security-tools/sigma-rules
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
db54ea7467a6750fe2b59fc48375cf14ab3ca2cd
sigma-rules/rules/cross-platform/privilege_escalation_sudoers_file_mod.toml
T
Justin Ibarra 3fc34b86f2 Update License to Elastic v2 (#944)
2021-03-03 22:12:11 -09:00

47 lines
1.3 KiB
TOML
Raw Blame History

[metadata]
creation_date = "2020/04/13"
maturity = "production"
updated_date = "2021/03/03"
[rule]
author = ["Elastic"]
description = """
A sudoers file specifies the commands that users or groups can run and from which terminals. Adversaries can take
advantage of these configurations to execute commands as other users or spawn processes with higher privileges.
"""
from = "now-9m"
index = ["auditbeat-*", "logs-endpoint.events.*"]
language = "kuery"
license = "Elastic License v2"
name = "Sudoers File Modification"
risk_score = 47
rule_id = "931e25a5-0f5e-4ae0-ba0d-9e94eff7e3a4"
severity = "medium"
tags = ["Elastic", "Host", "Linux", "macOS", "Threat Detection", "Privilege Escalation"]
timestamp_override = "event.ingested"
type = "query"
query = '''
event.category:file and event.type:change and file.path:(/etc/sudoers* or /private/etc/sudoers*)
'''
[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1548"
name = "Abuse Elevation Control Mechanism"
reference = "https://attack.mitre.org/techniques/T1548/"
[[rule.threat.technique.subtechnique]]
id = "T1548.003"
name = "Sudo and Sudo Caching"
reference = "https://attack.mitre.org/techniques/T1548/003/"
[rule.threat.tactic]
id = "TA0004"
name = "Privilege Escalation"
reference = "https://attack.mitre.org/tactics/TA0004/"
Reference in New Issue View Git Blame Copy Permalink