security-tools/sigma-rules
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
8ca32f14237da3aef0f2fae5437c5b4e8335c977
sigma-rules/rules/linux/privilege_escalation_setuid_bit_set_via_chmod.toml
T
Derek Ditch 580db2c13e Add timeline_id to detection rules (#95) 
* Adds timeline_id to all network rules
- Uses the ID for the 'Generic Network Timeline' from Elastic
* Adds timeline_id to all endpoint rules
- Uses the ID for the 'Generic Endpoint Timeline' from Elastic
* Adds timeline_id to all process-oriented rules
    - Uses the ID for the 'Generic Process Timeline' from Elastic
* Ran tests and toml-lint
* Bumped 'updated_date'
2020-10-27 13:34:16 -05:00

60 lines
1.7 KiB
TOML
Raw Blame History

This file contains ambiguous Unicode characters
This file contains Unicode characters that might be confused with other characters. If you think that this is intentional, you can safely ignore this warning. Use the Escape button to reveal them.
[metadata]
creation_date = "2020/04/23"
ecs_version = ["1.6.0"]
maturity = "production"
updated_date = "2020/10/27"
[rule]
author = ["Elastic"]
description = """
An adversary may add the setuid bit to a file or directory in order to run a file with the privileges of the owning
user. An adversary can take advantage of this to either do a shell escape or exploit a vulnerability in an application
with the setuid bit to get code running in a different users context. Additionally, adversaries can use this mechanism
on their own malware to make sure they're able to execute in elevated contexts in the future.
"""
from = "now-9m"
index = ["auditbeat-*", "logs-endpoint.events.*"]
language = "lucene"
license = "Elastic License"
max_signals = 33
name = "Setuid Bit Set via chmod"
risk_score = 21
rule_id = "8a1b0278-0f9a-487d-96bd-d4833298e87a"
severity = "low"
tags = ["Elastic", "Host", "Linux", "Threat Detection", "Privilege Escalation"]
timeline_id = "76e52245-7519-4251-91ab-262fb1a1728c"
type = "query"
query = '''
event.category:process AND event.type:(start or process_started) AND process.name:chmod AND
process.args:(u+s OR /4[0-9]{3}/) AND
NOT user.name:root
'''
[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1166"
name = "Setuid and Setgid"
reference = "https://attack.mitre.org/techniques/T1166/"
[rule.threat.tactic]
id = "TA0004"
name = "Privilege Escalation"
reference = "https://attack.mitre.org/tactics/TA0004/"
[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1166"
name = "Setuid and Setgid"
reference = "https://attack.mitre.org/techniques/T1166/"
[rule.threat.tactic]
id = "TA0003"
name = "Persistence"
reference = "https://attack.mitre.org/tactics/TA0003/"
Reference in New Issue View Git Blame Copy Permalink