A user being added to the root or sudoers group via usermod indicates potential privilege escalation by an adversary seeking elevated access. SOC teams should proactively hunt for this behavior in Azure Sentinel to identify unauthorized elevation of privileges and mitigate lateral movement or persistence risks.
Detection Rule
title: User Added To Root/Sudoers Group Using Usermod
id: 6a50f16c-3b7b-42d1-b081-0fdd3ba70a73
status: test
description: Detects usage of the "usermod" binary to add users to the root or sudoers groups
references:
    - https://pberba.github.io/security/2021/11/23/linux-threat-hunting-for-persistence-account-creation-manipulation/
    - https://www.configserverfirewall.com/ubuntu-linux/ubuntu-add-user-to-root-group/
author: TuanLe (GTSC)
date: 2022-12-21
tags:
    - attack.privilege-escalation
    - attack.persistence
logsource:
    product: linux
    category: process_creation
detection:
    selection:
        Image|endswith: '/usermod'
        CommandLine|contains:
            - '-aG root'
            - '-aG sudoers'
    condition: selection
falsepositives:
    - Legitimate administrator activities
level: medium
imProcessCreate
| where TargetProcessName endswith "/usermod"
    and (TargetProcessCommandLine contains "-aG root"
         or TargetProcessCommandLine contains "-aG sudoers")
Scenario: System Administrator Adds User to Sudoers via usermod for Access Control
Filter/Exclusion: Check if the user is a known admin or part of a privileged group (e.g., admin, wheel), or if the change was made via a documented administrative process (e.g., via sudo visudo or a configuration management tool like Ansible).
Scenario: Scheduled Job or Cron Task Requires Sudo Privileges
Filter/Exclusion: Filter events where the usermod command is executed in a cron context (e.g., /etc/cron.d/ or /etc/cron.hourly/) or by a service like systemd-tmpfiles or logrotate.
Scenario: User is Added to Sudoers Group via a Configuration Management Tool (e.g., Ansible, Puppet)
Filter/Exclusion: Exclude events where the usermod command is executed by a configuration management tool (e.g., ansible, puppet, or chef) or via a script in a known configuration directory (e.g., /etc/ansible/ or /etc/puppet/).
Scenario: User is Added to Sudoers Group for a Temporary Task (e.g., during a Debug Session)
Filter/Exclusion: Filter events where the user is a temporary user (e.g., tmp, nobody, or www-data) or where the change is made in a short-lived environment (e.g., a Docker container or a test VM).
Scenario: User is Added to Sudoers Group via a Script or Automation Tool (e.g., expect)
Filter/Exclusion: Exclude events where the usermod command is executed by an automation tool (e.g., expect, bash, or python) or in
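To make the rule's selection and the scenario filters above concrete, here is an added Python example (not code from the rule author or from the page) that runs the usermod root/sudoers selection over constructed process-creation events and then applies the known-admin, cron-context and configuration-management exclusions; the allow-lists and the sample events are assumptions.

```python
# Added example (not the rule's or the query's own code): runs the usermod
# root/sudoers selection over constructed ASIM-style events and applies the
# exclusions from the scenarios above. Allow-lists are assumptions.
from dataclasses import dataclass

IMAGE_SUFFIX = "/usermod"                           # Image|endswith
COMMANDLINE_PATTERNS = ("-aG root", "-aG sudoers")  # CommandLine|contains
KNOWN_ADMINS = {"alice"}                            # assumed; your admins here
CONFIG_MGMT_TOOLS = {"ansible", "puppet", "chef"}   # parent process names
CRON_PARENTS = {"cron", "crond"}

@dataclass
class ProcessEvent:
    target_process_name: str   # TargetProcessName
    command_line: str          # TargetProcessCommandLine
    actor_username: str        # account that launched usermod
    parent_process_name: str   # parent process image path

def matches_rule(ev):
    """The rule's selection: usermod image and one of the -aG patterns."""
    return ev.target_process_name.endswith(IMAGE_SUFFIX) and any(
        p in ev.command_line for p in COMMANDLINE_PATTERNS)

def exclusion_reason(ev):
    """Why a hit is filtered out, or None if it should alert."""
    parent = ev.parent_process_name.rsplit("/", 1)[-1]
    if ev.actor_username in KNOWN_ADMINS:
        return "known admin"
    if parent in CONFIG_MGMT_TOOLS:
        return "config management tool"
    return "cron context" if parent in CRON_PARENTS else None

def verdict(ev):
    """'no match', 'excluded: <reason>' or 'alert' for one event."""
    if not matches_rule(ev):
        return "no match"
    reason = exclusion_reason(ev)
    return "alert" if reason is None else f"excluded: {reason}"

def triage(events):
    return [verdict(ev) for ev in events]

# Constructed sample events, not real telemetry.
SAMPLE_EVENTS = [
    ProcessEvent("/usr/sbin/usermod", "usermod -aG root svc-backup", "www-data", "/bin/bash"),
    ProcessEvent("/usr/sbin/usermod", "usermod -aG sudoers deploy", "root", "/usr/bin/ansible"),
    ProcessEvent("/usr/sbin/usermod", "usermod -aG sudoers bob", "alice", "/bin/bash"),
    ProcessEvent("/usr/sbin/usermod", "usermod -s /bin/zsh bob", "bob", "/bin/bash"),
]
```

Calling `triage(SAMPLE_EVENTS)` returns one verdict per event; only the first sample, launched from an interactive shell by a non-admin account, survives the exclusions as an alert.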