[Rule Tuning] Setuid / Setgid Bit Set via chmod (#1032)

* [Rule Tuning] Setuid / Setgid Bit Set via chmod

* update date

* Update rules/cross-platform/privilege_escalation_setuid_setgid_bit_set_via_chmod.toml

Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>

Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>
This commit is contained in:
Samirbous
2021-04-14 16:41:37 +02:00
committed by GitHub
parent 2926e98c5d
commit 00923dcde1
@@ -1,7 +1,7 @@
[metadata]
creation_date = "2020/04/23"
maturity = "production"
updated_date = "2021/03/03"
updated_date = "2021/03/10"
[rule]
author = ["Elastic"]
@@ -26,8 +26,31 @@ timestamp_override = "event.ingested"
type = "query"
query = '''
event.category:process AND event.type:(start OR process_started) AND process.name:chmod AND
process.args:("+s" OR "u+s" OR /4[0-9]{3}/ OR g+s OR /2[0-9]{3}/)
event.category:process AND event.type:(start OR process_started) AND
process.name:chmod AND process.args:("+s" OR "u+s" OR /4[0-9]{3}/ OR g+s OR /2[0-9]{3}/) AND
NOT process.args:
(
/.*\/Applications\/VirtualBox.app\/.+/ OR
/\/usr\/local\/lib\/python.+/ OR
/\/var\/folders\/.+\/FP.*nstallHelper/ OR
/\/Library\/Filesystems\/.+/ OR
/\/usr\/lib\/virtualbox\/.+/ OR
/\/Library\/Application.*/ OR
"/run/postgresql" OR
"/var/crash" OR
"/var/run/postgresql" OR
/\/usr\/bin\/.+/ OR /\/usr\/local\/share\/.+/ OR
/\/Applications\/.+/ OR /\/usr\/libexec\/.+/ OR
"/var/metrics" OR /\/var\/lib\/dpkg\/.+/ OR
/\/run\/log\/journal\/.*/ OR
\/Users\/*\/.minikube\/bin\/docker-machine-driver-hyperkit
) AND
NOT process.parent.executable:
(
/\/var\/lib\/docker\/.+/ OR
"/System/Library/PrivateFrameworks/PackageKit.framework/Versions/A/XPCServices/package_script_service.xpc/Contents/MacOS/package_script_service" OR
"/var/lib/dpkg/info/whoopsie.postinst"
)
'''
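Review bot: The new `NOT process.args:` list in this hunk mixes narrow application exceptions with directory-wide patterns such as `/\/usr\/bin\/.+/`, `/\/Applications\/.+/`, `/\/usr\/local\/share\/.+/` and `/\/Library\/Application.*/`, which exempt whole system and application trees from a rule mapped to the Persistence tactic (TA0003), so a setuid/setgid bit set on an unexpected file under those trees no longer alerts. Because `process.args` is multi-valued, one matching argument suppresses the entire chmod invocation, so these broad entries should be narrowed to the specific installer or package paths that were observed generating noise, or handled as exceptions outside the rule. The entry `\/Users\/*\/.minikube\/bin\/docker-machine-driver-hyperkit` is written as an unquoted wildcard term while every sibling is a `/…/` regex or a quoted literal; whether that form parses as intended depends on the rule's query language, which is outside the hunk, so it is worth confirming and rewriting it as `/\/Users\/.+\/.minikube\/bin\/docker-machine-driver-hyperkit/` for consistency. A sentence in the rule's description or note field naming the source of each exception (VirtualBox, Python installers, dpkg, PackageKit, journald, minikube) would make this list maintainable when entries need to be revisited.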
@@ -55,4 +78,3 @@ framework = "MITRE ATT&CK"
id = "TA0003"
name = "Persistence"
reference = "https://attack.mitre.org/tactics/TA0003/"