Merge PR #5097 from @CheraghiMilad - Update ` System Owner or User Di…

…scovery - Linux` update: System Owner or User Discovery - Linux - Add 4 additional tools that can be used for host and user discovery: "whoami", "hostname", "id", "last" --------- Co-authored-by: Nasreddine Bencherchali <8741929+nasbench@users.noreply.github.com>
SigmaHQ · Dec 1, 2024 · af41386 · af41386
1 parent 995dac1
commit af41386
Showing 1 changed file with 9 additions and 3 deletions.
diff --git a/rules/linux/auditd/lnx_auditd_user_discovery.yml b/rules/linux/auditd/lnx_auditd_user_discovery.yml
@@ -1,12 +1,14 @@
-title: System Owner or User Discovery
+title: System Owner or User Discovery - Linux
 id: 9a0d8ca0-2385-4020-b6c6-cb6153ca56f3
 status: test
-description: Adversaries may use the information from System Owner/User Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
+description: |
+    Detects the execution of host or user discovery utilities such as "whoami", "hostname", "id", etc.
+    Adversaries may use the information from System Owner/User Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
 references:
     - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1033/T1033.md
 author: Timur Zinniatullin, oscd.community
 date: 2019-10-21
-modified: 2021-11-27
+modified: 2024-11-30
 tags:
     - attack.discovery
     - attack.t1033
@@ -17,9 +19,13 @@ detection:
     selection:
         type: 'EXECVE'
         a0:
+            - 'hostname'
+            - 'id'
+            - 'last'
             - 'users'
             - 'w'
             - 'who'
+            - 'whoami'
     condition: selection
 falsepositives:
     - Admin activity