sigma-rules/rules/linux/privilege_escalation_sudo_hijacking.toml

[metadata]
creation_date = "2023/07/26"
integration = ["endpoint"]
maturity = "production"
min_stack_comments = "New fields added: required_fields, related_integrations, setup"
min_stack_version = "8.3.0"
updated_date = "2023/07/26"

[rule]
author = ["Elastic"]
description = """
Identifies the creation of a sudo binary located at /usr/bin/sudo. Attackers may hijack the default sudo binary and 
replace it with a custom binary or script that can read the user's password in clear text to escalate privileges or 
enable persistence onto the system every time the sudo binary is executed.
"""
from = "now-9m"
index = ["logs-endpoint.events.*", "endgame-*"]
language = "eql"
license = "Elastic License v2"
name = "Potential Sudo Hijacking Detected"
references = ["https://eapolsniper.github.io/2020/08/17/Sudo-Hijacking/"]
risk_score = 47
rule_id = "88fdcb8c-60e5-46ee-9206-2663adf1b1ce"
severity = "medium"
tags = ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Privilege Escalation", "Tactic: Persistence", "Data Source: Elastic Endgame"]
timestamp_override = "event.ingested"
type = "eql"
query = '''
file where event.type in ("creation", "file_create_event") and file.path == "/usr/bin/sudo"
'''

[[rule.threat]]
framework = "MITRE ATT&CK"

[[rule.threat.technique]]
id = "T1548"
name = "Abuse Elevation Control Mechanism"
reference = "https://attack.mitre.org/techniques/T1548/"

[[rule.threat.technique.subtechnique]]
id = "T1548.003"
name = "Sudo and Sudo Caching"
reference = "https://attack.mitre.org/techniques/T1548/003/"

[rule.threat.tactic]
id = "TA0004"
name = "Privilege Escalation"
reference = "https://attack.mitre.org/tactics/TA0004/"

[[rule.threat]]
framework = "MITRE ATT&CK"

[[rule.threat.technique]]
id = "T1574"
name = "Hijack Execution Flow"
reference = "https://attack.mitre.org/techniques/T1574/"

[rule.threat.tactic]
id = "TA0003"
name = "Persistence"
reference = "https://attack.mitre.org/tactics/TA0003/"