2019-11-12 23:12:27 +01:00
|
|
|
title: Privilege Escalation Preparation
|
|
|
|
|
id: 444ade84-c362-4260-b1f3-e45e20e1a905
|
2021-11-27 11:33:14 +01:00
|
|
|
status: test
|
2019-04-07 15:36:19 +02:00
|
|
|
description: Detects suspicious shell commands indicating the information gathering phase as preparation for the Privilege Escalation.
|
|
|
|
|
references:
|
2022-08-04 18:08:08 +01:00
|
|
|
- https://blog.g0tmi1k.com/2011/08/basic-linux-privilege-escalation/
|
|
|
|
|
- https://patrick-bareiss.com/detect-privilege-escalation-preparation-in-linux-with-sigma/
|
|
|
|
|
- https://github.com/uber-common/metta/blob/master/MITRE/Privilege_Escalation/privesc_linux_filesystemweakness.yml
|
2022-10-25 08:53:44 +02:00
|
|
|
author: Patrick Bareiss
|
2021-11-27 11:33:14 +01:00
|
|
|
date: 2019/04/05
|
2022-11-01 12:32:46 +01:00
|
|
|
modified: 2022/11/01
|
2022-10-25 08:53:44 +02:00
|
|
|
tags:
|
|
|
|
|
- attack.execution
|
|
|
|
|
- attack.t1059.004
|
2019-04-07 15:36:19 +02:00
|
|
|
logsource:
|
2022-08-04 18:08:08 +01:00
|
|
|
product: linux
|
2019-04-07 15:36:19 +02:00
|
|
|
detection:
|
2022-08-04 18:08:08 +01:00
|
|
|
keywords:
|
2019-04-07 15:36:19 +02:00
|
|
|
# distribution type and kernel version
|
2022-08-04 18:08:08 +01:00
|
|
|
- 'cat /etc/issue'
|
|
|
|
|
- 'cat /etc/*-release'
|
|
|
|
|
- 'cat /proc/version'
|
|
|
|
|
- 'uname -a'
|
|
|
|
|
- 'uname -mrs'
|
|
|
|
|
- 'rpm -q kernel'
|
|
|
|
|
- 'dmesg | grep Linux'
|
|
|
|
|
- 'ls /boot | grep vmlinuz-'
|
2019-04-07 15:36:19 +02:00
|
|
|
# environment variables
|
2022-08-04 18:08:08 +01:00
|
|
|
- 'cat /etc/profile'
|
|
|
|
|
- 'cat /etc/bashrc'
|
|
|
|
|
- 'cat ~/.bash_profile'
|
|
|
|
|
- 'cat ~/.bashrc'
|
|
|
|
|
- 'cat ~/.bash_logout'
|
2019-04-07 15:36:19 +02:00
|
|
|
# applications and services as root
|
2022-08-04 18:08:08 +01:00
|
|
|
- 'ps -aux | grep root'
|
|
|
|
|
- 'ps -ef | grep root'
|
2019-04-07 15:36:19 +02:00
|
|
|
# scheduled tasks
|
2022-08-04 18:08:08 +01:00
|
|
|
- 'crontab -l'
|
|
|
|
|
- 'cat /etc/cron*'
|
|
|
|
|
- 'cat /etc/cron.allow'
|
|
|
|
|
- 'cat /etc/cron.deny'
|
|
|
|
|
- 'cat /etc/crontab'
|
2019-04-07 15:36:19 +02:00
|
|
|
# search for plain text user/passwords
|
2022-08-04 18:08:08 +01:00
|
|
|
- 'grep -i user *'
|
|
|
|
|
- 'grep -i pass *'
|
2019-04-07 15:36:19 +02:00
|
|
|
# networking
|
2022-08-04 18:08:08 +01:00
|
|
|
- 'ifconfig'
|
|
|
|
|
- 'cat /etc/network/interfaces'
|
|
|
|
|
- 'cat /etc/sysconfig/network'
|
|
|
|
|
- 'cat /etc/resolv.conf'
|
|
|
|
|
- 'cat /etc/networks'
|
|
|
|
|
- 'iptables -L'
|
2022-10-31 09:38:45 -04:00
|
|
|
- 'ip6tables -L'
|
2022-08-04 18:08:08 +01:00
|
|
|
- 'lsof -i'
|
|
|
|
|
- 'netstat -antup'
|
|
|
|
|
- 'netstat -antpx'
|
|
|
|
|
- 'netstat -tulpn'
|
|
|
|
|
- 'arp -e'
|
|
|
|
|
- 'route'
|
2019-04-07 15:36:19 +02:00
|
|
|
# sensitive files
|
2022-08-04 18:08:08 +01:00
|
|
|
- 'cat /etc/passwd'
|
|
|
|
|
- 'cat /etc/group'
|
|
|
|
|
- 'cat /etc/shadow'
|
2019-09-06 11:25:48 -04:00
|
|
|
# sticky bits
|
2022-08-04 18:08:08 +01:00
|
|
|
- 'find / -perm -u=s'
|
|
|
|
|
- 'find / -perm -g=s'
|
|
|
|
|
- 'find / -perm -4000'
|
|
|
|
|
- 'find / -perm -2000'
|
|
|
|
|
# world writable files
|
|
|
|
|
- 'find / -perm -o+w'
|
|
|
|
|
timeframe: 30m
|
|
|
|
|
condition: keywords | count() by host > 6
|
2019-04-07 15:36:19 +02:00
|
|
|
falsepositives:
|
2022-08-04 18:08:08 +01:00
|
|
|
- Troubleshooting on Linux Machines
|
2020-09-13 22:03:04 -06:00
|
|
|
level: medium
|
