SigmaHQ/rules/linux/lnx_shell_priv_esc_prep.yml

71 lines
2.1 KiB
YAML
Raw Normal View History

2019-11-12 22:12:27 +00:00
title: Privilege Escalation Preparation
id: 444ade84-c362-4260-b1f3-e45e20e1a905
status: experimental
description: Detects suspicious shell commands indicating the information gathering phase as preparation for the Privilege Escalation.
2020-09-14 04:03:04 +00:00
author: Patrick Bareiss
date: 2019/04/05
references:
- https://blog.g0tmi1k.com/2011/08/basic-linux-privilege-escalation/
- https://patrick-bareiss.com/detect-privilege-escalation-preparation-in-linux-with-sigma/
logsource:
product: linux
detection:
keywords:
# distribution type and kernel version
- 'cat /etc/issue'
- 'cat /etc/*-release'
- 'cat /proc/version'
- 'uname -a'
- 'uname -mrs'
- 'rpm -q kernel'
- 'dmesg | grep Linux'
- 'ls /boot | grep vmlinuz-'
# environment variables
- 'cat /etc/profile'
- 'cat /etc/bashrc'
- 'cat ~/.bash_profile'
- 'cat ~/.bashrc'
- 'cat ~/.bash_logout'
# applications and services as root
- 'ps -aux | grep root'
- 'ps -ef | grep root'
# scheduled tasks
- 'crontab -l'
- 'cat /etc/cron*'
- 'cat /etc/cron.allow'
- 'cat /etc/cron.deny'
- 'cat /etc/crontab'
# search for plain text user/passwords
- 'grep -i user *'
- 'grep -i pass *'
# networking
- 'ifconfig'
- 'cat /etc/network/interfaces'
- 'cat /etc/sysconfig/network'
- 'cat /etc/resolv.conf'
- 'cat /etc/networks'
- 'iptables -L'
- 'lsof -i'
- 'netstat -antup'
- 'netstat -antpx'
- 'netstat -tulpn'
- 'arp -e'
- 'route'
# sensitive files
- 'cat /etc/passwd'
- 'cat /etc/group'
- 'cat /etc/shadow'
# sticky bits
- 'find / -perm -u=s'
- 'find / -perm -g=s'
- 'find / -perm -4000'
2019-09-06 15:29:42 +00:00
- 'find / -perm -2000'
timeframe: 30m
condition: keywords | count() by host > 6
falsepositives:
- Troubleshooting on Linux Machines
2020-09-14 04:03:04 +00:00
level: medium
tags:
- attack.execution
- attack.t1059.004