A user account has been deleted with the userdel command. On Linux this is routine administration, but it is also how an adversary removes the account they created for persistence once they are done with it, or locks legitimate operators out of a host (ATT&CK T1531, Account Access Removal). SOC teams should hunt for this behavior proactively, because a deleted account takes its home directory and login history with it and can hide earlier lateral movement or persistent access.
Detection Rule
title: User Has Been Deleted Via Userdel
id: 08f26069-6f80-474b-8d1f-d971c6fedea0
status: test
description: Detects execution of the "userdel" binary, which is used to delete a user account and related files. This is sometimes abused by threat actors in order to cover their tracks.
references:
    - https://linuxize.com/post/how-to-delete-group-in-linux/
    - https://www.cyberciti.biz/faq/linux-remove-user-command/
    - https://www.cybrary.it/blog/0p3n/linux-commands-used-attackers/
    - https://linux.die.net/man/8/userdel
author: Tuan Le (NCSGroup)
date: 2022-12-26
tags:
    - attack.impact
    - attack.t1531
logsource:
    product: linux
    category: process_creation
detection:
    selection:
        Image|endswith: '/userdel'
    condition: selection
falsepositives:
    - Legitimate administrator activities
level: medium
imProcessCreate
| where TargetProcessName endswith "/userdel"
Scenario: A system administrator manually deletes a user account with the userdel command as part of routine user management.
Filter/Exclusion: Check the command-line arguments, the invoking user and the parent shell. Do not exclude on the -r flag: it removes the user's home directory and mail spool, which is exactly what an intruder wants when covering their tracks, so treat -r as a reason to escalate, not to suppress. Tune instead on the deleted login name (e.g., known throwaway test accounts such as testuser), on an interactive session by a named administrator, and on a matching change ticket.
Scenario: A scheduled job or automation script runs a cleanup task that deletes stale user accounts, for example during a system maintenance window.
Filter/Exclusion: Filter on the process owner (e.g., root or a dedicated service account) and require a known cleanup script path or job name in the parent command line; a deletion by that account outside the maintenance window, or from an interactive shell rather than the scheduler, should still alert.
Scenario: A user account is deleted from a desktop tool (e.g., system-config-users on Red Hat systems) as part of a user deprovisioning process.
Filter/Exclusion: Check the parent process of userdel for the GUI tool and correlate with the record userdel itself writes to the auth log (/var/log/secure on Red Hat, /var/log/auth.log on Debian and Ubuntu), which names the deleted account, or with the corresponding auditd DEL_USER event. Note that a GUI front end that removes the account through a library call instead of executing the userdel binary will not trigger this rule at all, so cover that path separately.
Scenario: A wrapper or directory tool (e.g., Debian's deluser, a Perl script that calls userdel under the hood, or an LDAP/directory synchronization agent) deletes a local account during a sync or directory cleanup.
Filter/Exclusion: Filter on the parent process or parent command line naming the wrapper or agent, and correlate with the LDAP or directory synchronization logs; the wrapper alone does not make the deletion legitimate, so do not exclude on it without the matching sync record.
Scenario: Many accounts are deleted in one bulk deprovisioning run by a script that loops over a user list and calls userdel or deluser for each entry.
Filter/Exclusion: Require a known batch job name or script path in the parent command line, or a recognised user list or group in the arguments, and expect a burst of userdel executions from a single parent process; a lone deletion outside such a burst does not fit this pattern and should still alert.
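The selection from the rule above and the tuning from the five scenarios, run over constructed process_creation events. This is an added example, not code from the Sigma rule or from any product; the field names (Image, CommandLine, ParentCommandLine, User), the deprovisioning script paths, the test-account pattern and the sample events are assumptions for illustration, and -r is escalated rather than excluded for the reason given in the first scenario.

```python
"""Apply the userdel Sigma selection plus the false-positive tuning to
constructed process_creation events (added example, not the rule's code)."""
import re
import shlex

# Tuning knobs. These are assumptions for the example: replace the script
# paths and the account-name pattern with your own inventory.
KNOWN_DEPROVISION_SCRIPTS = {"/opt/it/deprovision.sh",
                             "/usr/local/sbin/purge-stale-users.sh"}
NON_PRODUCTION_ACCOUNT_RE = re.compile(r"^(test|tmp|lab)[a-z0-9_-]*$", re.IGNORECASE)
# userdel(8) options that consume the next token, so it is not the LOGIN.
OPTS_WITH_VALUE = {"-R", "--root", "-P", "--prefix"}

# Constructed sample events in a Sysmon-for-Linux-like shape. The field
# names are assumptions; map them to whatever your process_creation source emits.
SAMPLE_EVENTS = [
    # 1: interactive root shell, home directory removed: the track-covering case
    {"Image": "/usr/sbin/userdel", "CommandLine": "userdel -r svc-deploy",
     "ParentCommandLine": "-bash", "User": "root"},
    # 2: throwaway test account deleted without -r
    {"Image": "/usr/sbin/userdel", "CommandLine": "userdel testuser42",
     "ParentCommandLine": "-bash", "User": "root"},
    # 3: Debian's deluser wrapper (a Perl script) executing userdel
    {"Image": "/usr/sbin/userdel", "CommandLine": "/usr/sbin/userdel -r jdoe",
     "ParentCommandLine": "/usr/bin/perl /usr/sbin/deluser --remove-home jdoe",
     "User": "root"},
    # 4: nightly deprovisioning job run from a known script path
    {"Image": "/usr/sbin/userdel", "CommandLine": "userdel --root /srv/chroot olduser",
     "ParentCommandLine": "/bin/bash /opt/it/deprovision.sh", "User": "root"},
    # 5: unrelated process, must not match
    {"Image": "/usr/bin/ls", "CommandLine": "ls -la /home",
     "ParentCommandLine": "-bash", "User": "root"},
]


def sigma_selection(event):
    """The rule's only selection: Image|endswith '/userdel'.
    Sigma string matching is case-insensitive unless marked 'cased'."""
    return event.get("Image", "").lower().endswith("/userdel")


def parse_userdel(cmdline):
    """Split a userdel command line into (flags, login). Options that take a
    value are skipped together with it so the value is never mistaken for
    the login; bundled short flags such as -rf are expanded."""
    argv = shlex.split(cmdline)
    flags, login, i = set(), None, 1
    while i < len(argv):
        tok = argv[i]
        if tok in OPTS_WITH_VALUE:            # -R /chroot, -P /prefix
            i += 2
            continue
        if tok.startswith("--") and "=" in tok:   # --root=/chroot
            flags.add(tok.split("=", 1)[0])
        elif tok.startswith("--"):
            flags.add(tok)
        elif tok.startswith("-") and len(tok) > 1:
            flags.update("-" + c for c in tok[1:])   # -rf -> -r, -f
        else:
            login = tok                        # the positional LOGIN
        i += 1
    return flags, login


def triage(event):
    """Apply the rule, then the tuning discussed above, and return a verdict."""
    if not sigma_selection(event):
        return {"match": False}
    flags, login = parse_userdel(event.get("CommandLine", ""))
    parent_argv = shlex.split(event.get("ParentCommandLine", ""))
    removes_home = bool(flags & {"-r", "--remove"})
    result = {"match": True, "login": login, "removes_home": removes_home,
              "verdict": "medium", "reasons": []}   # rule level is medium
    # Scheduled or bulk deprovisioning: root running a script we know about.
    if event.get("User") == "root" and any(t in KNOWN_DEPROVISION_SCRIPTS for t in parent_argv):
        result["verdict"] = "suppress"
        result["reasons"].append("known deprovisioning script in parent command line")
        return result
    # A wrapper such as deluser is worth recording, but it does not by itself
    # make the deletion legitimate, so it never suppresses.
    if any(t.endswith("/deluser") for t in parent_argv):
        result["reasons"].append("invoked via deluser wrapper")
    # -r deletes the home directory and mail spool, i.e. the evidence an
    # investigator needs; escalate rather than exclude on it.
    if removes_home:
        result["verdict"] = "high"
        result["reasons"].append("-r removed home directory and mail spool")
    elif login and NON_PRODUCTION_ACCOUNT_RE.match(login):
        result["verdict"] = "low"
        result["reasons"].append("non-production account name")
    return result


def triage_all(events):
    return [triage(e) for e in events]


if __name__ == "__main__":
    for r in triage_all(SAMPLE_EVENTS):
        print(r)
```

Event 4 is the only one suppressed, and only because a known script path appears in the parent command line; the deluser case (event 3) stays at high because it also removed the home directory, which is the behaviour the first scenario warns against excluding.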