f0b2cb7c87
* added 'Uncommon Process Execution from Suspicious Directory' hunt * adds all linux hunting files * moves linux hunting files to queries folder * adds generated docs * fixing windows hunts * fixing windows hunts * updated README * Removed 2, updated a few, changed some names/descriptions and added list of str * updated windows for language schema changes, regenerated docs; updated README and index * changed UUIDs to hex only with standard hyphen format * removing unecessary docs * Fixed queries based on Samir feedback * ++ * regenerating linux docs * Update hunting/linux/queries/command_and_control_via_network_connections_with_low_occurrence_frequency_for_unique_agents.toml Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com> * Update hunting/linux/queries/defense_evasion_via_hidden_process_execution.toml Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com> * Update hunting/linux/queries/command_and_control_via_unusual_file_downloads_from_source_addresses.toml Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com> * Update hunting/linux/queries/defense_evasion_via_capitalized_process_execution.toml Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com> * Update hunting/linux/queries/defense_evasion_via_hidden_process_execution.toml Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com> * Updates * Update * Update hunting/linux/queries/command_and_control_via_network_connections_with_low_occurrence_frequency_for_unique_agents.toml Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com> * Updates * regenerating linux docs --------- Co-authored-by: Ruben Groenewoud <78494512+Aegrah@users.noreply.github.com> Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com>
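[hunt]
author = "Elastic"
description = """
This hunt identifies entries in the sudoers policy on Linux systems using OSQuery. The sudoers policy controls which users may run commands as root (or as another user) and is a common target for attackers seeking to escalate or persist privileges: a single NOPASSWD rule, a wildcard in a command spec, or a permissive Defaults line can turn a low-privileged account into root. This hunt lists all sudoers rules for further analysis and additionally surfaces the rules that bypass password authentication.
"""
integration = ["endpoint"]
uuid = "6e57e6a6-f150-405d-b8be-e4e666a3a86d"
name = "Privilege Escalation Identification via Existing Sudoers File"
language = ["SQL"]
license = "Elastic License v2"
notes = [
    "The first query lists every sudoers entry via the OSQuery sudoers table (columns: source, header, rule_details) so the full policy can be reviewed; the second narrows to entries that skip password authentication (NOPASSWD or !authenticate) or weaken Defaults, which are the highest-value findings for T1548.003.",
    "When triaging the full listing look for: rules granting ALL=(ALL) to non-administrative users or groups; command specs containing wildcards, shells, interpreters, editors or pagers (sh, python, perl, vim, less, find, ...) that allow a breakout to a root shell; Defaults lines that disable requiretty, use_pty or logging, or that extend env_keep with LD_PRELOAD, PYTHONPATH or PATH; and entries whose source path is outside /etc/sudoers or /etc/sudoers.d.",
    "Compare the source column against the expected set of drop-in files: an unexpected file under /etc/sudoers.d, or one with a recent mtime (join the file table on path = source), is a common persistence artefact.",
    "Whether the sudoers table follows #include/#includedir directives into /etc/sudoers.d depends on the OSQuery version deployed; confirm on a known host and otherwise enumerate /etc/sudoers.d via the file table separately.",
    "Requires additional data analysis and investigation into results to identify malicious or misconfigured sudoers entries; baseline against golden images or configuration management to separate intended rules from unauthorized ones.",
    "Focuses on monitoring and analyzing administrative privileges granted through the sudoers file.",
]
mitre = ["T1548.003"]
references = ["https://attack.mitre.org/techniques/T1548/003/"]
# Query 1: every parsed sudoers rule, ordered so rules from the same file sit together.
# Query 2: rules that bypass the password prompt or weaken global Defaults. SQLite LIKE is
# ASCII case-insensitive, which is acceptable here since the keywords are fixed tokens.
query = [
'''
SELECT source, header, rule_details FROM sudoers ORDER BY source, header
''',
'''
SELECT source, header, rule_details FROM sudoers
WHERE rule_details LIKE '%NOPASSWD%'
   OR rule_details LIKE '%!authenticate%'
   OR (header LIKE 'Defaults%' AND (
        rule_details LIKE '%!requiretty%'
     OR rule_details LIKE '%!use_pty%'
     OR rule_details LIKE '%env_keep%'
     OR rule_details LIKE '%!syslog%'
     OR rule_details LIKE '%!logfile%'
   ))
''',
]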