security-tools/sigma-rules
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
06d352d59ee7522f4607ac2fc66703bf2c8ccdd3
sigma-rules/rules/linux/privilege_escalation_setuid_bit_set_via_chmod.toml
T
Justin Ibarra c1a0438f45 [Rule Tuning] Update ATT&CK threat mappings to reflect changes (#706) 
* replaced/removed all revoked/deprecated techniques
* tests will fail on revoked (changed) techniques
* tests will fail on deprecated techniques
* tests will fail when techniques are mapped to an invalid tactic
2020-12-18 12:46:16 -09:00

58 lines
1.7 KiB
TOML
Raw Blame History

This file contains ambiguous Unicode characters
This file contains Unicode characters that might be confused with other characters. If you think that this is intentional, you can safely ignore this warning. Use the Escape button to reveal them.
[metadata]
creation_date = "2020/04/23"
maturity = "production"
updated_date = "2020/12/17"
[rule]
author = ["Elastic"]
description = """
An adversary may add the setuid bit to a file or directory in order to run a file with the privileges of the owning
user. An adversary can take advantage of this to either do a shell escape or exploit a vulnerability in an application
with the setuid bit to get code running in a different users context. Additionally, adversaries can use this mechanism
on their own malware to make sure they're able to execute in elevated contexts in the future.
"""
from = "now-9m"
index = ["auditbeat-*", "logs-endpoint.events.*"]
language = "lucene"
license = "Elastic License"
max_signals = 33
name = "Setuid Bit Set via chmod"
risk_score = 21
rule_id = "8a1b0278-0f9a-487d-96bd-d4833298e87a"
severity = "low"
tags = ["Elastic", "Host", "Linux", "Threat Detection", "Privilege Escalation"]
type = "query"
query = '''
event.category:process AND event.type:(start or process_started) AND process.name:chmod AND
process.args:(u+s OR /4[0-9]{3}/) AND
NOT user.name:root
'''
[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1548"
name = "Abuse Elevation Control Mechanism"
reference = "https://attack.mitre.org/techniques/T1548/"
[[rule.threat.technique.subtechnique]]
id = "T1548.001"
name = "Setuid and Setgid"
reference = "https://attack.mitre.org/techniques/T1548/001/"
[rule.threat.tactic]
id = "TA0004"
name = "Privilege Escalation"
reference = "https://attack.mitre.org/tactics/TA0004/"
[[rule.threat]]
framework = "MITRE ATT&CK"
[rule.threat.tactic]
id = "TA0003"
name = "Persistence"
reference = "https://attack.mitre.org/tactics/TA0003/"
Reference in New Issue View Git Blame Copy Permalink