/
privilege_escalation_sudo_buffer_overflow.toml
69 lines (61 loc) · 2.12 KB
/
privilege_escalation_sudo_buffer_overflow.toml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
[metadata]
creation_date = "2021/02/03"
integration = ["endpoint"]
maturity = "production"
updated_date = "2024/05/21"
[rule]
author = ["Elastic"]
description = """
Identifies the attempted use of a heap-based buffer overflow vulnerability for the Sudo binary in Unix-like systems
(CVE-2021-3156). Successful exploitation allows an unprivileged user to escalate to the root user.
"""
false_positives = [
"""
This rule could generate false positives if the process arguments leveraged by the exploit are shared by custom
scripts using the Sudo or Sudoedit binaries. Only Sudo versions 1.8.2 through 1.8.31p2 and 1.9.0 through 1.9.5p1 are
affected; if those versions are not present on the endpoint, this could be a false positive.
""",
]
from = "now-9m"
index = ["auditbeat-*", "logs-endpoint.events.*"]
language = "kuery"
license = "Elastic License v2"
name = "Sudo Heap-Based Buffer Overflow Attempt"
references = [
"https://cve.mitre.org/cgi-bin/cvename.cgi?name=2021-3156",
"https://blog.qualys.com/vulnerabilities-research/2021/01/26/cve-2021-3156-heap-based-buffer-overflow-in-sudo-baron-samedit",
"https://www.bleepingcomputer.com/news/security/latest-macos-big-sur-also-has-sudo-root-privilege-escalation-flaw",
"https://www.sudo.ws/alerts/unescape_overflow.html",
]
risk_score = 73
rule_id = "f37f3054-d40b-49ac-aa9b-a786c74c58b8"
severity = "high"
tags = [
"Domain: Endpoint",
"OS: Linux",
"OS: macOS",
"Use Case: Threat Detection",
"Tactic: Privilege Escalation",
"Use Case: Vulnerability",
"Data Source: Elastic Defend",
]
timestamp_override = "event.ingested"
type = "threshold"
query = '''
event.category:process and event.type:start and
process.name:(sudo or sudoedit) and
process.args:(*\\ and ("-i" or "-s"))
'''
[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1068"
name = "Exploitation for Privilege Escalation"
reference = "https://attack.mitre.org/techniques/T1068/"
[rule.threat.tactic]
id = "TA0004"
name = "Privilege Escalation"
reference = "https://attack.mitre.org/tactics/TA0004/"
[rule.threshold]
field = ["host.hostname"]
value = 100