diff --git a/rules/linux/discovery_suid_sguid_enumeration.toml b/rules/linux/discovery_suid_sguid_enumeration.toml new file mode 100644 index 000000000..0590ae316 --- /dev/null +++ b/rules/linux/discovery_suid_sguid_enumeration.toml @@ -0,0 +1,74 @@ +[metadata] +creation_date = "2023/07/24" +integration = ["endpoint"] +maturity = "production" +min_stack_comments = "New fields added: required_fields, related_integrations, setup" +min_stack_version = "8.3.0" +updated_date = "2023/07/24" + +[rule] +author = ["Elastic"] +description = """ +This rule monitors for the usage of the "find" command in conjunction with SUID and SGUID permission arguments. SUID +(Set User ID) and SGID (Set Group ID) are special permissions in Linux that allow a program to execute with the +privileges of the file owner or group, respectively, rather than the privileges of the user running the program. In +case an attacker is able to enumerate and find a binary that is misconfigured, they might be able to leverage this +misconfiguration to escalate privileges by exploiting vulnerabilities or built-in features in the privileged program. +""" +from = "now-9m" +index = ["logs-endpoint.events.*"] +language = "eql" +license = "Elastic License v2" +name = "SUID/SGUID Enumeration Detected" +risk_score = 21 +rule_id = "5b06a27f-ad72-4499-91db-0c69667bffa5" +severity = "low" +tags = ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Discovery", "Tactic: Privilege Escalation"] +timestamp_override = "event.ingested" +type = "eql" +query = ''' +process where host.os.type == "linux" and event.type == "start" and event.action == "exec" and +process.name == "find" and process.args : "-perm" and process.args : ( + "/6000", "-6000", "/4000", "-4000", "/2000", "-2000", "/u=s", "-u=s", "/g=s", "-g=s", "/u=s,g=s", "/g=s,u=s" +) and +not user.Ext.real.id == "0" and not group.Ext.real.id == "0" +''' + +[[rule.threat]] +framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1083" +name = "File and Directory Discovery" +reference = "https://attack.mitre.org/techniques/T1083/" + +[rule.threat.tactic] +id = "TA0007" +name = "Discovery" +reference = "https://attack.mitre.org/tactics/TA0007/" + +[[rule.threat]] +framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1548" +name = "Abuse Elevation Control Mechanism" +reference = "https://attack.mitre.org/techniques/T1548/" + +[[rule.threat.technique.subtechnique]] +id = "T1548.001" +name = "Setuid and Setgid" +reference = "https://attack.mitre.org/techniques/T1548/001/" + +[rule.threat.tactic] +id = "TA0004" +name = "Privilege Escalation" +reference = "https://attack.mitre.org/tactics/TA0004/" + +[[rule.threat]] +framework = "MITRE ATT&CK" + +[rule.threat.tactic] +id = "TA0003" +name = "Persistence" +reference = "https://attack.mitre.org/tactics/TA0003/"