From b8bb2da93269e48fb6c8ead5fc5e20b6d1202226 Mon Sep 17 00:00:00 2001 From: Ruben Groenewoud <78494512+Aegrah@users.noreply.github.com> Date: Mon, 31 Jul 2023 19:15:11 +0200 Subject: [PATCH] [New Rule] Potential Privilege Escalation via OverlayFS (#2974) * [New Rule] Privilege Escalation via OverlayFS * Layout change * Revert "[New Rule] Privilege Escalation via OverlayFS" This reverts commit f3262d179bc5f54ae5380ffa50d67041fb141c26. * Made rule broader * Update privilege_escalation_overlayfs_local_privesc.toml * Update rules/linux/privilege_escalation_overlayfs_local_privesc.toml Co-authored-by: Justin Ibarra <16747370+brokensound77@users.noreply.github.com> * Update rules/linux/privilege_escalation_overlayfs_local_privesc.toml Co-authored-by: Justin Ibarra <16747370+brokensound77@users.noreply.github.com> * Update rules/linux/privilege_escalation_overlayfs_local_privesc.toml Co-authored-by: Justin Ibarra <16747370+brokensound77@users.noreply.github.com> * Update rules/linux/privilege_escalation_overlayfs_local_privesc.toml Co-authored-by: Justin Ibarra <16747370+brokensound77@users.noreply.github.com> * Update rules/linux/privilege_escalation_overlayfs_local_privesc.toml * Update user.id to strings --------- Co-authored-by: Justin Ibarra <16747370+brokensound77@users.noreply.github.com> --- ...ge_escalation_overlayfs_local_privesc.toml | 48 +++++++++++++++++++ 1 file changed, 48 insertions(+) create mode 100644 rules/linux/privilege_escalation_overlayfs_local_privesc.toml diff --git a/rules/linux/privilege_escalation_overlayfs_local_privesc.toml b/rules/linux/privilege_escalation_overlayfs_local_privesc.toml new file mode 100644 index 000000000..aee04b9c9 --- /dev/null +++ b/rules/linux/privilege_escalation_overlayfs_local_privesc.toml @@ -0,0 +1,48 @@ +[metadata] +creation_date = "2023/07/28" +integration = ["endpoint"] +maturity = "production" +min_stack_comments = "New fields added: required_fields, related_integrations, setup" +min_stack_version = "8.3.0" +updated_date = "2023/07/28" + +[rule] +author = ["Elastic"] +description = """ +Identifies an attempt to exploit a local privilege escalation (CVE-2023-2640 and CVE-2023-32629) via a flaw in Ubuntu's +modifications to OverlayFS. These flaws allow the creation of specialized executables, which, upon execution, grant the +ability to escalate privileges to root on the affected machine. +""" +from = "now-9m" +index = ["logs-endpoint.events.*"] +language = "eql" +license = "Elastic License v2" +name = "Potential Privilege Escalation via OverlayFS" +references = [ + "https://www.wiz.io/blog/ubuntu-overlayfs-vulnerability", + "https://twitter.com/liadeliyahu/status/1684841527959273472"] +risk_score = 73 +rule_id = "b51dbc92-84e2-4af1-ba47-65183fcd0c57" +severity = "high" +tags = ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Privilege Escalation", "Use Case: Vulnerability"] +type = "eql" +query = ''' +sequence by process.parent.entity_id, host.id with maxspan=5s + [process where host.os.type == "linux" and event.action == "exec" and event.type == "start" and + process.name == "unshare" and process.args : ("-r", "-rm", "m") and process.args : "*cap_setuid*" and user.id != "0"] + [process where host.os.type == "linux" and event.action == "uid_change" and event.type == "change" and + user.id == "0"] +''' + +[[rule.threat]] +framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1068" +name = "Exploitation for Privilege Escalation" +reference = "https://attack.mitre.org/techniques/T1068/" + +[rule.threat.tactic] +id = "TA0004" +name = "Privilege Escalation" +reference = "https://attack.mitre.org/tactics/TA0004/"