SigmaHQ/rules/linux/lnx_sudo_cve_2019_14287.yml

---
action: global
title: Sudo Privilege Escalation CVE-2019-14287
status: experimental
description: Detects users trying to exploit sudo vulnerability reported in CVE-2019-14287
references:
    - https://www.openwall.com/lists/oss-security/2019/10/14/1
    - https://access.redhat.com/security/cve/cve-2019-14287
    - https://twitter.com/matthieugarin/status/1183970598210412546
author: Florian Roth
date: 2019/10/15
tags:
    - attack.privilege_escalation
    - attack.t1068
    - attack.t1169
logsource:
    product: linux
falsepositives:
    - Unlikely
level: critical
---
detection:
    selection_keywords:
        - '* -u#-1*'
        - '* -u#4294967295*'
    condition: selection_keywords
--- 
detection:
    selection_user:
        USER:
            - '#-1'
            - '#4294967295'
    condition: selection_user