SigmaHQ/rules/linux/lnx_shell_priv_esc_prep.yml


# Sigma rule header: name, maturity, summary and provenance of the rule.
title: Privilege Escalation Preparation
status: experimental
# The rule looks for the enumeration step, not for an exploit itself.
description: >-
  Detects suspicious shell commands indicating the information gathering
  phase as preparation for the Privilege Escalation.
# Write-ups the keyword list is attributed to.
references:
  - 'https://blog.g0tmi1k.com/2011/08/basic-linux-privilege-escalation/'
  - 'https://patrick-bareiss.com/detect-privilege-escalation-preparation-in-linux-with-sigma/'
author: Patrick Bareiss
# Quoted so the value stays a string for every YAML loader.
date: '2019/04/05'
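# Classification, log source and detection logic of the rule.
# Nesting is restored here: `product` belongs to `logsource`, and `keywords`,
# `timeframe` and `condition` belong to `detection`. With every key at
# column 0 they parse as unrelated top-level keys and the rule has no
# usable detection section.
#
# NOTE(review): the keywords are host-enumeration commands, while T1068 names
# the exploitation step that may follow. Consider adding discovery tags so
# the alert is triaged as reconnaissance.
tags:
  - attack.privilege_escalation
  - attack.t1068
level: medium
logsource:
  # Only the product is pinned, no service or category. The rule can only
  # fire where executed command lines actually reach the log pipeline
  # (presumably process auditing or shell-history forwarding; confirm
  # against the deployment).
  product: linux
detection:
  # Field-less keyword list: each entry is searched in the whole event text,
  # and `*` inside an entry is a wildcard.
  keywords:
    # distribution type and kernel version
    - 'cat /etc/issue'
    - 'cat /etc/*-release'
    - 'cat /proc/version'
    - 'uname -a'
    - 'uname -mrs'
    - 'rpm -q kernel'
    - 'dmesg | grep Linux'
    - 'ls /boot | grep vmlinuz-'
    # environment variables
    - 'cat /etc/profile'
    - 'cat /etc/bashrc'
    - 'cat ~/.bash_profile'
    - 'cat ~/.bashrc'
    - 'cat ~/.bash_logout'
    # applications and services as root
    - 'ps -aux | grep root'
    - 'ps -ef | grep root'
    # scheduled tasks
    - 'crontab -l'
    # NOTE(review): the wildcard entry already covers the three explicit
    # cron paths that follow it; they are kept for readability only.
    - 'cat /etc/cron*'
    - 'cat /etc/cron.allow'
    - 'cat /etc/cron.deny'
    - 'cat /etc/crontab'
    # search for plain text user/passwords
    - 'grep -i user *'
    - 'grep -i pass *'
    # networking
    # NOTE(review): 'ifconfig' and 'route' are single words, so any event
    # containing them matches (service logs, other command names). Expect
    # these two to dominate false positives; tune or anchor them per
    # environment.
    - 'ifconfig'
    - 'cat /etc/network/interfaces'
    - 'cat /etc/sysconfig/network'
    - 'cat /etc/resolv.conf'
    - 'cat /etc/networks'
    - 'iptables -L'
    - 'lsof -i'
    - 'netstat -antup'
    - 'netstat -antpx'
    - 'netstat -tulpn'
    - 'arp -e'
    - 'route'
    # sensitive files
    - 'cat /etc/passwd'
    - 'cat /etc/group'
    - 'cat /etc/shadow'
  # Correlation window for the count below.
  timeframe: 30m
  # Fires when one host produces more than six matching events inside the
  # window. count() counts events, not distinct keywords, so one command
  # repeated seven times is enough. Backends that support it can count
  # distinct commands instead.
  condition: keywords | count() by host > 6
falsepositives:
  - Troubleshooting on Linux Machines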