MITRE ATT&CK® Analytic

AN1605: Analytic 1605

Adversary invokes 'useradd', 'adduser', or equivalent system commands or scripts to create local users. Detection focuses on command execution and audit trail of passwd/shadow file modifications.

Enterprise · AN1605 · Analytic · Object v1.0 · Modified
Glexia's Take

Analyst context for executives and security teams

Analyst confidence: High

This analytic matters because unexpected local user creation on Linux can be an early warning of unauthorized persistence or account misuse. For leaders, the decision point is whether critical Linux systems have reliable evidence showing who created local accounts, when, from where, and whether sensitive account files changed.

Executive priority

Prioritize this where Linux servers support business-critical applications, regulated workloads, or privileged administration paths. Ask whether SOC and incident response teams can quickly distinguish approved administration from suspicious local account creation, and whether audit evidence is sufficient for access governance and post-incident review.

Technical view

Validate monitoring for execution of `useradd`, `adduser`, or equivalent local user creation commands and scripts on Linux. Also validate audit trails for modifications to local account stores such as passwd and shadow files. Because no ATT&CK tactic or relationship context is supplied, treat this as a focused detection analytic rather than a complete behavior chain; local baselining and administrative context are required.

Likely telemetry

  • Linux process execution telemetry for account-management commands
  • Command-line arguments and parent process context where available
  • Linux audit logs or equivalent host audit records
  • File modification events for passwd and shadow account files
  • Authentication or session context tying the action to a user, service account, or administrative session

Detection direction

  • Confirm that Linux endpoints and servers actually collect process execution and file modification evidence relevant to local account creation.
  • Tune for approved administrative tools, provisioning scripts, and configuration management activity to reduce false positives.
  • Correlate command execution with passwd/shadow modifications to strengthen confidence.
  • Review gaps on systems without command-line logging, auditd-style telemetry, or centralized log forwarding.
  • Investigate unusual creators, unexpected parent processes, off-hours activity, or account creation outside approved change processes.
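One way to implement the correlation step in the list above, as an added example that is not code from the MITRE analytic or from Glexia: a small Python parser that groups auditd-style records by event serial, picks out useradd/adduser executions, and attaches the /etc/passwd and /etc/shadow writes made by the same process shortly afterwards, so an alert carries the login user (auid), parent pid, command line and files touched. The log lines, audit keys (user_mgmt, account_files), pids and the five-second window are constructed for illustration.

```python
import re
from collections import defaultdict

# Constructed auditd-style records (not real logs): one useradd run, the passwd/shadow
# writes it makes, and an unrelated sshd access to /etc/passwd that must not alert.
SAMPLE_AUDIT_LOG = """\
type=SYSCALL msg=audit(1700000000.101:501): syscall=59 success=yes auid=1000 uid=0 pid=4321 ppid=4300 comm="useradd" key="user_mgmt"
type=EXECVE msg=audit(1700000000.101:501): argc=3 a0="useradd" a1="-m" a2="svcbackup"
type=SYSCALL msg=audit(1700000000.140:502): syscall=257 success=yes auid=1000 uid=0 pid=4321 ppid=4300 comm="useradd" key="account_files"
type=PATH msg=audit(1700000000.140:502): item=0 name="/etc/passwd" nametype=NORMAL
type=SYSCALL msg=audit(1700000000.142:503): syscall=257 success=yes auid=1000 uid=0 pid=4321 ppid=4300 comm="useradd" key="account_files"
type=PATH msg=audit(1700000000.142:503): item=0 name="/etc/shadow" nametype=NORMAL
type=SYSCALL msg=audit(1700000000.200:504): syscall=257 success=yes auid=4294967295 uid=0 pid=900 ppid=1 comm="sshd" key="account_files"
type=PATH msg=audit(1700000000.200:504): item=0 name="/etc/passwd" nametype=NORMAL
"""
CREATION_CMDS = {"useradd", "adduser"}
ACCOUNT_FILES = {"/etc/passwd", "/etc/shadow"}
HEADER = re.compile(r"type=(\w+) msg=audit\((\d+\.\d+):(\d+)\):(.*)")
KV = re.compile(r'(\w+)=("[^"]*"|\S+)')   # key=value pairs, quoted or bare


def parse_events(log):
    # Group records by audit serial: {serial: {"ts": float, "records": [(type, fields)]}}
    events = defaultdict(lambda: {"ts": 0.0, "records": []})
    for line in log.splitlines():
        m = HEADER.match(line)
        if not m: continue
        rtype, ts, serial, rest = m.groups()
        ev = events[int(serial)]
        ev["ts"] = float(ts)
        ev["records"].append((rtype, {k: v.strip('"') for k, v in KV.findall(rest)}))
    return events


def correlate(events, window=5.0):
    # Pair each useradd/adduser execution with passwd/shadow writes by the same pid.
    execs, writes = [], []
    for ev in events.values():
        sysc = next((f for t, f in ev["records"] if t == "SYSCALL"), None)
        if sysc is None: continue
        for rtype, f in ev["records"]:
            if rtype == "EXECVE" and f.get("a0") in CREATION_CMDS:
                argv = sorted((k for k in f if re.fullmatch(r"a\d+", k)), key=lambda k: int(k[1:]))
                execs.append({"ts": ev["ts"], "pid": sysc["pid"], "ppid": sysc["ppid"],
                              "auid": sysc["auid"], "cmdline": " ".join(f[k] for k in argv)})
            elif rtype == "PATH" and f.get("name") in ACCOUNT_FILES:
                writes.append({"ts": ev["ts"], "pid": sysc["pid"], "file": f["name"]})
    alerts = []
    for e in execs:  # account-file changes by the same pid shortly after the command
        touched = sorted({w["file"] for w in writes
                          if w["pid"] == e["pid"] and 0 <= w["ts"] - e["ts"] <= window})
        alerts.append({**e, "files_modified": touched,
                       "confidence": "high" if touched else "medium"})
    return alerts
```

An execution with no matching file write still alerts at medium confidence, which is where the tuning for provisioning tools and approved parent processes from the list above would be applied.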

Mitigation priorities

  • Maintain an approved process for local account creation and require administrative accountability.
  • Limit who can create local Linux users through least privilege and controlled sudo or administrative access.
  • Centralize identity where feasible so local accounts are minimized and exceptions are documented.
  • Protect and monitor local account files for unauthorized modification.
  • Use change management and audit review to reconcile expected account creation with observed telemetry.

Analyst notes and limits

The supplied object is a detection analytic for Linux focused on local user creation commands and audit evidence of passwd/shadow changes. No official detection text, tactic mapping, aliases, labels, or relationship context were supplied, so environment-specific baselines are essential.

This take is limited to the official STIX fields, external reference, and absence of supplied relationships. It does not assert active exploitation, attribution, business impact, or guaranteed detection coverage. Local telemetry quality and administrative practices determine practical value.

Official MITRE ATT&CK definition

Analytic 1605

Adversary invokes 'useradd', 'adduser', or equivalent system commands or scripts to create local users. Detection focuses on command execution and audit trail of passwd/shadow file modifications.

View the same entry on attack.mitre.org (MITRE-hosted reference; in-page links above use the Glexia ATT&CK library).

Glexia analysis

How security teams should use this page

Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.

Relationship explorer

All related ATT&CK context

No relationships are available in the current normalized data for this object.

Change history

Object version and sync metadata

The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE’s own release notes and roadmap, see ATT&CK resources — Updates.

ATT&CK release: 19.1
Object version: 1.0
Created:
Modified:
Raw hash: d21d6ec6d3cf40a4...

Imported snapshots across ATT&CK releases (1)

Release | Bundle imported | Object version | Modified | Status         | Raw hash
19.1    |                 | 1.0            |          | Current bundle | d21d6ec6d3cf…

Raw source

Mirrored ATT&CK source object

The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.

Source references

External references and citations

MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.

  1. [1] mitre-attack AN1605 (source URL)

Source and licensing

Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.