[New Rule] Privilege Elevation via Sudoers File Modification (#917)

* [New Rule] Privilege Elevation via Sudoers File Modification

* Update privilege_escalation_echo_nopasswd_sudoers.toml

* group args

* Update rules/cross-platform/privilege_escalation_echo_nopasswd_sudoers.toml

Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>

* Update rules/cross-platform/privilege_escalation_echo_nopasswd_sudoers.toml

Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>

* lint rule

* added subtechnique

Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>
Co-authored-by: David French <56409778+threat-punter@users.noreply.github.com>
Samirbous
2021-02-09 21:58:31 +01:00
committed by GitHub
parent 424a182383
commit 769ced1001
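--- /dev/null
+++ b/rules/cross-platform/privilege_escalation_echo_nopasswd_sudoers.toml
@@ -0,0 +1,44 @@
+[metadata]
+creation_date = "2021/01/26"
+maturity = "production"
+updated_date = "2021/01/26"
+[rule]
+author = ["Elastic"]
+description = """
+A sudoers file specifies the commands users or groups can run and from which terminals. Adversaries can take advantage
+of these configurations to execute commands as other users or spawn processes with higher privileges.
+"""
+from = "now-9m"
+index = ["auditbeat-*", "logs-endpoint.events.*"]
+language = "kuery"
+license = "Elastic License"
+name = "Potential Privilege Escalation via Sudoers File Modification"
+risk_score = 73
+rule_id = "76152ca1-71d0-4003-9e37-0983e12832da"
+severity = "high"
+tags = ["Elastic", "Host", "Linux", "macOS", "Threat Detection", "Privilege Escalation"]
+type = "query"
+query = '''
+event.category:process and event.type:start and process.args:(echo and *NOPASSWD*ALL*)
+'''
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+[[rule.threat.technique]]
+id = "T1548"
+name = "Abuse Elevation Control Mechanism"
+reference = "https://attack.mitre.org/techniques/T1548/"
+[[rule.threat.technique.subtechnique]]
+id = "T1548.003"
+name = "Sudo and Sudo Caching"
+reference = "https://attack.mitre.org/techniques/T1548/003/"
+[rule.threat.tactic]
+id = "TA0004"
+name = "Privilege Escalation"
+reference = "https://attack.mitre.org/tactics/TA0004/"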
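Review bot: The query under `query = '''` keys only on an `echo` argument carrying `*NOPASSWD*ALL*`, so the "sudoers file modification" in the rule name is inferred rather than observed: nothing in the clause references `/etc/sudoers` or `/etc/sudoers.d/`, an interactive `echo ... >> /etc/sudoers` produces no process-start event at all because `echo` is a shell builtin (only `sh -c "echo ..."`-style invocations carry it in `process.args`), and `printf`, `tee`, `sed -i` or `cat <<EOF` writes of the same payload are missed entirely. If both indices emit file events, anchoring on the write target would cover those variants without widening the payload match: or the existing process clause with `(event.category:file and event.type:change and file.path:(/etc/sudoers or /etc/sudoers.d/*))`, after confirming the `auditbeat-*` data has file-integrity monitoring enabled for that path. At minimum, `process.args:((echo or printf or tee) and *NOPASSWD*ALL*)` catches the common one-liners while keeping the rule's shape. The wildcard also requires `ALL` after `NOPASSWD` and is presumably case-sensitive if `process.args` is a keyword field, so a targeted grant such as `NOPASSWD: /usr/bin/vim` is out of scope; the `description` should say the rule targets blanket `ALL` grants written via shell one-liners, and a `false_positives` entry is warranted because configuration-management and cloud-init bootstrapping legitimately write such lines into `/etc/sudoers.d/`.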