
Monitoring User Account Activity Using Splunk

Use Sysmon for Linux to monitor and detect unauthorized user account activities, such as privilege escalations, account creations, deletions, or suspicious commands. Leverage Sysmon’s detailed logging capabilities to track and analyze user activity efficiently.

Self-Paced by Rajneesh Gupta

Overview

This project focuses on monitoring and detecting unauthorized user account activity on a Linux system using Sysmon for Linux. By leveraging Sysmon’s detailed event logging, students will gain hands-on experience identifying high-risk behaviors such as unauthorized account creation, privilege escalation attempts, suspicious command execution, and modifications to critical authentication files.

  • Deploy and configure Sysmon for Linux to capture detailed telemetry on user account manipulations and privilege-related activities.

  • Monitor unauthorized actions such as user account creation/deletion, privilege escalation via sudo, and modifications to sensitive authentication files (/etc/passwd, /etc/shadow, /etc/sudoers).

  • Detect suspicious command execution patterns that may indicate malicious intent, including enumeration commands, privilege escalation tools, or altered user permissions.

  • Simulate real-world attack scenarios to understand how malicious user activity appears in Sysmon events and how attackers attempt persistence or lateral movement.
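The bullets above describe a sensor (Sysmon for Linux) and a set of behaviours to watch for, but not what the detection side looks like. The Python script below is an added example, not part of the project materials: it parses the syslog lines that Sysmon for Linux emits (one XML `<Event>` per line) and applies rules for the behaviours listed above: account-management tools, writes to authentication files, sudo used to obtain a shell, setuid grants, execution from world-writable directories, and account enumeration. The sample events, host name and user names are constructed for the example; the `/etc/passwd+` and `/etc/sudoers.tmp` temp-file names the comment mentions are the ones shadow-utils and visudo use, which is why the auth-file rule matches on a path prefix rather than the exact path.

```python
import re
import xml.etree.ElementTree as ET
from os.path import basename
from xml.sax.saxutils import escape

# Sysmon for Linux writes each event to syslog as one line carrying an XML <Event>.
SYSLOG_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} +\d+ \d\d:\d\d:\d\d) (?P<host>\S+) sysmon: (?P<xml><Event>.*</Event>)\s*$"
)
AUTH_FILES = ("/etc/passwd", "/etc/shadow", "/etc/group", "/etc/gshadow", "/etc/sudoers")
ACCOUNT_TOOLS = {"useradd", "adduser", "userdel", "deluser", "usermod", "passwd", "chpasswd",
                 "gpasswd", "groupadd", "groupmod", "groupdel", "visudo", "vipw", "vigr"}
WRITABLE_DIRS = ("/tmp/", "/var/tmp/", "/dev/shm/")
SUDO_SHELL_RE = re.compile(r"(?:^|\s)(?:-i|-s|su|bash|sh|zsh|dash)(?:\s|$)")
SETUID_RE = re.compile(r"^chmod\s+(?:\S+\s+)*(?:[ugoa]*\+[rwx]*s|[2-7]?[4-7]\d{3})\b")
ENUM_RE = re.compile(
    r"^(?:cat|less|more|head|tail|grep)\s.*?/etc/(?:passwd|shadow|group|sudoers)\b"
    r"|^getent\s+(?:passwd|shadow|group)\b|^sudo\s+-l(?:\s|$)|^(?:id|whoami)(?:\s|$)"
    r"|^find\s.*-perm\s+\S*(?:[24]000|u=s)"
)


def parse_event(line):
    """Parse one Sysmon for Linux syslog line into a flat dict; None for other lines."""
    m = SYSLOG_RE.match(line)
    if not m:
        return None
    root = ET.fromstring(m.group("xml"))
    ev = {"host": m.group("host"), "EventID": int(root.findtext("System/EventID"))}
    for d in root.findall("EventData/Data"):
        ev[d.get("Name")] = d.text or ""
    return ev


def classify(ev):
    """Return (severity, rule, detail) findings for one parsed event."""
    out, eid, user = [], ev["EventID"], ev.get("User", "?")
    if eid == 1:  # ProcessCreate
        image, cmd = ev.get("Image", ""), ev.get("CommandLine", "")
        tool = basename(image)
        # sudo spawns the target as a child with its own event 1 (User=root), so account
        # tools are caught whether or not they were launched through sudo.
        if tool in ACCOUNT_TOOLS:
            out.append(("high", "account_tool", f"{user} ran {cmd!r} (parent {ev.get('ParentImage', '?')})"))
        if tool == "sudo" and (SUDO_SHELL_RE.search(cmd) or any(f in cmd for f in AUTH_FILES)):
            out.append(("medium", "sudo_shell_or_authfile", f"{user} ran {cmd!r}"))
        if SETUID_RE.match(cmd):
            out.append(("high", "setuid_grant", f"{user} ran {cmd!r}"))
        if image.startswith(WRITABLE_DIRS):
            out.append(("high", "exec_from_writable_dir", f"{user} executed {image}"))
        if ENUM_RE.search(cmd):
            out.append(("low", "enumeration", f"{user} ran {cmd!r}"))
    elif eid == 11:  # FileCreate
        target = ev.get("TargetFilename", "")
        # Editors and shadow-utils write a temp copy next to the real file and rename it
        # into place (/etc/passwd+, /etc/sudoers.tmp), hence prefix matching.
        if target.startswith(AUTH_FILES) or target.startswith("/etc/sudoers.d/"):
            out.append(("high", "auth_file_write", f"{basename(ev.get('Image', '?'))} wrote {target} as {user}"))
    return out


def scan(lines):
    """Apply every rule to an iterable of syslog lines; returns [(UtcTime, severity, rule, detail)]."""
    findings = []
    for line in lines:
        ev = parse_event(line)
        if ev:
            findings.extend((ev.get("UtcTime", "?"), *f) for f in classify(ev))
    return findings


def _sysmon_line(eid, **data):
    """Constructed sample input in the shape Sysmon for Linux emits (only the fields used here)."""
    fields = "".join(f'<Data Name="{k}">{escape(v)}</Data>' for k, v in data.items())
    return ('Nov  4 10:15:00 host1 sysmon: <Event><System><Provider Name="Linux-Sysmon"/>'
            f"<EventID>{eid}</EventID><Computer>host1</Computer></System><EventData>{fields}</EventData></Event>")


SAMPLE_LOG = [  # constructed scenario: account creation, enumeration, root shell, dropped binary
    _sysmon_line(1, UtcTime="2024-11-04 10:15:01.000", Image="/usr/sbin/useradd", User="root",
                 CommandLine="useradd -m -G sudo svc-backup", ParentImage="/usr/bin/sudo"),
    _sysmon_line(11, UtcTime="2024-11-04 10:15:01.050", Image="/usr/sbin/useradd", User="root",
                 TargetFilename="/etc/passwd+"),
    _sysmon_line(1, UtcTime="2024-11-04 10:16:00.000", Image="/usr/bin/cat", User="alice",
                 CommandLine="cat /etc/passwd", ParentImage="/usr/bin/bash"),
    _sysmon_line(1, UtcTime="2024-11-04 10:17:00.000", Image="/usr/bin/sudo", User="alice",
                 CommandLine="sudo -i", ParentImage="/usr/bin/bash"),
    _sysmon_line(1, UtcTime="2024-11-04 10:18:00.000", Image="/tmp/.cache/pe", User="alice",
                 CommandLine="/tmp/.cache/pe", ParentImage="/usr/bin/bash"),
    _sysmon_line(1, UtcTime="2024-11-04 10:18:01.000", Image="/usr/bin/chmod", User="root",
                 CommandLine="chmod u+s /tmp/.cache/sh", ParentImage="/tmp/.cache/pe"),
    _sysmon_line(1, UtcTime="2024-11-04 10:19:00.000", Image="/usr/bin/ls", User="alice",
                 CommandLine="ls -la /home", ParentImage="/usr/bin/bash"),  # benign, no alert
    "Nov  4 10:19:01 host1 CRON[1234]: (root) CMD (run-parts /etc/cron.hourly)",  # not Sysmon
]

if __name__ == "__main__":
    for when, sev, rule, detail in scan(SAMPLE_LOG):
        print(f"{when} [{sev:6}] {rule:24} {detail}")
```

To run it against a live host, replace `SAMPLE_LOG` with the lines of `/var/log/syslog` (or `journalctl -o cat -t sysmon`). The `sudo_shell_or_authfile` and `enumeration` rules are deliberately coarse and will need tuning per environment; the account-tool and auth-file-write rules are the ones worth paging on.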

What You'll Learn

  • Deploying Sysmon for Linux for User Activity Monitoring

    Learn how to install and configure Sysmon for Linux to capture detailed telemetry on user account changes, privilege-related events, and sensitive file interactions.

  • Detecting Unauthorized Account Modifications

    Understand how to identify suspicious actions such as unauthorized user creation/deletion and changes to /etc/passwd, /etc/shadow, or /etc/sudoers.

  • Monitoring Privilege Escalation Attempts

    See how Sysmon events expose high-risk behaviors like misuse of sudo, privilege escalation tools, and manipulations of user permissions.

Prerequisites

  • Linux system (Ubuntu recommended) with Sysmon for Linux installed
  • Basic understanding of Linux user management (useradd, passwd, sudo, groups)
  • Familiarity with authentication files (/etc/passwd, /etc/shadow, /etc/sudoers)

About Trainer

Rajneesh Gupta

Rajneesh Gupta is a seasoned cybersecurity professional with over 11 years of industry experience. With a remarkable career focused on incident response, penetration testing, security compliance, and risk management, Rajneesh has established himself as a leading expert in the field. He is also an accomplished author, having penned the book "Hands-on with Blockchain and Cybersecurity". As a dedicated educator, Rajneesh has made a significant impact on the cybersecurity community by training over 60,000 students globally.

Related Projects

Apache Server Log Analysis using Splunk

Detecting Brute Force, SQL Injection, XSS, and Suspicious Web Activity from Apache Access Logs with Splunk SIEM

Practical AWS Cloud Security Posture Assessment Using Scout Suite

Identify real-world AWS attack surfaces through visual security posture analysis.

Wazuh + n8n + Anyrun: Automated Malware Analysis

Automate malware analysis by sending Wazuh-detected suspicious files into ANY.RUN, retrieving detailed reports and IOCs, and integrating results back into your SOC workflow.