---
title: New Linux user added
description: Datadog, the leading service for cloud-scale monitoring.
breadcrumbs: Docs > Datadog Security > OOTB Rules > New Linux user added
---

# New Linux user added

- Classification: attack
- Tactic: [TA0003-persistence](https://attack.mitre.org/tactics/TA0003)
- Technique: [T1136-create-account](https://attack.mitre.org/techniques/T1136)
## Goal{% #goal %}

Detect when a new local user account is created on a Linux host. Attackers create accounts to establish persistence after gaining initial access.

## Strategy{% #strategy %}

This rule fires on either of two evidence types:

- **Process execution**: Process Activity Launch events (`ocsf.class_uid:1007 @ocsf.activity_id:1`) where the process name is `useradd` or `adduser`.
- **Account change event**: Account Change Create events (`ocsf.class_uid:3001 @ocsf.activity_id:1`) where the event is scoped to a Linux host via `ocsf.device.os.type:Linux`. This catches accounts created through NSS or daemons that bypass `useradd`/`adduser`. On auditd this corresponds to the `ADD_USER` record. The OS filter prevents the rule from firing on Windows AD, cloud IAM, or other non-Linux account change events.

Cases are evaluated in order, so a normal `useradd` run on auditd (which emits both an EXECVE and an ADD_USER) fires once on the Process execution case.
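To make the two-case logic and the first-match ordering concrete, here is an added example that is not Datadog's detection engine and not part of this rule's definition. It models the rule over plain Python dicts whose keys mirror the OCSF fields quoted above (`class_uid`, `activity_id`, `process.name`, `device.os.type`); the per-host grouping and "first matching case wins" behaviour are a simplified model of how the ordered cases produce a single signal, and the sample events are constructed, not real telemetry.

```python
"""Simplified evaluation of the 'New Linux user added' rule over OCSF-shaped events.

Added example (not Datadog's engine). Events are grouped per host, case 1
(useradd/adduser process launch) is checked before case 2 (Account Change
Create on a Linux host), and each host fires once, on the first case that
matches. The sample events are constructed for illustration.
"""
from collections import defaultdict


def _is_useradd_launch(ev):
    # Case 1: ocsf.class_uid:1007 @ocsf.activity_id:1 (Process Activity, Launch)
    # where the process name is useradd or adduser.
    return (ev.get("class_uid") == 1007 and ev.get("activity_id") == 1
            and ev.get("process", {}).get("name") in ("useradd", "adduser"))


def _is_linux_account_create(ev):
    # Case 2: ocsf.class_uid:3001 @ocsf.activity_id:1 (Account Change, Create),
    # scoped to Linux hosts so Windows AD / cloud IAM events do not match.
    return (ev.get("class_uid") == 3001 and ev.get("activity_id") == 1
            and ev.get("device", {}).get("os", {}).get("type") == "Linux")


# Cases in the order the rule evaluates them.
CASES = [
    ("Process execution", _is_useradd_launch),
    ("Account change event", _is_linux_account_create),
]


def evaluate(events):
    """Return one signal per host as (host, case_name, triggering_event).

    Hosts whose events match no case produce nothing. Because cases are checked
    in order and the first match wins, a host that emitted both a useradd
    EXECVE and an ADD_USER record yields a single 'Process execution' signal.
    """
    by_host = defaultdict(list)
    for ev in events:
        by_host[ev.get("device", {}).get("hostname", "<unknown>")].append(ev)

    signals = []
    for host, evs in by_host.items():
        for case_name, predicate in CASES:
            hit = next((ev for ev in evs if predicate(ev)), None)
            if hit is not None:
                signals.append((host, case_name, hit))
                break  # first matching case wins; later cases are not evaluated
    return signals


# Constructed sample telemetry for three hosts (not real data).
SAMPLE_EVENTS = [
    # web-01: auditd records both the useradd EXECVE and the ADD_USER record.
    {"class_uid": 1007, "activity_id": 1, "process": {"name": "useradd"},
     "actor": {"user": {"name": "root"}, "session": {"terminal": "pts/0"}},
     "device": {"hostname": "web-01", "os": {"type": "Linux"}}},
    {"class_uid": 3001, "activity_id": 1, "user": {"name": "svc-backup"},
     "actor": {"user": {"name": "root"}},
     "device": {"hostname": "web-01", "os": {"type": "Linux"}}},
    # db-02: account created by a daemon; no useradd/adduser launch observed.
    {"class_uid": 3001, "activity_id": 1, "user": {"name": "ldapsync"},
     "device": {"hostname": "db-02", "os": {"type": "Linux"}}},
    # dc-03: Windows AD account creation, same OCSF class, excluded by OS type.
    {"class_uid": 3001, "activity_id": 1, "user": {"name": "jdoe"},
     "device": {"hostname": "dc-03", "os": {"type": "Windows"}}},
    # web-01 also launched 'ls', an unrelated process that must not match.
    {"class_uid": 1007, "activity_id": 1, "process": {"name": "ls"},
     "device": {"hostname": "web-01", "os": {"type": "Linux"}}},
]


if __name__ == "__main__":
    for host, case, ev in evaluate(SAMPLE_EVENTS):
        actor = ev.get("actor", {}).get("user", {}).get("name", "?")
        print(f"{host}: fired on '{case}' (actor={actor})")
```

Running the block yields two signals: `web-01` fires once on the Process execution case even though it also produced an Account Change event, `db-02` fires on the Account change case, and `dc-03` is silent because the OS filter excludes it.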

## Triage and response{% #triage-and-response %}

1. Determine whether the account creation was authorized — check change management records and verify with the system owner on `{{host}}`.
1. Identify who ran the command using `{{@ocsf.actor.user.name}}` and `{{@ocsf.actor.session.terminal}}`.
1. Review the new account's group memberships and sudo permissions (`/etc/sudoers`, `/etc/group`).
1. If unauthorized, lock or delete the account (`usermod -L` or `userdel`) and investigate how the attacker obtained the privileges to create it.
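The privilege review in step 3 is easy to do by hand for one account but tedious across several; the following added example (not a Datadog tool and not part of this rule) takes the account name plus the text of `/etc/passwd`, `/etc/group` and the sudoers files and reports group memberships, membership in privileged groups, and sudoers rules that apply to the account directly or via a `%group` entry. The file contents are passed in as strings so the same logic runs against copies pulled from the host; the `PRIVILEGED_GROUPS` set and the sample files below are constructed assumptions for illustration.

```python
"""Triage helper for a newly created Linux account (added example).

Given the account name and the contents of /etc/passwd, /etc/group and the
sudoers files, summarise the privileges the account holds. Inputs are strings
so the check can be run against copies of the files; the samples at the
bottom are constructed, not taken from a real host.
"""
import re

# Groups commonly conferring root-equivalent or sensitive access; treat
# membership as a triage red flag. Tune for the distribution in use (assumption).
PRIVILEGED_GROUPS = {"root", "sudo", "wheel", "admin", "adm", "docker", "disk", "shadow"}


def parse_passwd(passwd_text):
    """Map user name -> (uid, primary gid, shell) from /etc/passwd content."""
    users = {}
    for line in passwd_text.splitlines():
        if not line or line.startswith("#"):
            continue
        f = line.split(":")
        if len(f) >= 7:
            users[f[0]] = (int(f[2]), int(f[3]), f[6])
    return users


def parse_group(group_text):
    """Map group name -> (gid, set of supplementary members) from /etc/group."""
    groups = {}
    for line in group_text.splitlines():
        if not line or line.startswith("#"):
            continue
        f = line.split(":")
        if len(f) >= 4:
            groups[f[0]] = (int(f[2]), {m for m in f[3].split(",") if m})
    return groups


def groups_of(user, passwd_text, group_text):
    """All groups the user belongs to: primary (via gid) plus supplementary."""
    users = parse_passwd(passwd_text)
    groups = parse_group(group_text)
    result = set()
    if user in users:
        gid = users[user][1]
        result.update(g for g, (g_gid, _) in groups.items() if g_gid == gid)
    result.update(g for g, (_, members) in groups.items() if user in members)
    return result


def sudoers_rules_for(user, user_groups, sudoers_texts):
    """Sudoers lines whose subject is the user or one of the user's groups.

    Comments and Defaults lines are skipped and backslash continuations joined.
    """
    subjects = {user} | {"%" + g for g in user_groups}
    rules = []
    for text in sudoers_texts:
        joined = re.sub(r"\\\n", " ", text)
        for line in joined.splitlines():
            line = line.strip()
            if not line or line.startswith("#") or line.startswith("Defaults"):
                continue
            if line.split()[0] in subjects:
                rules.append(line)
    return rules


def triage(user, passwd_text, group_text, sudoers_texts):
    """Summarise the account's privileges for the responder."""
    users = parse_passwd(passwd_text)
    gs = groups_of(user, passwd_text, group_text)
    uid, _, shell = users.get(user, (None, None, None))
    return {
        "exists": user in users,
        "uid": uid,
        "uid_zero": uid == 0,  # a second uid-0 account is a classic red flag
        "shell": shell,
        "groups": sorted(gs),
        "privileged_groups": sorted(gs & PRIVILEGED_GROUPS),
        "sudoers_rules": sudoers_rules_for(user, gs, sudoers_texts),
    }


# Constructed sample files: a new 'svc-backup' account that was added to the
# sudo group and given its own rule in a sudoers.d drop-in.
SAMPLE_PASSWD = """root:x:0:0:root:/root:/bin/bash
alice:x:1000:1000:Alice:/home/alice:/bin/bash
svc-backup:x:1001:1001::/home/svc-backup:/bin/bash
"""
SAMPLE_GROUP = """root:x:0:
sudo:x:27:alice,svc-backup
users:x:100:
alice:x:1000:
svc-backup:x:1001:
"""
SAMPLE_SUDOERS = """# /etc/sudoers
Defaults env_reset
root ALL=(ALL:ALL) ALL
%sudo ALL=(ALL:ALL) ALL
"""
SAMPLE_SUDOERS_D = """svc-backup ALL=(ALL) NOPASSWD: ALL
"""

if __name__ == "__main__":
    report = triage("svc-backup", SAMPLE_PASSWD, SAMPLE_GROUP,
                    [SAMPLE_SUDOERS, SAMPLE_SUDOERS_D])
    for key, value in report.items():
        print(f"{key}: {value}")
```

For the constructed sample the report shows `svc-backup` in the `sudo` group and matched by two sudoers rules, the `%sudo` entry and a dedicated `NOPASSWD: ALL` line, which is exactly the kind of finding that should move the case from "verify with the owner" to "lock the account and investigate".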
