From 6ea11cd9adbe9800e33df74840e44c31393a2d52 Mon Sep 17 00:00:00 2001 From: Ruben Groenewoud <78494512+Aegrah@users.noreply.github.com> Date: Wed, 18 Oct 2023 16:24:01 +0200 Subject: [PATCH] [New Rules] cap_setuid/cap_setgid privesc (#3075) * [New Rules] cap_setuid/cap_setgid privesc * Update persistence_setuid_setgid_capability_set.toml * Update rules/linux/privilege_escalation_suspicious_cap_setuid_python_execution.toml Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com> * Update privilege_escalation_suspicious_cap_setuid_python_execution.toml * Update rules/linux/privilege_escalation_suspicious_cap_setuid_python_execution.toml * Update privilege_escalation_suspicious_cap_setuid_python_execution.toml --------- Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com> --- ...sistence_setuid_setgid_capability_set.toml | 58 +++++++++++++++++++ ...uspicious_cap_setuid_python_execution.toml | 58 +++++++++++++++++++ 2 files changed, 116 insertions(+) create mode 100644 rules/linux/persistence_setuid_setgid_capability_set.toml create mode 100644 rules/linux/privilege_escalation_suspicious_cap_setuid_python_execution.toml diff --git a/rules/linux/persistence_setuid_setgid_capability_set.toml b/rules/linux/persistence_setuid_setgid_capability_set.toml new file mode 100644 index 000000000..2ad182e1f --- /dev/null +++ b/rules/linux/persistence_setuid_setgid_capability_set.toml @@ -0,0 +1,58 @@ +[metadata] +creation_date = "2023/09/05" +integration = ["endpoint"] +maturity = "production" +min_stack_comments = "New fields added: required_fields, related_integrations, setup" +min_stack_version = "8.3.0" +updated_date = "2023/09/05" + +[rule] +author = ["Elastic"] +description = """ +This rule monitors for the addition of the cap_setuid+ep or cap_setgid+ep capabilities via setcap. Setuid (Set User ID) +and setgid (Set Group ID) are Unix-like OS features that enable processes to run with elevated privileges, based on the +file owner or group. Threat actors can exploit these attributes to achieve persistence by creating malicious binaries, +allowing them to maintain control over a compromised system with elevated permissions. +""" +from = "now-9m" +index = ["logs-endpoint.events.*"] +language = "eql" +license = "Elastic License v2" +name = "Setcap setuid/setgid Capability Set" +risk_score = 47 +rule_id = "f5c005d3-4e17-48b0-9cd7-444d48857f97" +severity = "medium" +tags = ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Persistence", "Data Source: Elastic Defend"] +timestamp_override = "event.ingested" +type = "eql" +query = ''' +process where host.os.type == "linux" and event.action == "exec" and event.type == "start" and +process.name == "setcap" and process.args : "cap_set?id+ep" +''' + +[[rule.threat]] +framework = "MITRE ATT&CK" + +[rule.threat.tactic] +id = "TA0003" +name = "Persistence" +reference = "https://attack.mitre.org/tactics/TA0003/" + +[[rule.threat]] +framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1548" +name = "Abuse Elevation Control Mechanism" +reference = "https://attack.mitre.org/techniques/T1548/" + +[[rule.threat.technique.subtechnique]] +id = "T1548.001" +name = "Setuid and Setgid" +reference = "https://attack.mitre.org/techniques/T1548/001/" + +[rule.threat.tactic] +id = "TA0004" +name = "Privilege Escalation" +reference = "https://attack.mitre.org/tactics/TA0004/" + diff --git a/rules/linux/privilege_escalation_suspicious_cap_setuid_python_execution.toml b/rules/linux/privilege_escalation_suspicious_cap_setuid_python_execution.toml new file mode 100644 index 000000000..269e058a4 --- /dev/null +++ b/rules/linux/privilege_escalation_suspicious_cap_setuid_python_execution.toml @@ -0,0 +1,58 @@ +[metadata] +creation_date = "2023/09/05" +integration = ["endpoint"] +maturity = "production" +min_stack_comments = "New fields added: required_fields, related_integrations, setup" +min_stack_version = "8.3.0" +updated_date = "2023/09/05" + +[rule] +author = ["Elastic"] +description = """ +This detection rule monitors for the execution of a system command with setuid or setgid capabilities via Python, +followed by a uid or gid change to the root user. This sequence of events may indicate successful privilege escalation. +Setuid (Set User ID) and setgid (Set Group ID) are Unix-like OS features that enable processes to run with elevated +privileges, based on the file owner or group. Threat actors can exploit these attributes to escalate privileges to the +privileges that are set on the binary that is being executed. +""" +from = "now-9m" +index = ["logs-endpoint.events.*"] +language = "eql" +license = "Elastic License v2" +name = "Potential Privilege Escalation via Python cap_setuid" +risk_score = 47 +rule_id = "a0ddb77b-0318-41f0-91e4-8c1b5528834f" +severity = "medium" +tags = ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Privilege Escalation", "Data Source: Elastic Defend"] +type = "eql" +query = ''' +sequence by host.id, process.entity_id with maxspan=1s + [process where host.os.type == "linux" and event.action == "exec" and event.type == "start" and + process.args : "import os;os.set?id(0);os.system(*)" and process.args : "*python*" and user.id != "0"] + [process where host.os.type == "linux" and event.action in ("uid_change", "gid_change") and event.type == "change" and + (user.id == "0" or group.id == "0")] +''' + +[[rule.threat]] +framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1068" +name = "Exploitation for Privilege Escalation" +reference = "https://attack.mitre.org/techniques/T1068/" + +[[rule.threat.technique]] +id = "T1548" +name = "Abuse Elevation Control Mechanism" +reference = "https://attack.mitre.org/techniques/T1548/" + +[[rule.threat.technique.subtechnique]] +id = "T1548.001" +name = "Setuid and Setgid" +reference = "https://attack.mitre.org/techniques/T1548/001/" + +[rule.threat.tactic] +id = "TA0004" +name = "Privilege Escalation" +reference = "https://attack.mitre.org/tactics/TA0004/" +