security-tools/sigma-rules
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
207d94e51cdffd3cb36dd4174322d2247cc1aa9d
sigma-rules/rules/linux/privilege_escalation_sudo_token_via_process_injection.toml
T
Ruben Groenewoud 207d94e51c [New Rule] Potential Sudo Token Manipulation via Process Injection (#2984) 
* [New Rule] Sudo Token Access via Process Injection

* [New Rule] Sudo Token Manipulation via Proc Inject

* Update rules/linux/privilege_escalation_sudo_token_via_process_injection.toml

* Update privilege_escalation_sudo_token_via_process_injection.toml

---------

Co-authored-by: Colson Wilhoit <48036388+DefSecSentinel@users.noreply.github.com>
2023-08-03 15:58:25 +02:00

64 lines
2.4 KiB
TOML
Raw Blame History

[metadata]
creation_date = "2023/07/31"
integration = ["endpoint"]
maturity = "production"
min_stack_comments = "New fields added: required_fields, related_integrations, setup"
min_stack_version = "8.3.0"
updated_date = "2023/07/31"
[rule]
author = ["Elastic"]
description = """
This rule detects potential sudo token manipulation attacks through process injection by monitoring the use of a
debugger (gdb) process followed by a successful uid change event during the execution of the sudo process. A sudo token
manipulation attack is performed by injecting into a process that has a valid sudo token, which can then be used by
attackers to activate their own sudo token. This attack requires ptrace to be enabled in conjunction with the existence
of a living process that has a valid sudo token with the same uid as the current user.
"""
from = "now-9m"
index = ["logs-endpoint.events.*"]
language = "eql"
license = "Elastic License v2"
name = "Potential Sudo Token Manipulation via Process Injection"
references = ["https://github.com/nongiach/sudo_inject"]
risk_score = 47
rule_id = "ff9bc8b9-f03b-4283-be58-ee0a16f5a11b"
severity = "medium"
tags = ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Privilege Escalation"]
type = "eql"
query = '''
sequence by host.id, process.session_leader.entity_id with maxspan=15s
[ process where host.os.type == "linux" and event.action == "exec" and event.type == "start" and
process.name == "gdb" and process.user.id != "0" and process.group.id != "0" ]
[ process where host.os.type == "linux" and event.action == "uid_change" and event.type == "change" and
process.name == "sudo" and process.user.id == "0" and process.group.id == "0" ]
'''
[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1055"
name = "Process Injection"
reference = "https://attack.mitre.org/techniques/T1055/"
[[rule.threat.technique.subtechnique]]
id = "T1055.008"
name = "Ptrace System Calls"
reference = "https://attack.mitre.org/techniques/T1055/008/"
[[rule.threat.technique]]
id = "T1548"
name = "Abuse Elevation Control Mechanism"
reference = "https://attack.mitre.org/techniques/T1548/"
[[rule.threat.technique.subtechnique]]
id = "T1548.003"
name = "Sudo and Sudo Caching"
reference = "https://attack.mitre.org/techniques/T1548/003/"
[rule.threat.tactic]
id = "TA0004"
name = "Privilege Escalation"
reference = "https://attack.mitre.org/tactics/TA0004/"
Reference in New Issue View Git Blame Copy Permalink