sigma-rules/rules/linux/discovery_sudo_allowed_command_enumeration.toml

[metadata]
creation_date = "2023/07/20"
integration = ["endpoint"]
maturity = "production"
min_stack_comments = "New fields added: required_fields, related_integrations, setup"
min_stack_version = "8.3.0"
updated_date = "2023/07/24"

[rule]
author = ["Elastic"]
description = """
This rule monitors for the usage of the sudo -l command, which is used to list the allowed and forbidden commands for 
the invoking user. Attackers may execute this command to enumerate commands allowed to be executed with sudo permissions,
potentially allowing to escalate privileges to root. 
"""
from = "now-9m"
index = ["logs-endpoint.events.*"]
language = "eql"
license = "Elastic License v2"
name = "Sudo Command Enumeration Detected"
risk_score = 21
rule_id = "28d39238-0c01-420a-b77a-24e5a7378663"
severity = "low"
tags = ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Discovery"]
timestamp_override = "event.ingested"
type = "eql"
query = '''
process where host.os.type == "linux" and event.type == "start" and event.action == "exec" and 
process.name == "sudo" and process.args == "-l" and 
process.parent.name in ("bash", "dash", "sh", "tcsh", "csh", "zsh", "ksh", "fish") and 
not group.Ext.real.id : "0" and not user.Ext.real.id : "0"
'''

[[rule.threat]]
framework = "MITRE ATT&CK"

[[rule.threat.technique]]
id = "T1033"
name = "System Owner/User Discovery"
reference = "https://attack.mitre.org/techniques/T1033/"

[rule.threat.tactic]
id = "TA0007"
name = "Discovery"
reference = "https://attack.mitre.org/tactics/TA0007/"