansible, Puppet, or Chef) is used to manage group configurations and may trigger groupdel as part of its workflow.
Filter/Exclusion: Check for command_line containing script paths (e.g., /opt/ansible/ or /usr/bin/puppet) and exclude entries where the script is known to be part of an approved configuration management process.

Scenario: Group Deletion During System Upgrade
Description: During a system upgrade or OS migration, groups may be deleted as part of the upgrade process.
Filter/Exclusion: Filter out events where the process is initiated by an upgrade tool (e.g., apt, yum, dnf, or zypper) or during a known upgrade window.

Scenario: Groupdel Used in a Test Environment
Description: In a test or development environment, an admin may use groupdel to simulate or clean up group configurations.
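The following Python is an added example, not part of the Sigma rule or the page: it applies the rule's selection (Image ending in /groupdel) to a handful of constructed process-creation events and then layers the tuning filters from the scheduled-job, configuration-management and upgrade-tool scenarios on top, so that the alert versus suppressed outcome can be checked before the exclusions are pushed into production. The event field names (Image, ParentImage, CommandLine, ParentCommandLine), the sample records and the parent-process allowlists are all assumptions made for the example; dpkg and apt-get are added to the page's package-manager list because on Debian-family systems the maintainer scripts that call groupdel run under those binaries.

```python
"""Added example: evaluate the 'Group Has Been Deleted Via Groupdel' selection
and the false-positive tuning filters over constructed process-creation events.
Event shape and records are made up for this example; they are not page data."""
import os
from typing import Optional

# Constructed sample events (Sysmon-style Image/ParentImage naming, as in the rule).
SAMPLE_EVENTS = [
    {"Image": "/usr/sbin/groupdel", "CommandLine": "groupdel olddevs",
     "User": "root", "ParentImage": "/bin/bash"},
    {"Image": "/usr/sbin/groupdel", "CommandLine": "groupdel tmpbuild",
     "User": "root", "ParentImage": "/usr/sbin/cron"},
    {"Image": "/usr/sbin/groupdel", "CommandLine": "groupdel legacyapp",
     "User": "root", "ParentImage": "/usr/bin/python3",
     "ParentCommandLine": "/usr/bin/python3 /opt/ansible/run.py"},   # hypothetical script path
    {"Image": "/usr/sbin/groupdel", "CommandLine": "groupdel pkgsvc",
     "User": "root", "ParentImage": "/usr/bin/dpkg"},
    {"Image": "/usr/sbin/groupadd", "CommandLine": "groupadd devs",
     "User": "root", "ParentImage": "/bin/bash"},
]

# Allowlists mirroring the scenarios; every entry is a blind spot for the rule,
# so keep them as narrow as the environment permits (assumed values).
SCHEDULER_PARENTS = {"cron", "crond", "anacron", "atd"}
CONFIG_MGMT_MARKERS = ("/opt/ansible/", "/usr/bin/puppet", "chef-client")
PACKAGE_MANAGERS = {"apt", "apt-get", "dpkg", "yum", "dnf", "zypper"}


def matches_sigma(event: dict) -> bool:
    """The rule's selection: Image|endswith '/groupdel'."""
    return event.get("Image", "").endswith("/groupdel")


def exclusion_reason(event: dict) -> Optional[str]:
    """Return the tuning scenario that suppresses the event, or None to alert."""
    parent = os.path.basename(event.get("ParentImage", ""))
    parent_cmd = event.get("ParentCommandLine", "")
    if parent in SCHEDULER_PARENTS:
        return "scheduled-job"
    if any(marker in parent_cmd for marker in CONFIG_MGMT_MARKERS):
        return "config-management"
    if parent in PACKAGE_MANAGERS:
        return "package-manager"
    return None


def triage(events) -> list:
    """Run the rule, then the filters; return (command_line, verdict) pairs."""
    results = []
    for ev in events:
        if not matches_sigma(ev):
            continue          # groupadd etc. never reach the rule
        reason = exclusion_reason(ev)
        verdict = "ALERT" if reason is None else f"suppressed:{reason}"
        results.append((ev["CommandLine"], verdict))
    return results


if __name__ == "__main__":
    for cmd, verdict in triage(SAMPLE_EVENTS):
        print(f"{verdict:32} {cmd}")
```

The privileged-admin scenario is deliberately not encoded as a filter: groupdel requires root on every Linux distribution, so excluding uid=0 or sudo contexts would suppress the rule entirely. That scenario is better handled as a triage step against change records than as a query-time exclusion, and the parent-process allowlists above should be reviewed whenever the automation or packaging tooling in the environment changes.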