Merge branch 'P4T12ICK-feature/lnx-priv-esc-prep'

2024-11-08 02:08:54 +00:00 · 2019-05-10 00:08:48 +02:00 · 2019-05-10 00:08:48 +02:00 · c50119b913
commit c50119b913
parent 27199fc231 46c789105b
1 changed files with 64 additions and 0 deletions
--- a/rules/linux/lnx_shell_priv_esc_prep.yml
+++ b/rules/linux/lnx_shell_priv_esc_prep.yml
@ -0,0 +1,64 @@
+title: Privilege Escalation Preparation 
+status: experimental
+description: Detects suspicious shell commands indicating the information gathering phase as preparation for the Privilege Escalation.
+references:
+    - https://blog.g0tmi1k.com/2011/08/basic-linux-privilege-escalation/
+    - https://patrick-bareiss.com/detect-privilege-escalation-preparation-in-linux-with-sigma/
+author: Patrick Bareiss
+date: 2019/04/05
+tags:
+    - attack.privilege_escalation
+    - attack.t1068
+level: medium
+logsource:
+    product: linux
+detection:
+    keywords:
+        # distribution type and kernel version
+        - 'cat /etc/issue'
+        - 'cat /etc/*-release'
+        - 'cat /proc/version'
+        - 'uname -a'
+        - 'uname -mrs'
+        - 'rpm -q kernel'
+        - 'dmesg | grep Linux'
+        - 'ls /boot | grep vmlinuz-'
+        # environment variables
+        - 'cat /etc/profile'
+        - 'cat /etc/bashrc'
+        - 'cat ~/.bash_profile'
+        - 'cat ~/.bashrc'
+        - 'cat ~/.bash_logout'
+        # applications and services as root
+        - 'ps -aux | grep root'
+        - 'ps -ef | grep root'
+        # scheduled tasks
+        - 'crontab -l'
+        - 'cat /etc/cron*'
+        - 'cat /etc/cron.allow'
+        - 'cat /etc/cron.deny'
+        - 'cat /etc/crontab'
+        # search for plain text user/passwords
+        - 'grep -i user *'
+        - 'grep -i pass *'
+        # networking
+        - 'ifconfig'
+        - 'cat /etc/network/interfaces'
+        - 'cat /etc/sysconfig/network'
+        - 'cat /etc/resolv.conf'
+        - 'cat /etc/networks'
+        - 'iptables -L'
+        - 'lsof -i'
+        - 'netstat -antup'
+        - 'netstat -antpx'
+        - 'netstat -tulpn'
+        - 'arp -e'
+        - 'route'
+        # sensitive files
+        - 'cat /etc/passwd'
+        - 'cat /etc/group'
+        - 'cat /etc/shadow'
+    timeframe: 30m
+    condition: keywords | count() by host > 6
+falsepositives:
+    - Troubleshooting on Linux Machines