linux_sudoers_tmp_file_creation.yml
name: Linux Sudoers Tmp File Creation
id: be254a5c-63e7-11ec-89da-acde48001122
version: 1
date: '2021-12-23'
author: Teoderick Contreras, Splunk
status: production
type: Anomaly
description: This analytic looks for the creation of a sudoers.tmp file, which happens
  when /etc/sudoers is edited with visudo or a text editor on a Linux host. Adversaries,
  malware authors and red teamers may abuse this technique to gain elevated privileges
  on a targeted or compromised host. The /etc/sudoers file controls who can run what
  commands as what users on what machines, and can also control special things such as
  whether you need a password for particular commands. The file is composed of aliases
  (basically variables) and user specifications (which control who can run what).
data_source:
- Sysmon for Linux EventID 11
search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time)
  as lastTime FROM datamodel=Endpoint.Filesystem where Filesystem.file_path IN ("*sudoers.tmp*")
  by Filesystem.dest Filesystem.file_name Filesystem.process_guid Filesystem.file_path
  | `drop_dm_object_name(Filesystem)` | `security_content_ctime(lastTime)` | `security_content_ctime(firstTime)`
  | `linux_sudoers_tmp_file_creation_filter`'
how_to_implement: To successfully implement this search, you need to be ingesting
  logs with the process name, parent process, and command-line executions from your
  endpoints. If you are using Sysmon, you can use the Add-on for Linux Sysmon from
  Splunkbase.
known_false_positives: Administrators or network operators can legitimately edit /etc/sudoers,
  which creates this file. Please update the filter macro to remove false positives.
references:
- https://forum.ubuntuusers.de/topic/sudo-visudo-gibt-etc-sudoers-tmp/
tags:
  analytic_story:
  - Linux Privilege Escalation
  - Linux Persistence Techniques
  asset_type: Endpoint
  confidence: 90
  impact: 80
  message: A file $file_name$ is created in $file_path$ on $dest$
  mitre_attack_id:
  - T1548.003
  - T1548
  observable:
  - name: dest
    type: Hostname
    role:
    - Victim
  product:
  - Splunk Enterprise
  - Splunk Enterprise Security
  - Splunk Cloud
  required_fields:
  - _time
  - Filesystem.dest
  - Filesystem.file_create_time
  - Filesystem.file_name
  - Filesystem.process_guid
  - Filesystem.file_path
  risk_score: 72
  security_domain: endpoint
tests:
- name: True Positive Test
  attack_data:
  - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1548.003/sudoers_temp/sysmon_linux.log
    source: Syslog:Linux-Sysmon/Operational
    sourcetype: sysmon_linux
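A replay of this detection's logic over constructed Sysmon for Linux FileCreate records, as an added example that is not part of Splunk's security_content. It parses the XML event payload into the Endpoint.Filesystem fields the tstats search reads, applies the `*sudoers.tmp*` path match and the by-clause aggregation, and uses an allowlist callback where the `linux_sudoers_tmp_file_creation_filter` macro would sit. The syslog framing, the Sysmon field names, and every host name, GUID and timestamp are assumptions.

```python
"""Replay of the Linux Sudoers Tmp File Creation logic over constructed Sysmon for
Linux EventID 11 (FileCreate) records. Added example, not Splunk's code: the syslog
wrapper and XML field names are assumptions; every host, GUID and timestamp is invented."""
import os
import re
import xml.etree.ElementTree as ET

# Sysmon for Linux emits one XML <Event> per syslog line; only the payload matters.
EVENT_RE = re.compile(r"sysmon:\s+(<Event.*</Event>)\s*$")


def make_event(host, utc, guid, image, target, event_id=11):
    """Build a constructed syslog line carrying a Sysmon-style FileCreate event."""
    return (
        f"Dec 23 10:00:00 {host} sysmon: "
        '<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">'
        f'<System><Provider Name="Linux-Sysmon"/><EventID>{event_id}</EventID>'
        f"<Computer>{host}</Computer></System><EventData>"
        f'<Data Name="UtcTime">{utc}</Data><Data Name="ProcessGuid">{guid}</Data>'
        f'<Data Name="Image">{image}</Data><Data Name="TargetFilename">{target}</Data>'
        "</EventData></Event>"
    )


def parse_sysmon_line(line):
    """Map one syslog line onto the Endpoint.Filesystem fields the search uses;
    None for anything that is not a well-formed Sysmon FileCreate event."""
    m = EVENT_RE.search(line)
    if not m:
        return None
    try:
        root = ET.fromstring(m.group(1))
    except ET.ParseError:
        return None
    ev = {}
    for el in root.iter():
        name = el.tag.rsplit("}", 1)[-1]  # drop the xmlns prefix ElementTree attaches
        if name == "EventID":
            ev["event_id"] = int(el.text)
        elif name == "Computer":
            ev["dest"] = el.text
        elif name == "Data":
            ev[el.get("Name")] = el.text
    if ev.get("event_id") != 11:
        return None
    path = ev.get("TargetFilename", "")
    return {"_time": ev.get("UtcTime"), "dest": ev.get("dest"),
            "file_name": os.path.basename(path), "file_path": path,
            "process_guid": ev.get("ProcessGuid"),
            "image": ev.get("Image")}  # kept for tuning; not in the search's by-clause


def detect_sudoers_tmp(lines, filter_fn=None):
    """Equivalent of the tstats search: keep rows whose file_path matches
    *sudoers.tmp*, then count with first/last time by dest, file_name, process_guid
    and file_path. filter_fn plays the linux_sudoers_tmp_file_creation_filter macro."""
    groups = {}
    for line in lines:
        row = parse_sysmon_line(line)
        if row is None or "sudoers.tmp" not in row["file_path"]:
            continue
        if filter_fn is not None and filter_fn(row):
            continue  # the macro removes rows the analyst has declared benign
        key = (row["dest"], row["file_name"], row["process_guid"], row["file_path"])
        g = groups.setdefault(key, {"count": 0, "firstTime": row["_time"],
                                    "lastTime": row["_time"]})
        g["count"] += 1
        g["firstTime"] = min(g["firstTime"], row["_time"])
        g["lastTime"] = max(g["lastTime"], row["_time"])
    return [dict(zip(("dest", "file_name", "process_guid", "file_path"), key), **g)
            for key, g in groups.items()]


def risk_message(row):
    """Render the analytic's message field for one result row."""
    return f"A file {row['file_name']} is created in {row['file_path']} on {row['dest']}"


# Hypothetical tuning in the spirit of the filter macro (constructed host -> image):
# sudoers.tmp writes made by a configuration-management interpreter on hosts it manages.
APPROVED_AUTOMATION = {"db02": "/usr/bin/python3"}


def approved_automation_filter(row):
    return APPROVED_AUTOMATION.get(row["dest"]) == row["image"]


# Constructed sample data: two visudo writes on web01, one automation write on db02,
# an unrelated file creation, and a non-Sysmon syslog line.
SAMPLE_LINES = [
    make_event("web01", "2021-12-23 10:00:00.000", "{00000000-0000-0000-0000-00000000a001}",
               "/usr/sbin/visudo", "/etc/sudoers.tmp"),
    make_event("web01", "2021-12-23 10:00:05.000", "{00000000-0000-0000-0000-00000000a001}",
               "/usr/sbin/visudo", "/etc/sudoers.tmp"),
    make_event("db02", "2021-12-23 10:01:00.000", "{00000000-0000-0000-0000-00000000b002}",
               "/usr/bin/python3", "/etc/sudoers.tmp"),
    make_event("web01", "2021-12-23 10:02:00.000", "{00000000-0000-0000-0000-00000000a003}",
               "/usr/bin/bash", "/tmp/build.log"),
    "Dec 23 10:03:00 web01 sshd[1234]: Accepted publickey for deploy from 10.0.0.5",
]

if __name__ == "__main__":
    for hit in detect_sudoers_tmp(SAMPLE_LINES, filter_fn=approved_automation_filter):
        print(hit["count"], hit["firstTime"], hit["lastTime"], risk_message(hit))
```

Run it directly to print the rows that survive the filter, each with the analytic's message rendered. One caveat the example makes visible: the real search's by-clause carries only dest, file_name, process_guid and file_path, so a filter macro that tunes on the creating process would need process_guid joined back to the corresponding process event; the parser here keeps Image only because it has the raw event in hand.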