rules/linux/discovery_sudo_allowed_command_enumeration.toml

[metadata]
creation_date = "2023/08/30"
integration = ["endpoint"]
maturity = "production"
min_stack_comments = "New fields added: required_fields, related_integrations, setup"
min_stack_version = "8.3.0"
updated_date = "2023/08/30"

[rule]
author = ["Elastic"]
description = """
This rule monitors for the usage of the sudo -l command, which is used to list the allowed and forbidden commands for 
the invoking user. Attackers may execute this command to enumerate commands allowed to be executed with sudo permissions,
potentially allowing to escalate privileges to root. 
"""
from = "now-9m"
index = ["logs-endpoint.events.*"]
language = "eql"
license = "Elastic License v2"
name = "Sudo Command Enumeration Detected"
risk_score = 21
rule_id = "28d39238-0c01-420a-b77a-24e5a7378663"
severity = "low"
tags = ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Discovery", "Data Source: Elastic Defend"]
timestamp_override = "event.ingested"
type = "eql"
query = '''
process where host.os.type == "linux" and event.type == "start" and event.action == "exec" and 
process.name == "sudo" and process.args == "-l" and process.args_count == 2 and
process.parent.name in ("bash", "dash", "sh", "tcsh", "csh", "zsh", "ksh", "fish") and 
not group.Ext.real.id : "0" and not user.Ext.real.id : "0"
'''

[[rule.threat]]
framework = "MITRE ATT&CK"

[[rule.threat.technique]]
id = "T1033"
name = "System Owner/User Discovery"
reference = "https://attack.mitre.org/techniques/T1033/"

[rule.threat.tactic]
id = "TA0007"
name = "Discovery"
reference = "https://attack.mitre.org/tactics/TA0007/"
[New Rule] Sudo Command Enumeration Detected (#2946 ) 2023-08-03 09:39:16 +02:00			`[metadata]`
[Rule Tuning] 3 tunings to reduce FPs (#3058 ) 2023-08-31 17:16:57 +02:00			`creation_date = "2023/08/30"`
[New Rule] Sudo Command Enumeration Detected (#2946 ) 2023-08-03 09:39:16 +02:00			`integration = ["endpoint"]`
			`maturity = "production"`
			`min_stack_comments = "New fields added: required_fields, related_integrations, setup"`
			`min_stack_version = "8.3.0"`
[Rule Tuning] 3 tunings to reduce FPs (#3058 ) 2023-08-31 17:16:57 +02:00			`updated_date = "2023/08/30"`
[New Rule] Sudo Command Enumeration Detected (#2946 ) 2023-08-03 09:39:16 +02:00
			`[rule]`
			`author = ["Elastic"]`
			`description = """`
			`This rule monitors for the usage of the sudo -l command, which is used to list the allowed and forbidden commands for`
			`the invoking user. Attackers may execute this command to enumerate commands allowed to be executed with sudo permissions,`
			`potentially allowing to escalate privileges to root.`
			`"""`
			`from = "now-9m"`
			`index = ["logs-endpoint.events.*"]`
			`language = "eql"`
			`license = "Elastic License v2"`
			`name = "Sudo Command Enumeration Detected"`
			`risk_score = 21`
			`rule_id = "28d39238-0c01-420a-b77a-24e5a7378663"`
			`severity = "low"`
[Security Content] Include "Data Source: Elastic Defend" tag (#3002 ) 2023-09-05 15:22:01 -03:00			`tags = ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Discovery", "Data Source: Elastic Defend"]`
[New Rule] Sudo Command Enumeration Detected (#2946 ) 2023-08-03 09:39:16 +02:00			`timestamp_override = "event.ingested"`
			`type = "eql"`
			`query = '''`
			`process where host.os.type == "linux" and event.type == "start" and event.action == "exec" and`
[Rule Tuning] 3 tunings to reduce FPs (#3058 ) 2023-08-31 17:16:57 +02:00			`process.name == "sudo" and process.args == "-l" and process.args_count == 2 and`
[New Rule] Sudo Command Enumeration Detected (#2946 ) 2023-08-03 09:39:16 +02:00			`process.parent.name in ("bash", "dash", "sh", "tcsh", "csh", "zsh", "ksh", "fish") and`
			`not group.Ext.real.id : "0" and not user.Ext.real.id : "0"`
			`'''`

			`[[rule.threat]]`
			`framework = "MITRE ATT&CK"`

			`[[rule.threat.technique]]`
			`id = "T1033"`
			`name = "System Owner/User Discovery"`
			`reference = "https://attack.mitre.org/techniques/T1033/"`

			`[rule.threat.tactic]`
			`id = "TA0007"`
			`name = "Discovery"`
			`reference = "https://attack.mitre.org/tactics/TA0007/"`