security-tools/sigma-rules
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

[New Rule] SUID/SGUID Enumeration Detected (#2956)

Browse Source 
* [New Rule] SUID/SGUID Enumeration Detected

* Remove endgame compatibility

* readded endgame support after troubleshooting

* Update discovery_suid_sguid_enumeration.toml

* Update rules/linux/discovery_suid_sguid_enumeration.toml

Co-authored-by: Justin Ibarra <16747370+brokensound77@users.noreply.github.com>

---------

Co-authored-by: Justin Ibarra <16747370+brokensound77@users.noreply.github.com>
This commit is contained in:
Ruben Groenewoud
2023-08-03 09:57:30 +02:00
committed by GitHub
parent 716b621af2
commit 03110fb24c
1 changed files with 74 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files
rules/linux/discovery_suid_sguid_enumeration.toml
+74
View File
@@ -0,0 +1,74 @@
[metadata]
creation_date = "2023/07/24"
integration = ["endpoint"]
maturity = "production"
min_stack_comments = "New fields added: required_fields, related_integrations, setup"
min_stack_version = "8.3.0"
updated_date = "2023/07/24"
[rule]
author = ["Elastic"]
description = """
This rule monitors for the usage of the "find" command in conjunction with SUID and SGUID permission arguments. SUID
(Set User ID) and SGID (Set Group ID) are special permissions in Linux that allow a program to execute with the
privileges of the file owner or group, respectively, rather than the privileges of the user running the program. In
case an attacker is able to enumerate and find a binary that is misconfigured, they might be able to leverage this
misconfiguration to escalate privileges by exploiting vulnerabilities or built-in features in the privileged program.
"""
from = "now-9m"
index = ["logs-endpoint.events.*"]
language = "eql"
license = "Elastic License v2"
name = "SUID/SGUID Enumeration Detected"
risk_score = 21
rule_id = "5b06a27f-ad72-4499-91db-0c69667bffa5"
severity = "low"
tags = ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Discovery", "Tactic: Privilege Escalation"]
timestamp_override = "event.ingested"
type = "eql"
query = '''
process where host.os.type == "linux" and event.type == "start" and event.action == "exec" and
process.name == "find" and process.args : "-perm" and process.args : (
"/6000", "-6000", "/4000", "-4000", "/2000", "-2000", "/u=s", "-u=s", "/g=s", "-g=s", "/u=s,g=s", "/g=s,u=s"
) and
not user.Ext.real.id == "0" and not group.Ext.real.id == "0"
'''
[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1083"
name = "File and Directory Discovery"
reference = "https://attack.mitre.org/techniques/T1083/"
[rule.threat.tactic]
id = "TA0007"
name = "Discovery"
reference = "https://attack.mitre.org/tactics/TA0007/"
[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1548"
name = "Abuse Elevation Control Mechanism"
reference = "https://attack.mitre.org/techniques/T1548/"
[[rule.threat.technique.subtechnique]]
id = "T1548.001"
name = "Setuid and Setgid"
reference = "https://attack.mitre.org/techniques/T1548/001/"
[rule.threat.tactic]
id = "TA0004"
name = "Privilege Escalation"
reference = "https://attack.mitre.org/tactics/TA0004/"
[[rule.threat]]
framework = "MITRE ATT&CK"
[rule.threat.tactic]
id = "TA0003"
name = "Persistence"
reference = "https://attack.mitre.org/tactics/TA0003/"