Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

[Rule Tuning] Potential Sudo Hijacking #3745

Merged
merged 4 commits into from
Jun 6, 2024
Merged

[Rule Tuning] Potential Sudo Hijacking #3745

merged 4 commits into from
Jun 6, 2024

Conversation

Aegrah
Copy link
Contributor

@Aegrah Aegrah commented Jun 3, 2024

Summary

Research related to this PR is conducted and documented in https://github.com/elastic/ia-trade-team/issues/374. This issue also contains the query + validation aspect.

This PR:

  • Leverages the new .Ext field in Linux file events to detect potential Sudo Hijacking.
  • It reverts the new_terms change to EQL, as there are no FPs left in tuning based on the robust set of exclusions.

@Aegrah Aegrah added OS: Linux Rule: Tuning tweaking or tuning an existing rule Area: RAD Team: TRADE labels Jun 3, 2024
@Aegrah Aegrah self-assigned this Jun 3, 2024
@Aegrah Aegrah marked this pull request as ready for review June 3, 2024 11:45
Copy link
Contributor

@terrancedejesus terrancedejesus left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Nice change for the rule and making use of .Ext fields 👍🏽

@Aegrah Aegrah merged commit 61ab035 into main Jun 6, 2024
9 checks passed
@Aegrah Aegrah deleted the tuning-sudo-hijacking branch June 6, 2024 09:59
protectionsmachine pushed a commit that referenced this pull request Jun 6, 2024
* [Rule Tuning] Potential Sudo Hijacking

* Update rules/linux/privilege_escalation_sudo_hijacking.toml

* Update rules/linux/privilege_escalation_sudo_hijacking.toml

(cherry picked from commit 61ab035)
protectionsmachine pushed a commit that referenced this pull request Jun 6, 2024
* [Rule Tuning] Potential Sudo Hijacking

* Update rules/linux/privilege_escalation_sudo_hijacking.toml

* Update rules/linux/privilege_escalation_sudo_hijacking.toml

(cherry picked from commit 61ab035)
protectionsmachine pushed a commit that referenced this pull request Jun 6, 2024
* [Rule Tuning] Potential Sudo Hijacking

* Update rules/linux/privilege_escalation_sudo_hijacking.toml

* Update rules/linux/privilege_escalation_sudo_hijacking.toml

(cherry picked from commit 61ab035)
protectionsmachine pushed a commit that referenced this pull request Jun 6, 2024
* [Rule Tuning] Potential Sudo Hijacking

* Update rules/linux/privilege_escalation_sudo_hijacking.toml

* Update rules/linux/privilege_escalation_sudo_hijacking.toml

(cherry picked from commit 61ab035)
protectionsmachine pushed a commit that referenced this pull request Jun 6, 2024
* [Rule Tuning] Potential Sudo Hijacking

* Update rules/linux/privilege_escalation_sudo_hijacking.toml

* Update rules/linux/privilege_escalation_sudo_hijacking.toml

(cherry picked from commit 61ab035)
protectionsmachine pushed a commit that referenced this pull request Jun 6, 2024
* [Rule Tuning] Potential Sudo Hijacking

* Update rules/linux/privilege_escalation_sudo_hijacking.toml

* Update rules/linux/privilege_escalation_sudo_hijacking.toml

(cherry picked from commit 61ab035)
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Projects
None yet
Development

Successfully merging this pull request may close these issues.

3 participants