security-tools/sigma-rules
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
ae4e59ec7d585445c98fa5945616dd513a68199d
sigma-rules/rules/cross-platform/privilege_escalation_sudo_buffer_overflow.toml
T
Justin Ibarra 46d5e37b76 min_stack all rules to 8.3 (#2259) 
* min_stack all rules to 8.3

* bump date

Co-authored-by: Mika Ayenson <mika.ayenson@elastic.co>
2022-08-24 10:38:49 -06:00

62 lines
2.0 KiB
TOML
Raw Blame History

[metadata]
creation_date = "2021/02/03"
maturity = "production"
min_stack_comments = "New fields added: required_fields, related_integrations, setup"
min_stack_version = "8.3.0"
updated_date = "2022/08/24"
[rule]
author = ["Elastic"]
description = """
Identifies the attempted use of a heap-based buffer overflow vulnerability for the Sudo binary in Unix-like systems
(CVE-2021-3156). Successful exploitation allows an unprivileged user to escalate to the root user.
"""
false_positives = [
"""
This rule could generate false positives if the process arguments leveraged by the exploit are shared by custom
scripts using the Sudo or Sudoedit binaries. Only Sudo versions 1.8.2 through 1.8.31p2 and 1.9.0 through 1.9.5p1 are
affected; if those versions are not present on the endpoint, this could be a false positive.
""",
]
from = "now-9m"
index = ["auditbeat-*", "logs-endpoint.events.*"]
language = "kuery"
license = "Elastic License v2"
name = "Sudo Heap-Based Buffer Overflow Attempt"
references = [
"https://cve.mitre.org/cgi-bin/cvename.cgi?name=2021-3156",
"https://blog.qualys.com/vulnerabilities-research/2021/01/26/cve-2021-3156-heap-based-buffer-overflow-in-sudo-baron-samedit",
"https://www.bleepingcomputer.com/news/security/latest-macos-big-sur-also-has-sudo-root-privilege-escalation-flaw",
"https://www.sudo.ws/alerts/unescape_overflow.html",
]
risk_score = 73
rule_id = "f37f3054-d40b-49ac-aa9b-a786c74c58b8"
severity = "high"
tags = ["Elastic", "Host", "Linux", "macOS", "Threat Detection", "Privilege Escalation"]
type = "threshold"
query = '''
event.category:process and event.type:start and
process.name:(sudo or sudoedit) and
process.args:(*\\ and ("-i" or "-s"))
'''
[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1068"
name = "Exploitation for Privilege Escalation"
reference = "https://attack.mitre.org/techniques/T1068/"
[rule.threat.tactic]
id = "TA0004"
name = "Privilege Escalation"
reference = "https://attack.mitre.org/tactics/TA0004/"
[rule.threshold]
field = ["host.hostname"]
value = 100
Reference in New Issue View Git Blame Copy Permalink