security-tools/sigma-rules
1
0
Fork 0
Code Issues Pull Requests Actions 3 Packages Projects Releases Wiki Activity

Revert "[Tuning] Namespace Manipulation Using Unshare (#5989)" (#6023)

Browse Source 
This reverts commit 175e043adf.
This commit is contained in:
Mika Ayenson, PhD
2026-05-01 08:23:55 -05:00
committed by GitHub
parent b399d856a1
commit a1458f0fd0
1 changed files with 10 additions and 16 deletions
Download Patch File Download Diff File Expand all files Collapse all files
rules/linux/privilege_escalation_unshare_namespace_manipulation.toml
+10 -16
View File
@@ -1,8 +1,8 @@
[metadata]
creation_date = "2022/08/30"
integration = ["endpoint", "sentinel_one_cloud_funnel", "auditd_manager", "cloud_defend"]
integration = ["endpoint", "sentinel_one_cloud_funnel"]
maturity = "production"
updated_date = "2026/04/27"
updated_date = "2026/03/24"
[rule]
author = ["Elastic"]
@@ -12,7 +12,7 @@ or escape container security boundaries. Threat actors have utilized this binary
host and access other resources or escalate privileges.
"""
from = "now-9m"
index = ["auditbeat-*", "logs-auditd_manager.auditd-*", "logs-cloud_defend.process*", "endgame-*", "logs-endpoint.events.process*", "logs-sentinel_one_cloud_funnel.*"]
index = ["auditbeat-*", "endgame-*", "logs-endpoint.events.process*", "logs-sentinel_one_cloud_funnel.*"]
language = "eql"
license = "Elastic License v2"
name = "Namespace Manipulation Using Unshare"
@@ -95,31 +95,25 @@ Auditbeat is a lightweight shipper that you can install on your servers to audit
severity = "medium"
tags = [
"Domain: Endpoint",
"Domain: Container",
"OS: Linux",
"Use Case: Threat Detection",
"Tactic: Privilege Escalation",
"Data Source: Elastic Endgame",
"Data Source: Elastic Defend",
"Data Source: SentinelOne",
"Data Source: Auditd Manager",
"Data Source: Elastic Defend for Containers",
"Resources: Investigation Guide"
"Resources: Investigation Guide",
]
timestamp_override = "event.ingested"
type = "eql"
query = '''
process where host.os.type == "linux" and event.type == "start" and event.action : ("exec", "exec_event", "start", "executed") and
process.name: "unshare" and not (
?process.parent.executable: ("/usr/bin/udevadm", "*/lib/systemd/systemd-udevd", "/usr/bin/unshare") or
(process.args == "/usr/bin/snap" and not ?process.parent.name in ("zz-proxmox-boot", "java")) or
?process.parent.args like (
process where host.os.type == "linux" and event.type == "start" and event.action : ("exec", "exec_event", "start") and
process.executable: "/usr/bin/unshare" and not (
process.parent.executable: ("/usr/bin/udevadm", "*/lib/systemd/systemd-udevd", "/usr/bin/unshare") or
process.args == "/usr/bin/snap" and not process.parent.name in ("zz-proxmox-boot", "java") or
process.parent.args like (
"/etc/kernel/postinst.d/zz-proxmox-boot", "/opt/openssh/sbin/sshd", "/usr/sbin/sshd",
"/snap/*", "/home/*/.local/share/JetBrains/Toolbox/*"
) or
(process.args == "--propagation" and process.args == "private" and process.args:"/etc/kernel/post*.d/zz-proxmox-boot") or
(process.args == "--fork" and process.args == "--kill-child") or
process.args like ("/usr/bin/os-prober", "/usr/bin/linux-boot-prober", "/opt/SIGOS/sitedata/exec/*")
)
)
'''