From af4138653544b5688e5d00cde3ebf349fd01d205 Mon Sep 17 00:00:00 2001
From: Milad Cheraghi <82805580+CheraghiMilad@users.noreply.github.com>
Date: Sun, 1 Dec 2024 16:21:14 +0330
Subject: [PATCH] Merge PR #5097 from @CheraghiMilad - Update ` System Owner or User Discovery - Linux`
update: System Owner or User Discovery - Linux - Add 4 additional tools that can be used for host and user discovery: "whoami", "hostname", "id", "last"
---------
Co-authored-by: Nasreddine Bencherchali <8741929+nasbench@users.noreply.github.com>
---
 rules/linux/auditd/lnx_auditd_user_discovery.yml | 12 +++++++++---
 1 file changed, 9 insertions(+), 3 deletions(-)
diff --git a/rules/linux/auditd/lnx_auditd_user_discovery.yml b/rules/linux/auditd/lnx_auditd_user_discovery.yml
index 0bfbbf39799..90ff5695e41 100644
--- a/rules/linux/auditd/lnx_auditd_user_discovery.yml
+++ b/rules/linux/auditd/lnx_auditd_user_discovery.yml
@@ -1,12 +1,14 @@
-title: System Owner or User Discovery
+title: System Owner or User Discovery - Linux
 id: 9a0d8ca0-2385-4020-b6c6-cb6153ca56f3
 status: test
-description: Adversaries may use the information from System Owner/User Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
+description: |
+ Detects the execution of host or user discovery utilities such as "whoami", "hostname", "id", etc.
+ Adversaries may use the information from System Owner/User Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
 references:
 - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1033/T1033.md
 author: Timur Zinniatullin, oscd.community
 date: 2019-10-21
-modified: 2021-11-27
+modified: 2024-11-30
 tags:
 - attack.discovery
 - attack.t1033
@@ -17,9 +19,13 @@ detection:
 selection:
 type: 'EXECVE'
 a0:
+ - 'hostname'
+ - 'id'
+ - 'last'
 - 'users'
 - 'w'
 - 'who'
+ - 'whoami'
 condition: selection
 falsepositives:
 - Admin activity
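Review bot: The four new `a0` values are exact matches on argv[0], so an invocation by absolute path (`/usr/bin/id`, `/bin/hostname`, `/usr/bin/whoami`) — the form scripts and pasted one-liners commonly use — is not matched by this selection, and the same gap already exists for the pre-existing `users`/`w`/`who` entries. I would split the selection into the existing exact-name list and a second `a0|endswith` list of `/`-prefixed names, combined with `condition: 1 of selection_*`, as sketched below. Separately, `id`, `hostname` and `last` are routinely executed by shell scripts, cron jobs and package maintainer scripts (e.g. `id -u` privilege checks), so the `falsepositives` entry should say so rather than only "Admin activity": `- Shell scripts and system automation that call id, hostname or last (e.g. id -u checks in init and package scripts)`. The enclosing `detection` key sits outside the hunk, so the fence shows only the selections and condition beneath it.
```yaml
    selection_name:
        type: 'EXECVE'
        a0:
            # … unchanged: existing a0 list (hostname, id, last, users, w, who, whoami) …
    selection_path:
        type: 'EXECVE'
        a0|endswith:
            - '/hostname'
            - '/id'
            - '/last'
            - '/users'
            - '/w'
            - '/who'
            - '/whoami'
    condition: 1 of selection_*
```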