sigma-rules/hunting/linux/docs/privilege_escalation_via_existing_sudoers.md
Terrance DeJesus 70411664cf [Bug] Normalize Hunting Index Link Generation (#3872)
* normalizing hunting link generation

* replacing header

* adjusting quotes in f-strings

* added source file to metadata

* removed os dependency

* address bug in source file links

* reverting TOML loading

* change all List type hinting to list

* change all List type hinting to list

* fixed accented characters in queries

* reverted accent character removal; moved macos query and MD to macos folder
2024-07-10 11:01:59 -04:00


Privilege Escalation Identification via Existing Sudoers File


Metadata

  • Author: Elastic

  • Description: This hunt identifies entries in the sudoers file on Linux systems using OSQuery. The sudoers file controls which users have administrative privileges and can be a target for attackers seeking to escalate their privileges. This hunt lists all sudoers rules for further analysis.

  • UUID: 6e57e6a6-f150-405d-b8be-e4e666a3a86d

  • Integration: endpoint

  • Language: [SQL]

  • Source File: Privilege Escalation Identification via Existing Sudoers File

Query

SELECT * FROM sudoers

Notes

  • Lists all entries in the sudoers file using OSQuery to detect potentially unauthorized or suspicious rules.
  • Requires additional data analysis and investigation into results to identify malicious or misconfigured sudoers entries.
  • Focuses on monitoring and analyzing administrative privileges granted through the sudoers file.
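The notes say the raw `SELECT * FROM sudoers` output still needs analysis before a rule can be called suspicious. The script below is an added example of that triage step; it is not Elastic's hunt code. It assumes the osquery `sudoers` table schema (`source`, `header`, `rule_details`), works on a constructed sample rather than live osquery output, and uses an assumed baseline of principals expected to hold full sudo (`root`, `%sudo`, `%wheel`) that you would replace with your own fleet's policy.

```python
"""Triage osquery `sudoers` rows for entries worth a second look.

Added example, not Elastic's hunt code. Assumes the osquery `sudoers`
table schema (`source`, `header`, `rule_details`) and uses a constructed
sample instead of live `SELECT * FROM sudoers` output.
"""
import json
import re

# Constructed sample of osquery JSON output for `SELECT * FROM sudoers` (not from a real host).
SAMPLE_ROWS = json.loads("""[
  {"source": "/etc/sudoers", "header": "Defaults", "rule_details": "env_reset"},
  {"source": "/etc/sudoers", "header": "root", "rule_details": "ALL=(ALL:ALL) ALL"},
  {"source": "/etc/sudoers", "header": "%sudo", "rule_details": "ALL=(ALL:ALL) ALL"},
  {"source": "/etc/sudoers.d/backup", "header": "backup", "rule_details": "ALL=(root) NOPASSWD: /usr/bin/rsync"},
  {"source": "/etc/sudoers.d/90-cloud-init-users", "header": "ubuntu", "rule_details": "ALL=(ALL) NOPASSWD:ALL"},
  {"source": "/etc/sudoers.d/deploy", "header": "www-data", "rule_details": "ALL=(ALL) NOPASSWD: /bin/bash"},
  {"source": "/etc/sudoers.d/ops", "header": "ops", "rule_details": "ALL=(root) /usr/bin/vim /etc/hosts"},
  {"source": "/etc/sudoers.d/ops", "header": "Defaults:ops", "rule_details": "!authenticate"}
]""")

# Assumed baseline: principals expected to hold unrestricted sudo on this fleet.
BASELINE_FULL_SUDO = {"root", "%sudo", "%wheel"}
# Binaries that hand the invoking user a shell or arbitrary execution when run via sudo.
SHELL_ESCAPE_BINARIES = {"bash", "sh", "dash", "zsh", "vi", "vim", "nano", "less",
                         "more", "python", "python3", "perl", "awk", "find"}

# Shape of a user specification body: host=(runas) [TAG:]... command[, command...]
RULE_RE = re.compile(
    r"^(?P<hosts>\S+)=\((?P<runas>[^)]*)\)\s*"
    r"(?P<tags>(?:(?:NOPASSWD|PASSWD|NOEXEC|EXEC|SETENV|NOSETENV|LOG_INPUT|LOG_OUTPUT):\s*)*)"
    r"(?P<cmds>.+)$"
)


def parse_rule(details: str):
    """Split a user-spec rule body into hosts, run-as, tags and command list (None if unparsable)."""
    m = RULE_RE.match(details.strip())
    if not m:
        return None
    tags = {t.strip() for t in m.group("tags").split(":") if t.strip()}
    cmds = [c.strip() for c in m.group("cmds").split(",") if c.strip()]
    return {"hosts": m.group("hosts"), "runas": m.group("runas"), "tags": tags, "cmds": cmds}


def assess(row: dict) -> list:
    """Return the review flags for one sudoers row; an empty list means nothing notable."""
    header, details, source = row["header"], row["rule_details"], row["source"]
    findings = []
    if header.startswith("Defaults"):
        # Defaults lines grant no commands, but `!authenticate` removes the password check.
        if "!authenticate" in details:
            findings.append("defaults_no_authentication")
    else:
        rule = parse_rule(details)
        if rule is None:
            findings.append("unparsed_rule")
        else:
            if "NOPASSWD" in rule["tags"]:
                findings.append("nopasswd")
            if "ALL" in rule["cmds"] and header not in BASELINE_FULL_SUDO:
                findings.append("full_sudo_outside_baseline")
            for cmd in rule["cmds"]:
                if cmd == "ALL":
                    continue
                binary = cmd.split()[0].rsplit("/", 1)[-1]
                if binary in SHELL_ESCAPE_BINARIES:
                    findings.append(f"shell_escape:{binary}")
    # Drop-in files are where unreviewed entries tend to accumulate; surface them for context.
    if source.startswith("/etc/sudoers.d/"):
        findings.append("drop_in_file")
    return findings


def triage(rows: list) -> list:
    """Keep only rows with at least one flag, ordered with the most flags first."""
    flagged = []
    for row in rows:
        findings = assess(row)
        if findings:
            flagged.append({"source": row["source"], "header": row["header"],
                            "rule_details": row["rule_details"], "findings": findings})
    flagged.sort(key=lambda r: len(r["findings"]), reverse=True)
    return flagged


if __name__ == "__main__":
    for entry in triage(SAMPLE_ROWS):
        print(f'{entry["source"]}: {entry["header"]} {entry["rule_details"]}')
        print("    " + ", ".join(entry["findings"]))
```

To run it against a real host, replace `SAMPLE_ROWS` with the parsed output of `osqueryi --json "SELECT * FROM sudoers"`. Rows for `root` and `%sudo` with full sudo produce no flags because they are in the assumed baseline; the same rule on any other principal is flagged, as are `NOPASSWD` tags, shell-capable binaries, and `Defaults` lines that disable authentication.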

MITRE ATT&CK Techniques

License

  • Elastic License v2