Skip to content

Commit

Permalink
[Rule Tuning] Potential Sudo Hijacking (#3745)
Browse files Browse the repository at this point in the history
* [Rule Tuning] Potential Sudo Hijacking

* Update rules/linux/privilege_escalation_sudo_hijacking.toml

* Update rules/linux/privilege_escalation_sudo_hijacking.toml
  • Loading branch information
Aegrah authored Jun 6, 2024
1 parent 342fde0 commit 61ab035
Showing 1 changed file with 27 additions and 22 deletions.
49 changes: 27 additions & 22 deletions rules/linux/privilege_escalation_sudo_hijacking.toml
Original file line number Diff line number Diff line change
Expand Up @@ -2,7 +2,7 @@
creation_date = "2023/07/26"
integration = ["endpoint"]
maturity = "production"
updated_date = "2024/05/21"
updated_date = "2024/06/03"

[rule]
author = ["Elastic"]
Expand All @@ -12,10 +12,10 @@ replace it with a custom binary or script that can read the user's password in c
enable persistence onto the system every time the sudo binary is executed.
"""
from = "now-9m"
index = ["logs-endpoint.events.*", "endgame-*"]
language = "kuery"
index = ["logs-endpoint.events.file*"]
language = "eql"
license = "Elastic License v2"
name = "Potential Sudo Hijacking Detected"
name = "Potential Sudo Hijacking"
references = ["https://eapolsniper.github.io/2020/08/17/Sudo-Hijacking/"]
risk_score = 47
rule_id = "88fdcb8c-60e5-46ee-9206-2663adf1b1ce"
Expand Down Expand Up @@ -51,53 +51,58 @@ tags = [
"Use Case: Threat Detection",
"Tactic: Privilege Escalation",
"Tactic: Persistence",
"Data Source: Elastic Endgame",
"Data Source: Elastic Defend",
]
timestamp_override = "event.ingested"
type = "new_terms"

type = "eql"
query = '''
host.os.type:linux and event.category:file and event.type:("creation" or "file_create_event") and
file.path:("/usr/bin/sudo" or "/bin/sudo") and not process.name:(docker or dockerd or pacman)
file where host.os.type == "linux" and event.action in ("creation", "rename") and
file.path in ("/usr/bin/sudo", "/bin/sudo") and not (
file.Ext.original.path in ("/usr/bin/sudo", "/bin/sudo") or
process.executable in (
"/bin/dpkg", "/usr/bin/dpkg", "/bin/dockerd", "/usr/bin/dockerd", "/usr/sbin/dockerd", "/bin/microdnf",
"/bin/rpm", "/usr/bin/rpm", "/bin/snapd", "/usr/bin/snapd", "/bin/yum", "/usr/bin/yum", "/bin/dnf", "/usr/bin/dnf",
"/bin/podman", "/usr/bin/podman", "/bin/dnf-automatic", "/usr/bin/dnf-automatic", "/bin/pacman", "/usr/bin/pacman",
"/usr/bin/dpkg-divert", "/bin/dpkg-divert", "/sbin/apk", "/usr/sbin/apk", "/usr/local/sbin/apk", "/usr/bin/apt",
"/usr/sbin/pacman", "/usr/bin/microdnf", "/usr/local/bin/dockerd", "/usr/local/bin/podman", "/usr/local/bin/dnf",
"/kaniko/executor", "/proc/self/exe", "/usr/bin/apt-get", "/usr/bin/apt-cache", "/usr/bin/apt-mark"
) or
file.Ext.original.extension == "dpkg-new" or
process.executable : (
"/nix/store/*", "/var/lib/dpkg/*", "/tmp/vmis.*", "/snap/*", "/dev/fd/*", "/var/lib/docker/*"
) or
process.executable == null or
(process.name == "sed" and file.name : "sed*")
)
'''


[[rule.threat]]
framework = "MITRE ATT&CK"

[[rule.threat.technique]]
id = "T1548"
name = "Abuse Elevation Control Mechanism"
reference = "https://attack.mitre.org/techniques/T1548/"

[[rule.threat.technique.subtechnique]]
id = "T1548.003"
name = "Sudo and Sudo Caching"
reference = "https://attack.mitre.org/techniques/T1548/003/"



[rule.threat.tactic]
id = "TA0004"
name = "Privilege Escalation"
reference = "https://attack.mitre.org/tactics/TA0004/"

[[rule.threat]]
framework = "MITRE ATT&CK"

[[rule.threat.technique]]
id = "T1574"
name = "Hijack Execution Flow"
reference = "https://attack.mitre.org/techniques/T1574/"


[rule.threat.tactic]
id = "TA0003"
name = "Persistence"
reference = "https://attack.mitre.org/tactics/TA0003/"

[rule.new_terms]
field = "new_terms_fields"
value = ["host.id", "user.id", "process.executable"]
[[rule.new_terms.history_window_start]]
field = "history_window_start"
value = "now-7d"


0 comments on commit 61ab035

Please sign in to comment.