security-tools/sigma-rules
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

[New Rule] Potential Privilege Escalation via OverlayFS (#2974)

Browse Source 
* [New Rule] Privilege Escalation via OverlayFS

* Layout change

* Revert "[New Rule] Privilege Escalation via OverlayFS"

This reverts commit f3262d179bc5f54ae5380ffa50d67041fb141c26.

* Made rule broader

* Update privilege_escalation_overlayfs_local_privesc.toml

* Update rules/linux/privilege_escalation_overlayfs_local_privesc.toml

Co-authored-by: Justin Ibarra <16747370+brokensound77@users.noreply.github.com>

* Update rules/linux/privilege_escalation_overlayfs_local_privesc.toml

Co-authored-by: Justin Ibarra <16747370+brokensound77@users.noreply.github.com>

* Update rules/linux/privilege_escalation_overlayfs_local_privesc.toml

Co-authored-by: Justin Ibarra <16747370+brokensound77@users.noreply.github.com>

* Update rules/linux/privilege_escalation_overlayfs_local_privesc.toml

Co-authored-by: Justin Ibarra <16747370+brokensound77@users.noreply.github.com>

* Update rules/linux/privilege_escalation_overlayfs_local_privesc.toml

* Update user.id to strings

---------

Co-authored-by: Justin Ibarra <16747370+brokensound77@users.noreply.github.com>
This commit is contained in:
Ruben Groenewoud
2023-07-31 19:15:11 +02:00
committed by GitHub
parent d1db3a0048
commit b8bb2da932
1 changed files with 48 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files
rules/linux/privilege_escalation_overlayfs_local_privesc.toml
+48
View File
@@ -0,0 +1,48 @@
[metadata]
creation_date = "2023/07/28"
integration = ["endpoint"]
maturity = "production"
min_stack_comments = "New fields added: required_fields, related_integrations, setup"
min_stack_version = "8.3.0"
updated_date = "2023/07/28"
[rule]
author = ["Elastic"]
description = """
Identifies an attempt to exploit a local privilege escalation (CVE-2023-2640 and CVE-2023-32629) via a flaw in Ubuntu's
modifications to OverlayFS. These flaws allow the creation of specialized executables, which, upon execution, grant the
ability to escalate privileges to root on the affected machine.
"""
from = "now-9m"
index = ["logs-endpoint.events.*"]
language = "eql"
license = "Elastic License v2"
name = "Potential Privilege Escalation via OverlayFS"
references = [
"https://www.wiz.io/blog/ubuntu-overlayfs-vulnerability",
"https://twitter.com/liadeliyahu/status/1684841527959273472"]
risk_score = 73
rule_id = "b51dbc92-84e2-4af1-ba47-65183fcd0c57"
severity = "high"
tags = ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Privilege Escalation", "Use Case: Vulnerability"]
type = "eql"
query = '''
sequence by process.parent.entity_id, host.id with maxspan=5s
[process where host.os.type == "linux" and event.action == "exec" and event.type == "start" and
process.name == "unshare" and process.args : ("-r", "-rm", "m") and process.args : "*cap_setuid*" and user.id != "0"]
[process where host.os.type == "linux" and event.action == "uid_change" and event.type == "change" and
user.id == "0"]
'''
[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1068"
name = "Exploitation for Privilege Escalation"
reference = "https://attack.mitre.org/techniques/T1068/"
[rule.threat.tactic]
id = "TA0004"
name = "Privilege Escalation"
reference = "https://attack.mitre.org/tactics/TA0004/"