← Back to SOC feed Coverage →

Local System Accounts Discovery - Linux

sigma LOW SigmaHQ
T1087.001
imProcessCreate
backdoor
This detection content is auto-generated from open-source rule repositories and enriched with AI analysis. Always validate rules in a test environment before deploying to production Sentinel workspaces.
View original rule at SigmaHQ →
Retrieved: 2026-03-19T03:46:59Z · Confidence: medium

Hunt Hypothesis

Detects enumeration of local system accounts. This information can help adversaries determine which local accounts exist on a system to aid in follow-on behavior.

Detection Rule

Sigma (Original)

title: Local System Accounts Discovery - Linux
id: b45e3d6f-42c6-47d8-a478-df6bd6cf534c
status: test
description: Detects enumeration of local system accounts. This information can help adversaries determine which local accounts exist on a system to aid in follow-on behavior.
references:
    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1087.001/T1087.001.md
    - https://my.f5.com/manage/s/article/K589
    - https://man.freebsd.org/cgi/man.cgi?pwd_mkdb
author: Alejandro Ortuno, oscd.community, CheraghiMilad
date: 2020-10-08
modified: 2024-12-10
tags:
    - attack.discovery
    - attack.t1087.001
logsource:
    category: process_creation
    product: linux
detection:
    selection_1:
        Image|endswith: '/lastlog'
    selection_2:
        CommandLine|contains: '''x:0:'''
    selection_3:
        Image|endswith:
            - '/cat'
            - '/ed'
            - '/head'
            - '/more'
            - '/nano'
            - '/tail'
            - '/vi'
            - '/vim'
            - '/less'
            - '/emacs'
            - '/sqlite3'
            - '/makemap'
        CommandLine|contains:
            - '/etc/passwd'
            - '/etc/shadow'
            - '/etc/sudoers'
            - '/etc/spwd.db'
            - '/etc/pwd.db'
            - '/etc/master.passwd'
    selection_4:
        Image|endswith: '/id'
    selection_5:
        Image|endswith: '/lsof'
        CommandLine|contains: '-u'
    condition: 1 of selection*
falsepositives:
    - Legitimate administration activities
level: low

KQL (Azure Sentinel)

imProcessCreate
| where TargetProcessName endswith "/lastlog" or TargetProcessCommandLine contains "'x:0:'" or ((TargetProcessName endswith "/cat" or TargetProcessName endswith "/ed" or TargetProcessName endswith "/head" or TargetProcessName endswith "/more" or TargetProcessName endswith "/nano" or TargetProcessName endswith "/tail" or TargetProcessName endswith "/vi" or TargetProcessName endswith "/vim" or TargetProcessName endswith "/less" or TargetProcessName endswith "/emacs" or TargetProcessName endswith "/sqlite3" or TargetProcessName endswith "/makemap") and (TargetProcessCommandLine contains "/etc/passwd" or TargetProcessCommandLine contains "/etc/shadow" or TargetProcessCommandLine contains "/etc/sudoers" or TargetProcessCommandLine contains "/etc/spwd.db" or TargetProcessCommandLine contains "/etc/pwd.db" or TargetProcessCommandLine contains "/etc/master.passwd")) or TargetProcessName endswith "/id" or (TargetProcessName endswith "/lsof" and TargetProcessCommandLine contains "-u")

Required Data Sources

Sentinel TableNotes
imProcessCreateEnsure this data connector is enabled

False Positive Guidance

MITRE ATT&CK Context

Commands such a

Validation (Atomic Red Team)

Use these Atomic Red Team tests to validate this detection fires correctly:

References

Original source: https://github.com/SigmaHQ/sigma/blob/master/rules/linux/process_creation/proc_creation_lnx_local_account.yml