security-tools/sigma-rules
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

[Rule Tuning] Potential CVE-2025-32463 Sudo Chroot Execution Attempt (#5227)

Browse Source
This commit is contained in:
Ruben Groenewoud
2025-10-17 09:29:17 +02:00
committed by GitHub
parent 1653183cd4
commit a3cb002ef4
1 changed files with 3 additions and 3 deletions
Download Patch File Download Diff File Expand all files Collapse all files
rules/linux/privilege_escalation_cve_2025_32463_sudo_chroot_execution.toml
+3 -3
View File
@@ -2,7 +2,7 @@
creation_date = "2025/10/01"
integration = ["endpoint", "auditd_manager", "sentinel_one_cloud_funnel", "crowdstrike"]
maturity = "production"
updated_date = "2025/10/01"
updated_date = "2025/10/15"
[rule]
author = ["Elastic"]
@@ -38,7 +38,7 @@ This rule highlights sudo invoked with the chroot (-R/--chroot) option outside n
- Extract the chroot target path from the event and enumerate its etc and lib directories for attacker-seeded NSS artifacts (nsswitch.conf, libnss_*, ld.so.preload) and fake passwd/group files, noting recent mtime, ownership, and world-writable files.
- Pivot to file-creation and modification telemetry to identify processes and users that populated that path shortly before execution (e.g., curl, wget, tar, git, gcc), linking them to the invoking user to establish intent.
- Review session and process details to see if a shell or interpreter was launched inside the chroot and whether an euid transition to 0 occurred, indicating a successful privilege escalation.
- Confirm sudos package version and build options and the users sudoers policy (secure_path/env_* settings and any NOPASSWD allowances) to assess exploitability and whether chroot usage was authorized.
- Confirm sudo's package version and build options and the users sudoers policy (secure_path/env_* settings and any NOPASSWD allowances) to assess exploitability and whether chroot usage was authorized.
- Collect and preserve the chroot directory contents and relevant audit/log artifacts, and scope by searching for similar chroot invocations or NSS file seeds across the host and fleet.
### False positive analysis
@@ -105,7 +105,7 @@ type = "eql"
query = '''
process where host.os.type == "linux" and event.type == "start" and
event.action in ("exec", "exec_event", "start", "executed", "process_started", "ProcessRollup2") and
process.name == "sudo" and process.args in ("-R", "--chroot") and
process.name == "sudo" and process.args like ("-R", "--chroot*") and
// To enforce the -R and --chroot arguments to be for sudo specifically, while wildcarding potential full sudo paths
process.command_line like ("*sudo -R*", "*sudo --chroot*")
'''