security-tools/blue-team-tools
1
0
Fork 0
Code Issues Pull Requests Actions 1 Packages Projects Releases Wiki Activity
Files
e91fc4486e57fc40e30d12253694de4c80a9e4ea
blue-team-tools/rules/linux/auditd/lnx_auditd_capabilities_discovery.yml
T
phantinuss 8d3f8acb60 fix: none --> Unknown
2022-03-16 14:19:21 +01:00

29 lines
924 B
YAML
Raw Blame History

title: Linux Capabilities Discovery
id: fe10751f-1995-40a5-aaa2-c97ccb4123fe
description: Detects attempts to discover the files with setuid/setgid capabilitiy on them. That would allow adversary to escalate their privileges.
author: 'Pawel Mazur'
status: experimental
date: 2021/11/28
references:
- https://man7.org/linux/man-pages/man8/getcap.8.html
- https://www.hackingarticles.in/linux-privilege-escalation-using-capabilities/
- https://mn3m.info/posts/suid-vs-capabilities/
- https://int0x33.medium.com/day-44-linux-capabilities-privilege-escalation-via-openssl-with-selinux-enabled-and-enforced-74d2bec02099
logsource:
product: linux
service: auditd
detection:
getcap:
type: EXECVE
a0: getcap
a1: '-r'
a2: '/'
condition: getcap
tags:
- attack.collection
- attack.privilege_escalation
- attack.t1123
- attack.t1548
falsepositives:
- Unknown
level: low
Reference in New Issue View Git Blame Copy Permalink