This note documents detection patterns related to New User Creation on Linux systems.

Direct Indicators

Source	Grep Pattern / Artifact	Meaning	Forensic Value	Notes
`/etc/passwd`	New account entry	Local user account created	Critical	Primary account creation artifact.
`/etc/shadow`	New password hash entry	Password-bearing user added	Critical	Confirms credential-backed account presence.
`/etc/group`	User added to privileged group	User granted functional access	Critical	Check `sudo`, `wheel`, `adm`, `docker`, `lxd`.
`auth.log` / `secure`	`useradd`	Account creation utility executed	Critical	Strong evidence of explicit user creation.
`auth.log` / `secure`	`new user`	Account creation log message	Critical	Common syslog wording on some distros.
`auth.log` / `secure`	`groupadd`	Group creation or manipulation	High	Often adjacent to user provisioning.
`auth.log` / `secure`	`usermod`	Existing account modified	Critical	Used to add attacker to privileged groups.
`auth.log` / `secure`	`adduser`	Debian-style account creation command	Critical	Equivalent to `useradd` in many cases.
`sudo` logs in `auth.log` / `secure`	`COMMAND=/usr/sbin/useradd`	Account creation via sudo	Critical	High-confidence operator action.
`sudo` logs in `auth.log` / `secure`	`COMMAND=/usr/sbin/adduser`	Account creation via sudo	Critical	High-confidence operator action.
`sudo` logs in `auth.log` / `secure`	`COMMAND=/usr/sbin/usermod`	Privilege modification via sudo	Critical	Often more important than pure account creation.
`journalctl`	`useradd`, `adduser`, `usermod`	Journald record of account operations	Critical	Essential on journal-centric systems.
`/home/`	New home directory	Newly provisioned local user workspace	High	Directory creation often accompanies local user creation.
`/var/spool/cron/`	New per-user cron file	Newly created user already used for persistence	High	Strong sign of attacker operationalization.
`/etc/sudoers` or `/etc/sudoers.d/`	New sudo rule	User granted privilege escalation path	Critical	May be quieter than group membership changes.
Shell history	`useradd`, `adduser`, `usermod`, `passwd`	Interactive account creation commands	Critical	Very high value if preserved.
`auditd` logs	`execve` of `useradd`, `adduser`, `usermod`	Process-level account management evidence	Critical	Best source when enabled.

Indirect Indicators

Indicator	What To Look For	Forensic Value	Notes
Unknown account appears between known baseline users	Compare current `/etc/passwd` against expected host role	Critical	Most useful when hostname purpose is known.
Service or pseudo-user with interactive shell	Shell set to `/bin/bash`, `/bin/sh`, `/bin/zsh`	Critical	Fake service users often expose attacker mistakes.
New user with UID >= 1000 on server	Human-style local account on server that should not have one	High	Especially suspicious on appliances, web servers, DC-like infra, containers.
New account added shortly after SSH compromise	Timeline correlation between login and local user addition	Critical	Very common post-compromise action.
New account immediately added to `sudo` or `wheel`	Privilege-ready persistence	Critical	Strong evidence of hostile persistence.
New `.ssh/authorized_keys` under fresh home directory	Key-based persistence for new local account	Critical	Often used instead of password logins.
Passwordless sudo granted to new account	`NOPASSWD` rule present	Critical	Extremely strong persistence indicator.
Home directory ownership mismatch	Files owned by unusual UID/GID	Medium	Can reveal renamed or partially deleted account.
New account with misleading name	`backup`, `sysadmin`, `service`, `support`, `oracle`, `nginxadm`	High	Common camouflage pattern.
Fresh account with no legitimate provisioning evidence	No ticket/change record, no CM/Ansible trail	High	Operational context strengthens case.

Common Tools

Tool	Usage
`useradd`	Native low-level user creation utility.
`adduser`	Higher-level interactive user creation wrapper on Debian-like systems.
`usermod`	Modifies existing accounts, often used to add attacker to privileged groups.
`passwd`	Sets or changes password for newly created or hijacked account.
`chsh`	Changes login shell, sometimes to make pseudo-users interactive.
`chage`	Alters password aging and expiry to stabilize persistence.
`vipw` / direct file editing	Manual modification of `/etc/passwd` and `/etc/shadow`.
`visudo`	Used to add sudo privileges directly.
`echo >> /etc/passwd`	Crude direct account insertion seen in low-skill intrusion or malware scripts.
Configuration management tooling	Ansible, cloud-init, bash bootstrap, user-data scripts may legitimately create users and must be ruled out.

Relevant Artifacts

Artifact	Path / Command	Forensic Value	Notes
Local user database	`/etc/passwd`	Critical	Primary source for local accounts, shell, UID, home path.
Password database	`/etc/shadow`	Critical	Indicates password-backed access and hash presence.
Group memberships	`/etc/group`	Critical	Review `sudo`, `wheel`, `docker`, `adm`, `lxd`.
Account defaults	`/etc/default/useradd`	Medium	Helps interpret default home/shell behavior.
Sudo configuration	`/etc/sudoers`, `/etc/sudoers.d/`	Critical	Check for grants to new accounts.
SSH persistence	`/home/*/.ssh/authorized_keys`, `/root/.ssh/authorized_keys`	Critical	New account often paired with SSH key persistence.
Home directory creation	`/home/<user>/`	High	Inspect timestamps, shell history, tool staging.
Shell history	`/home/<user>/.bash_history`, `.zsh_history`, `/root/.bash_history`	Critical	Account creation and immediate follow-on actions.
Authentication logs	`/var/log/auth.log`, `/var/log/secure`	Critical	Main host-based log source for sudo/account changes.
Journald	`journalctl`	Critical	May preserve account activity absent flat logs.
Last login data	`lastlog`, `last`, `/var/log/wtmp`, `/var/log/btmp`	High	Shows whether new account was used.
Audit logs	`/var/log/audit/audit.log`	Critical	Best process accountability if present.
Cron files	`/var/spool/cron/`, `/etc/cron*`	High	New user may have immediate scheduled persistence.
Temporary directories	`/tmp`, `/var/tmp`, `/dev/shm`	Medium	Scripts that created the user may still exist.
Package / orchestration logs	cloud-init logs, Ansible logs, CI/CD logs	High	Needed to eliminate legitimate provisioning.

MITRE ATT&CK References

T1136 Create Account
T1136.001 Local Account
T1098 Account Manipulation
T1098.004 SSH Authorized Keys
T1548 Abuse Elevation Control Mechanism

Decision Tree

Is a suspicious local account present?
- Inspect /etc/passwd, /etc/shadow, /etc/group.
- Determine username, UID, shell, home directory, group membership.
Is the account actually new or merely newly noticed?
- Compare against host baseline, golden image, deployment scripts, backup copies, config management, or previous snapshots.
- Check file timestamps on /etc/passwd, /etc/shadow, /etc/group.
How was the account created?
- Search auth.log / secure / journalctl for useradd, adduser, usermod, passwd, sudo.
- Search shell history for account management commands.
- Review auditd for execve if available.
Was privilege granted?
- Inspect membership in sudo, wheel, docker, lxd, adm.
- Inspect /etc/sudoers and /etc/sudoers.d/.
- Determine whether shell is interactive and whether account can escalate.
Was the account used?
- Review last, lastlog, SSH login logs, authorized_keys, bash history.
- Check whether the account established persistence, downloaded payloads, or opened network connections.
Pivot
- Source logon event → identify actor/session that created the account.
- New home directory → inspect commands, keys, tools, payloads.
- Group changes → determine escalation objective.
- Related SSH artifacts → determine remote persistence plan.
Confirm maliciousness
- Unknown account + no legitimate provisioning trail + privileged group membership + SSH key or sudo access = strong malicious persistence finding.

Example Detection Templates

Grep

grep -Ei "useradd|adduser|usermod|groupadd|passwd|new user" /var/log/auth.log /var/log/secure 2>/dev/null

grep -Ei "COMMAND=/usr/sbin/(useradd|adduser|usermod)|COMMAND=/usr/bin/passwd" /var/log/auth.log /var/log/secure 2>/dev/null

grep -E '^(sudo|wheel|adm|docker|lxd):' /etc/group

awk -F: '($3 >= 1000 || $3 == 0) {print $1,$3,$6,$7}' /etc/passwd

find /home -maxdepth 1 -mindepth 1 -type d -printf '%TY-%Tm-%Td %TT %u %g %p\n' 2>/dev/null | sort

Journalctl

journalctl | grep -Ei "useradd|adduser|usermod|groupadd|passwd|sudo"

journalctl _COMM=sudo | grep -Ei "useradd|adduser|usermod|passwd"

Auditd

ausearch -m EXECVE -i | grep -Ei "useradd|adduser|usermod|passwd"

ausearch -m USER_CHAUTHTOK,ADD_USER,DEL_USER,ADD_GROUP,DEL_GROUP -i

Sigma

title: Linux Local User Creation or Account Privilege Manipulation
id: linux-local-user-creation-or-modification
status: experimental
description: Detects account creation or modification activity on Linux systems that may indicate attacker persistence
logsource:
  product: linux
  service: auth
detection:
  selection_keywords:
    message|contains:
      - 'useradd'
      - 'adduser'
      - 'usermod'
      - 'new user'
      - 'groupadd'
  condition: selection_keywords
fields:
  - message
  - hostname
  - process
  - user
falsepositives:
  - Legitimate administrator provisioning
  - Configuration management
  - Cloud-init or image bootstrap processes
level: high
tags:
  - attack.persistence
  - attack.t1136
  - attack.t1136.001
  - attack.t1098

Mitigation & Hardening

Control Area	Mitigation	Effectiveness	Notes
Account governance	Maintain strict local account baseline per host role	Critical	Unknown local users should be immediately obvious.
Privileged access	Restrict sudo rights to tightly managed groups	Critical	Reduces usefulness of newly created accounts.
SSH hardening	Disable password auth where possible and enforce key hygiene	High	Limits attacker value from quick local user creation.
Centralized identity	Prefer centralized auth over unmanaged local accounts	High	Shrinks local persistence surface.
Monitoring	Alert on `useradd`, `adduser`, `usermod`, `passwd`, sudoers changes	Critical	High-fidelity administrative abuse detection.
File integrity monitoring	Watch `/etc/passwd`, `/etc/shadow`, `/etc/group`, `/etc/sudoers*`	Critical	Excellent invariant detection surface.
Auditd	Enable process auditing for user and privilege management commands	High	Gives process-level truth often missing from flat logs.
Change control	Tie account creation to ticketing / automation / CM evidence	High	Speeds false-positive elimination.
SSH key review	Monitor `authorized_keys` creation for new accounts	High	Attackers frequently pair account creation with key persistence.
Periodic review	Regularly enumerate accounts, shells, UIDs, and privileged groups	High	Prevents long-lived unnoticed persistence.