From 23bc4a0a102194dc808f661310e982ff031724d7 Mon Sep 17 00:00:00 2001 From: Ruben Groenewoud <78494512+Aegrah@users.noreply.github.com> Date: Mon, 3 Jun 2024 13:31:22 +0200 Subject: [PATCH 1/3] [Rule Tuning] Potential Sudo Hijacking --- .../privilege_escalation_sudo_hijacking.toml | 49 ++++++++++--------- 1 file changed, 27 insertions(+), 22 deletions(-) diff --git a/rules/linux/privilege_escalation_sudo_hijacking.toml b/rules/linux/privilege_escalation_sudo_hijacking.toml index cc224a4bab0..5a3c26f6401 100644 --- a/rules/linux/privilege_escalation_sudo_hijacking.toml +++ b/rules/linux/privilege_escalation_sudo_hijacking.toml @@ -2,7 +2,7 @@ creation_date = "2023/07/26" integration = ["endpoint"] maturity = "production" -updated_date = "2024/05/21" +updated_date = "2024/06/03" [rule] author = ["Elastic"] @@ -12,10 +12,10 @@ replace it with a custom binary or script that can read the user's password in c enable persistence onto the system every time the sudo binary is executed. """ from = "now-9m" -index = ["logs-endpoint.events.*", "endgame-*"] -language = "kuery" +index = ["logs-endpoint.events.*"] +language = "eql" license = "Elastic License v2" -name = "Potential Sudo Hijacking Detected" +name = "Potential Sudo Hijacking" references = ["https://eapolsniper.github.io/2020/08/17/Sudo-Hijacking/"] risk_score = 47 rule_id = "88fdcb8c-60e5-46ee-9206-2663adf1b1ce" @@ -51,53 +51,58 @@ tags = [ "Use Case: Threat Detection", "Tactic: Privilege Escalation", "Tactic: Persistence", - "Data Source: Elastic Endgame", "Data Source: Elastic Defend", ] timestamp_override = "event.ingested" -type = "new_terms" - +type = "eql" query = ''' -host.os.type:linux and event.category:file and event.type:("creation" or "file_create_event") and -file.path:("/usr/bin/sudo" or "/bin/sudo") and not process.name:(docker or dockerd or pacman) +file where host.os.type == "linux" and event.action in ("creation", "rename") and +file.path in ("/usr/bin/sudo", "/bin/sudo") and not ( + file.Ext.original.path in ("/usr/bin/sudo", "/bin/sudo") or + process.executable in ( + "/bin/dpkg", "/usr/bin/dpkg", "/bin/dockerd", "/usr/bin/dockerd", "/usr/sbin/dockerd", "/bin/microdnf", + "/bin/rpm", "/usr/bin/rpm", "/bin/snapd", "/usr/bin/snapd", "/bin/yum", "/usr/bin/yum", "/bin/dnf", "/usr/bin/dnf", + "/bin/podman", "/usr/bin/podman", "/bin/dnf-automatic", "/usr/bin/dnf-automatic", "/bin/pacman", "/usr/bin/pacman", + "/usr/bin/dpkg-divert", "/bin/dpkg-divert", "/sbin/apk", "/usr/sbin/apk", "/usr/local/sbin/apk", "/usr/bin/apt", + "/usr/sbin/pacman", "/usr/bin/microdnf", "/usr/local/bin/dockerd", "/usr/local/bin/podman", "/usr/local/bin/dnf", + "/kaniko/executor", "/proc/self/exe", "/usr/bin/apt-get", "/usr/bin/apt-cache", "/usr/bin/apt-mark", + ) or + file.Ext.original.extension == "dpkg-new" or + process.executable : ( + "/nix/store/*", "/var/lib/dpkg/*", "/tmp/vmis.*", "/snap/*", "/dev/fd/*", "/var/lib/docker/*" + ) or + process.executable == null or + (process.name == "sed" and file.name : "sed*") +) ''' - [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1548" name = "Abuse Elevation Control Mechanism" reference = "https://attack.mitre.org/techniques/T1548/" + [[rule.threat.technique.subtechnique]] id = "T1548.003" name = "Sudo and Sudo Caching" reference = "https://attack.mitre.org/techniques/T1548/003/" - - [rule.threat.tactic] id = "TA0004" name = "Privilege Escalation" reference = "https://attack.mitre.org/tactics/TA0004/" + [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1574" name = "Hijack Execution Flow" reference = "https://attack.mitre.org/techniques/T1574/" - [rule.threat.tactic] id = "TA0003" name = "Persistence" reference = "https://attack.mitre.org/tactics/TA0003/" - -[rule.new_terms] -field = "new_terms_fields" -value = ["host.id", "user.id", "process.executable"] -[[rule.new_terms.history_window_start]] -field = "history_window_start" -value = "now-7d" - - From 0cac2a50feb9a0d9dd95ab0c68bca9c2d3898e3d Mon Sep 17 00:00:00 2001 From: Ruben Groenewoud <78494512+Aegrah@users.noreply.github.com> Date: Thu, 6 Jun 2024 11:30:39 +0200 Subject: [PATCH 2/3] Update rules/linux/privilege_escalation_sudo_hijacking.toml --- rules/linux/privilege_escalation_sudo_hijacking.toml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/rules/linux/privilege_escalation_sudo_hijacking.toml b/rules/linux/privilege_escalation_sudo_hijacking.toml index 5a3c26f6401..74dbba5598e 100644 --- a/rules/linux/privilege_escalation_sudo_hijacking.toml +++ b/rules/linux/privilege_escalation_sudo_hijacking.toml @@ -12,7 +12,7 @@ replace it with a custom binary or script that can read the user's password in c enable persistence onto the system every time the sudo binary is executed. """ from = "now-9m" -index = ["logs-endpoint.events.*"] +index = ["logs-endpoint.events.file*"] language = "eql" license = "Elastic License v2" name = "Potential Sudo Hijacking" From 7430c7346ae85099667598e90f5d0f64ccdcd552 Mon Sep 17 00:00:00 2001 From: Ruben Groenewoud <78494512+Aegrah@users.noreply.github.com> Date: Thu, 6 Jun 2024 11:50:34 +0200 Subject: [PATCH 3/3] Update rules/linux/privilege_escalation_sudo_hijacking.toml --- rules/linux/privilege_escalation_sudo_hijacking.toml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/rules/linux/privilege_escalation_sudo_hijacking.toml b/rules/linux/privilege_escalation_sudo_hijacking.toml index 74dbba5598e..1f9c23cd593 100644 --- a/rules/linux/privilege_escalation_sudo_hijacking.toml +++ b/rules/linux/privilege_escalation_sudo_hijacking.toml @@ -65,7 +65,7 @@ file.path in ("/usr/bin/sudo", "/bin/sudo") and not ( "/bin/podman", "/usr/bin/podman", "/bin/dnf-automatic", "/usr/bin/dnf-automatic", "/bin/pacman", "/usr/bin/pacman", "/usr/bin/dpkg-divert", "/bin/dpkg-divert", "/sbin/apk", "/usr/sbin/apk", "/usr/local/sbin/apk", "/usr/bin/apt", "/usr/sbin/pacman", "/usr/bin/microdnf", "/usr/local/bin/dockerd", "/usr/local/bin/podman", "/usr/local/bin/dnf", - "/kaniko/executor", "/proc/self/exe", "/usr/bin/apt-get", "/usr/bin/apt-cache", "/usr/bin/apt-mark", + "/kaniko/executor", "/proc/self/exe", "/usr/bin/apt-get", "/usr/bin/apt-cache", "/usr/bin/apt-mark" ) or file.Ext.original.extension == "dpkg-new" or process.executable : (