sigma-rules/rules/linux/privilege_escalation_setuid_bit_set_via_chmod.toml
Justin Ibarra 065bcd8018 Refresh ATT&CK data to v7.2 and expand threat validation (#330)
* refresh to latest ATT&CK 7.2
* add new unit test to further validate threat mappings
* updated threat mappings in rules to reflect changes
* new func to download and refresh mitre data based on version
2020-09-23 22:03:29 -08:00

[metadata]
# Dates are written as "YYYY/MM/DD" strings rather than native TOML dates.
creation_date = "2020/04/23"
ecs_version = ["1.6.0"]
maturity = "production"
# NOTE(review): the latest commit shown for this file is dated 2020-09-23 but
# updated_date was not bumped — confirm whether mapping-only edits are meant to
# leave it unchanged.
updated_date = "2020/08/03"
[rule]
author = ["Elastic"]
description = """
An adversary may add the setuid bit to a file or directory in order to run a file with the privileges of the owning
user. An adversary can take advantage of this to either do a shell escape or exploit a vulnerability in an application
with the setuid bit to get code running in a different users context. Additionally, adversaries can use this mechanism
on their own malware to make sure they're able to execute in elevated contexts in the future.
"""
# Lookback window per execution. The schedule (interval) is not set in this
# file, so whether the window fully overlaps consecutive runs cannot be judged here.
from = "now-9m"
# Both Auditbeat and Elastic Endpoint process events are searched.
index = ["auditbeat-*", "logs-endpoint.events.*"]
language = "lucene"
license = "Elastic License"
# Upper bound on alerts produced by a single rule execution.
max_signals = 33
name = "Setuid Bit Set via chmod"
risk_score = 21
rule_id = "8a1b0278-0f9a-487d-96bd-d4833298e87a"
severity = "low"
tags = ["Elastic", "Linux"]
type = "query"
# Coverage notes (Lucene syntax):
# - process.args matches only the literal symbolic form `u+s` or a four-digit
#   numeric mode beginning with 4. Lucene regexes match the whole term, so
#   `04755`, combined setuid+setgid modes such as `6755`, and symbolic variants
#   such as `+s`, `a+s` or `ug+s` are not matched; widen deliberately if that
#   gap matters for the environment.
# - `NOT user.name:root` suppresses chmod runs by root (presumably to cut noise
#   from package management), at the cost of not alerting when the setuid bit
#   is set from an already-root session.
query = '''
event.category:process AND event.type:(start or process_started) AND process.name:chmod AND
process.args:(u+s OR /4[0-9]{3}/) AND
NOT user.name:root
'''
[[rule.threat]]
framework = "MITRE ATT&CK"
# NOTE(review): T1166 is the pre-v7 technique id; ATT&CK v7 deprecated it in
# favour of sub-technique T1548.001 (Setuid and Setgid). Confirm this mapping
# against the ATT&CK version the repository's threat validation targets.
[[rule.threat.technique]]
id = "T1166"
name = "Setuid and Setgid"
reference = "https://attack.mitre.org/techniques/T1166/"
# Tactic for this mapping; the same technique is mapped again under Persistence
# in a separate [[rule.threat]] entry of this file.
[rule.threat.tactic]
id = "TA0004"
name = "Privilege Escalation"
reference = "https://attack.mitre.org/tactics/TA0004/"
[[rule.threat]]
framework = "MITRE ATT&CK"
# Same technique as the Privilege Escalation entry above, mapped here under
# Persistence — a second [[rule.threat]] element is how one technique is
# attached to two tactics in this schema.
# NOTE(review): T1166 was deprecated in ATT&CK v7 in favour of T1548.001
# (Setuid and Setgid); confirm against the framework version being validated.
[[rule.threat.technique]]
id = "T1166"
name = "Setuid and Setgid"
reference = "https://attack.mitre.org/techniques/T1166/"
[rule.threat.tactic]
id = "TA0003"
name = "Persistence"
reference = "https://attack.mitre.org/tactics/TA0003/"