IMPORTANT: No additional bug fixes or documentation updates will be released for this version. For the latest information, see the current release documentation.
Identifies attempts to enable the root account using the dsenableroot command. This command may be abused by adversaries for persistence, as the root account is disabled by default.
Rule type: query
Risk score: 47
Runs every: 5 minutes
Searches indices from: now-9m (Date Math format, see also Additional look-back time)
Maximum alerts per execution: 100
Tags:
- Threat Detection
Added (Elastic Stack release): 7.12.0
Rule authors: Elastic
Rule license: Elastic License v2
Rule query:
event.category:process and event.type:(start or process_started) and process.name:dsenableroot and not process.args:"-d"
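To make the rule's matching behaviour concrete, the following is an added example (not part of the Elastic rule or its documentation) that replays the query's logic in Python over a handful of constructed ECS-style process events. It shows why a plain dsenableroot launch alerts while the disabling form (dsenableroot -d) is excluded, and that the exclusion is a term match against the process.args array, so it only works when the agent ships arguments as an array rather than a single command line. The event shapes and the make_event helper are assumptions made for the example.

```python
"""Replay of the dsenableroot detection logic against constructed ECS events.

Added example; not code from the Elastic rule itself. Every event below is
constructed test data.
"""

from typing import Any


def ecs_get(event: dict, dotted: str) -> Any:
    """Resolve an ECS dotted field name (e.g. "process.args") in a nested dict.
    Returns None if any component of the path is missing."""
    node: Any = event
    for part in dotted.split("."):
        if not isinstance(node, dict) or part not in node:
            return None
        node = node[part]
    return node


def as_list(value: Any) -> list:
    """event.type and process.args may be scalars or arrays in ECS; KQL matches a
    term against any element, so normalise both forms to a list."""
    if value is None:
        return []
    return list(value) if isinstance(value, (list, tuple)) else [value]


def matches_rule(event: dict) -> bool:
    """Python equivalent of the rule query:

    event.category:process and event.type:(start or process_started)
      and process.name:dsenableroot and not process.args:"-d"
    """
    if "process" not in as_list(ecs_get(event, "event.category")):
        return False
    if not {"start", "process_started"} & set(as_list(ecs_get(event, "event.type"))):
        return False
    if ecs_get(event, "process.name") != "dsenableroot":
        return False
    # The exclusion is a term match on the args array: if "-d" (disable root)
    # appears as its own argument, the event is not alerted on.
    if "-d" in as_list(ecs_get(event, "process.args")):
        return False
    return True


def make_event(name: str, args: list, etype: Any = "start") -> dict:
    """Hypothetical helper that builds a minimal ECS process event (constructed)."""
    return {
        "event": {"category": "process", "type": etype},
        "process": {"name": name, "args": args},
        "host": {"os": {"family": "macos"}},
    }


# Constructed sample events, labelled for the summary below.
SAMPLE_EVENTS = [
    ("enable_root", make_event("dsenableroot", ["dsenableroot"])),
    ("disable_root", make_event("dsenableroot", ["dsenableroot", "-d"])),
    ("disable_root_array_type",
     make_event("dsenableroot", ["dsenableroot", "-d"], etype=["start", "process_started"])),
    ("other_binary", make_event("dscl", ["dscl", ".", "-list", "/Users"])),
    ("process_end", make_event("dsenableroot", ["dsenableroot"], etype="end")),
]


def alerting_events() -> list:
    """Labels of the sample events the rule would alert on."""
    return [label for label, ev in SAMPLE_EVENTS if matches_rule(ev)]


if __name__ == "__main__":
    for label, ev in SAMPLE_EVENTS:
        print(f"{label:26s} alert={matches_rule(ev)}")
```

Only the enable_root event alerts; the process_end event shows that the rule keys on process start events, so an agent configured to emit only end events would never trigger it.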
Framework: MITRE ATT&CK™
Tactic:
- Name: Persistence
- ID: TA0003
- Reference URL: https://attack.mitre.org/tactics/TA0003/
Technique:
- Name: Valid Accounts
- ID: T1078
- Reference URL: https://attack.mitre.org/techniques/T1078/