security-tools/sigma-rules
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
4f55e9b05f044131f6c19f553f2e06fcc7486bf5
sigma-rules/rules/cross-platform/privilege_escalation_sudo_buffer_overflow.toml
T
Justin Ibarra 0e0b2ea1a4 Update schema for threshold rule type for 7.12 (#976) 
* Update schema for threshold rule type for 7.12
* add downgrade function to drop new fields
* update existing threshold rules
2021-03-05 14:35:50 -09:00

60 lines
1.9 KiB
TOML
Raw Blame History

[metadata]
creation_date = "2021/02/03"
maturity = "production"
updated_date = "2021/03/03"
[rule]
author = ["Elastic"]
description = """
Identifies the attempted use of a heap-based buffer overflow vulnerability for the Sudo binary in Unix-like systems
(CVE-2021-3156). Successful exploitation allows an unprivileged user to escalate to the root user.
"""
false_positives = [
"""
This rule could generate false positives if the process arguments leveraged by the exploit are shared by custom
scripts using the Sudo or Sudoedit binaries. Only Sudo versions 1.8.2 through 1.8.31p2 and 1.9.0 through 1.9.5p1 are
affected; if those versions are not present on the endpoint, this could be a false positive.
""",
]
from = "now-9m"
index = ["auditbeat-*", "logs-endpoint.events.*"]
language = "kuery"
license = "Elastic License v2"
name = "Sudo Heap-Based Buffer Overflow Attempt"
references = [
"https://cve.mitre.org/cgi-bin/cvename.cgi?name=2021-3156",
"https://blog.qualys.com/vulnerabilities-research/2021/01/26/cve-2021-3156-heap-based-buffer-overflow-in-sudo-baron-samedit",
"https://www.bleepingcomputer.com/news/security/latest-macos-big-sur-also-has-sudo-root-privilege-escalation-flaw",
"https://www.sudo.ws/alerts/unescape_overflow.html",
]
risk_score = 73
rule_id = "f37f3054-d40b-49ac-aa9b-a786c74c58b8"
severity = "high"
tags = ["Elastic", "Host", "Linux", "macOS", "Threat Detection", "Privilege Escalation"]
type = "threshold"
query = '''
event.category:process and event.type:start and
process.name:(sudo or sudoedit) and
process.args:(*\\ and ("-i" or "-s"))
'''
[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1068"
name = "Exploitation for Privilege Escalation"
reference = "https://attack.mitre.org/techniques/T1068/"
[rule.threat.tactic]
id = "TA0004"
name = "Privilege Escalation"
reference = "https://attack.mitre.org/tactics/TA0004/"
[rule.threshold]
field = ["host.hostname"]
value = 100
Reference in New Issue View Git Blame Copy Permalink