From d270dc542c6b47fc883f553414712979c9749e4d Mon Sep 17 00:00:00 2001
From: Milad Cheraghi <82805580+CheraghiMilad@users.noreply.github.com>
Date: Tue, 8 Oct 2024 23:39:13 +0330
Subject: [PATCH] Merge PR #5039 from @CheraghiMilad - Update `Local System Accounts Discovery - Linux`

update: Local System Accounts Discovery - Linux - Increase coverage by adding additional utilities such as "nano", "tail, "vim"

---------

Co-authored-by: Milad Cheraghi
Co-authored-by: nasbench <8741929+nasbench@users.noreply.github.com>
---
 .../process_creation/proc_creation_lnx_local_account.yml | 8 ++++++--
 1 file changed, 6 insertions(+), 2 deletions(-)

diff --git a/rules/linux/process_creation/proc_creation_lnx_local_account.yml b/rules/linux/process_creation/proc_creation_lnx_local_account.yml
index 35b1422283e..40bccc49ac2 100644
--- a/rules/linux/process_creation/proc_creation_lnx_local_account.yml
+++ b/rules/linux/process_creation/proc_creation_lnx_local_account.yml
@@ -6,7 +6,7 @@ references:
 - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1087.001/T1087.001.md
 author: Alejandro Ortuno, oscd.community
 date: 2020-10-08
-modified: 2022-11-27
+modified: 2024-08-10
 tags:
 - attack.discovery
 - attack.t1087.001
@@ -21,9 +21,13 @@ detection:
 selection_3:
 Image|endswith:
 - '/cat'
+ - '/ed'
 - '/head'
- - '/tail'
 - '/more'
+ - '/nano'
+ - '/tail'
+ - '/vi'
+ - '/vim'
 CommandLine|contains:
 - '/etc/passwd'
 - '/etc/shadow'
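Review bot: Adding interactive editors (`/ed`, `/nano`, `/vi`, `/vim`) to `selection_3` changes the character of this rule: an administrator opening `/etc/passwd` or `/etc/shadow` in vim or nano is routine maintenance, whereas the previous pager/viewer set (`cat`, `head`, `tail`, `more`) is closer to a pure read-out pattern, so the expected false-positive rate goes up. The rule's `falsepositives` entry and possibly its `level` sit outside this hunk and are not touched by the commit; they should be revised to note that legitimate administrative edits of these files via text editors will now match, e.g. `falsepositives: - Legitimate administration of user accounts by editing /etc/passwd or /etc/shadow with a text editor`. The `detection:` block itself begins before this hunk, so whether other selections narrow the match cannot be confirmed from here. Separately, the first hunk sets `modified: 2024-08-10` while the commit is dated 8 Oct 2024; this looks like a transposed month/day and should probably read `modified: 2024-10-08`.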