security-tools/sigma-rules
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
98758bf57ec4f1ae68875775cda07408b71ee514
sigma-rules/rules/linux
T
History
Samirbous b8c3ddc305 [New Rule] Potential Privilege Escalation via PKEXEC (#1727) 
* [New Rule] Potential Privilege Escalation via PKEXEC

Identifies attempt to exploit a local privilege escalation in polkit pkexec (CVE-2021-4034) via unsecure environment variable injection. Successful exploitation allows an unprivileged user to escalate to the root user :

* Update privilege_escalation_pkexec_envar_hijack.toml

* removed = sign

(cherry picked from commit b9edc5464e)
2022-01-27 09:43:35 +00:00
..
command_and_control_tunneling_via_earthworm.toml
[New Rule] Potential Protocol Tunneling via EarthWorm (#1094)
2021-04-15 10:17:56 +02:00
credential_access_collection_sensitive_files.toml
Update License to Elastic v2 (#944)
2021-03-03 22:12:11 -09:00
credential_access_ssh_backdoor_log.toml
Update License to Elastic v2 (#944)
2021-03-03 22:12:11 -09:00
defense_evasion_attempt_to_disable_iptables_or_firewall.toml
Update License to Elastic v2 (#944)
2021-03-03 22:12:11 -09:00
defense_evasion_attempt_to_disable_syslog_service.toml
Update License to Elastic v2 (#944)
2021-03-03 22:12:11 -09:00
defense_evasion_base16_or_base32_encoding_or_decoding_activity.toml
Update License to Elastic v2 (#944)
2021-03-03 22:12:11 -09:00
defense_evasion_deletion_of_bash_command_line_history.toml
Update License to Elastic v2 (#944)
2021-03-03 22:12:11 -09:00
defense_evasion_disable_selinux_attempt.toml
Update License to Elastic v2 (#944)
2021-03-03 22:12:11 -09:00
defense_evasion_file_deletion_via_shred.toml
Update License to Elastic v2 (#944)
2021-03-03 22:12:11 -09:00
defense_evasion_file_mod_writable_dir.toml
Update License to Elastic v2 (#944)
2021-03-03 22:12:11 -09:00
defense_evasion_hidden_file_dir_tmp.toml
Add min_stack_comments to metadata schema (#1573)
2021-10-19 20:52:53 -08:00
defense_evasion_kernel_module_removal.toml
Update License to Elastic v2 (#944)
2021-03-03 22:12:11 -09:00
defense_evasion_log_files_deleted.toml
Update License to Elastic v2 (#944)
2021-03-03 22:12:11 -09:00
discovery_kernel_module_enumeration.toml
Update License to Elastic v2 (#944)
2021-03-03 22:12:11 -09:00
discovery_virtual_machine_fingerprinting.toml
Update License to Elastic v2 (#944)
2021-03-03 22:12:11 -09:00
execution_perl_tty_shell.toml
Update License to Elastic v2 (#944)
2021-03-03 22:12:11 -09:00
execution_python_tty_shell.toml
Revert "[Rule Tuning] Interactive Terminal Spawned via Python - Python3 and bypasses fix (#1649)" (#1731)
2022-01-26 20:43:09 +00:00
initial_access_login_failures.toml
Update License to Elastic v2 (#944)
2021-03-03 22:12:11 -09:00
initial_access_login_location.toml
Update License to Elastic v2 (#944)
2021-03-03 22:12:11 -09:00
initial_access_login_sessions.toml
Update License to Elastic v2 (#944)
2021-03-03 22:12:11 -09:00
initial_access_login_time.toml
Update License to Elastic v2 (#944)
2021-03-03 22:12:11 -09:00
lateral_movement_telnet_network_activity_external.toml
[Rule Tuning] Update network rule address blocks (#1227)
2021-06-15 09:22:59 -04:00
lateral_movement_telnet_network_activity_internal.toml
[Rule Tuning] Update network rule address blocks (#1227)
2021-06-15 09:22:59 -04:00
linux_hping_activity.toml
Update License to Elastic v2 (#944)
2021-03-03 22:12:11 -09:00
linux_iodine_activity.toml
Update License to Elastic v2 (#944)
2021-03-03 22:12:11 -09:00
linux_netcat_network_connection.toml
Update License to Elastic v2 (#944)
2021-03-03 22:12:11 -09:00
linux_nping_activity.toml
Update License to Elastic v2 (#944)
2021-03-03 22:12:11 -09:00
linux_process_started_in_temp_directory.toml
Update License to Elastic v2 (#944)
2021-03-03 22:12:11 -09:00
linux_strace_activity.toml
Update License to Elastic v2 (#944)
2021-03-03 22:12:11 -09:00
persistence_credential_access_modify_ssh_binaries.toml
Update License to Elastic v2 (#944)
2021-03-03 22:12:11 -09:00
persistence_kde_autostart_modification.toml
Update License to Elastic v2 (#944)
2021-03-03 22:12:11 -09:00
persistence_shell_activity_by_web_server.toml
Update License to Elastic v2 (#944)
2021-03-03 22:12:11 -09:00
privilege_escalation_ld_preload_shared_object_modif.toml
Refresh ATT&CK mappings to v9.0 (#1401)
2021-08-04 14:16:10 -08:00
privilege_escalation_pkexec_envar_hijack.toml
[New Rule] Potential Privilege Escalation via PKEXEC (#1727)
2022-01-27 09:43:35 +00:00