diff --git a/rules/linux/privilege_escalation_linux_uid_int_max_bug.toml b/rules/linux/privilege_escalation_linux_uid_int_max_bug.toml new file mode 100644 index 000000000..3bd9d06be --- /dev/null +++ b/rules/linux/privilege_escalation_linux_uid_int_max_bug.toml @@ -0,0 +1,47 @@ +[metadata] +creation_date = "2023/07/27" +integration = ["endpoint"] +maturity = "production" +min_stack_comments = "New fields added: required_fields, related_integrations, setup" +min_stack_version = "8.3.0" +updated_date = "2023/07/27" + +[rule] +author = ["Elastic"] +description = """ +This rule monitors for the execution of the systemd-run command by a user with a UID that is larger than the maximum +allowed UID size (INT_MAX). Some older Linux versions were affected by a bug which allows user accounts with a UID +greater than INT_MAX to escalate privileges by spawning a shell through systemd-run. +""" +from = "now-9m" +index = ["logs-endpoint.events.*"] +language = "eql" +license = "Elastic License v2" +name = "Potential Privilege Escalation via UID INT_MAX Bug Detected" +references = [ + "https://twitter.com/paragonsec/status/1071152249529884674", + "https://github.com/mirchr/security-research/blob/master/vulnerabilities/CVE-2018-19788.sh", + "https://gitlab.freedesktop.org/polkit/polkit/-/issues/74"] +risk_score = 47 +rule_id = "d55436a8-719c-445f-92c4-c113ff2f9ba5" +severity = "medium" +tags = ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Privilege Escalation"] +timestamp_override = "event.ingested" +type = "eql" +query = ''' +process where host.os.type == "linux" and event.action == "exec" and event.type == "start" and +process.name == "systemd-run" and process.args == "-t" and process.args_count >= 3 and user.id >= "1000000000" +''' + +[[rule.threat]] +framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1068" +name = "Exploitation for Privilege Escalation" +reference = "https://attack.mitre.org/techniques/T1068/" + +[rule.threat.tactic] +id = "TA0004" +name = "Privilege Escalation" +reference = "https://attack.mitre.org/tactics/TA0004/"