New Linux user added

Goal

Detect when a new local user account is created on a Linux host. Attackers create accounts to establish persistence after gaining initial access.

Strategy

This rule fires on either of two evidence types:

  • Process execution: Process Activity Launch events (ocsf.class_uid:1007 @ocsf.activity_id:1) where the process name is useradd or adduser.
  • Account change event: Account Change Create events (ocsf.class_uid:3001 @ocsf.activity_id:1) where the event is scoped to a Linux host via ocsf.device.os.type:Linux. This catches accounts created through NSS or daemons that bypass useradd/adduser. On auditd this corresponds to the ADD_USER record. The OS filter prevents the rule from firing on Windows AD, cloud IAM, or other non-Linux account change events.

Cases are evaluated in order, so a normal useradd run on auditd (which emits both an EXECVE and an ADD_USER) fires once on the Process execution case.
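The two cases and their ordering, as an added example that is not Datadog's own rule engine. It assumes events are flat dicts keyed by the query's dotted field names and that one signal is produced per host within an evaluation window, so the auditd EXECVE and ADD_USER pair from a single useradd run fires once on the Process execution case.

```python
# Added example, not Datadog's rule engine: evaluates the two cases of the
# "New Linux user added" rule over constructed events. Assumes events are flat
# dicts keyed by the query's dotted field names and one signal per host.

PROCESS_NAMES = {"useradd", "adduser"}

def process_execution_case(ev):
    """Case 1: Process Activity Launch (1007/1) of useradd or adduser."""
    return (ev.get("ocsf.class_uid") == 1007
            and ev.get("ocsf.activity_id") == 1
            and ev.get("ocsf.process.name") in PROCESS_NAMES)

def account_change_case(ev):
    """Case 2: Account Change Create (3001/1) scoped to a Linux host."""
    return (ev.get("ocsf.class_uid") == 3001
            and ev.get("ocsf.activity_id") == 1
            and ev.get("ocsf.device.os.type") == "Linux")

CASES = [("Process execution", process_execution_case),
         ("Account change event", account_change_case)]

def evaluate(events):
    """Return {host: case_name}. Cases are tried in order per host and the
    first with a matching event wins, so one useradd run fires once."""
    by_host = {}
    for ev in events:
        by_host.setdefault(ev["host"], []).append(ev)
    signals = {}
    for host, evs in by_host.items():
        for name, case in CASES:
            if any(case(ev) for ev in evs):
                signals[host] = name
                break
    return signals

# Constructed sample events; keys follow the rule's query fields.
SAMPLE_EVENTS = [
    # auditd EXECVE and ADD_USER records from one useradd run on web-01
    {"host": "web-01", "ocsf.class_uid": 1007, "ocsf.activity_id": 1,
     "ocsf.process.name": "useradd", "ocsf.device.os.type": "Linux"},
    {"host": "web-01", "ocsf.class_uid": 3001, "ocsf.activity_id": 1,
     "ocsf.device.os.type": "Linux"},
    # daemon-created account on db-02 that bypasses useradd: ADD_USER only
    {"host": "db-02", "ocsf.class_uid": 3001, "ocsf.activity_id": 1,
     "ocsf.device.os.type": "Linux"},
    # Windows AD account creation on dc-01: excluded by the OS filter
    {"host": "dc-01", "ocsf.class_uid": 3001, "ocsf.activity_id": 1,
     "ocsf.device.os.type": "Windows"},
]
```

Running `evaluate(SAMPLE_EVENTS)` yields one signal for web-01 on the Process execution case, one for db-02 on the Account change event case, and nothing for dc-01.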

Triage and response

  1. Determine whether the account creation was authorized — check change management records and verify with the system owner on {{host}}.
  2. Identify who ran the command using {{@ocsf.actor.user.name}} and {{@ocsf.actor.session.terminal}}.
  3. Review the new account’s group memberships and sudo permissions (/etc/sudoers, /etc/group).
  4. If unauthorized, lock or delete the account (usermod -L or userdel) and investigate how the attacker obtained the privileges to create it.