SigmaHQ/rules/linux/lnx_shell_priv_esc_prep.yml

title: Privilege Escalation Preparation
id: 444ade84-c362-4260-b1f3-e45e20e1a905
status: experimental
description: Detects suspicious shell commands indicating the information gathering phase as preparation for the Privilege Escalation.
author: Patrick Bareiss
date: 2019/04/05
references:
    - https://blog.g0tmi1k.com/2011/08/basic-linux-privilege-escalation/
    - https://patrick-bareiss.com/detect-privilege-escalation-preparation-in-linux-with-sigma/
logsource:
    product: linux
detection:
    keywords:
        # distribution type and kernel version
        - 'cat /etc/issue'
        - 'cat /etc/*-release'
        - 'cat /proc/version'
        - 'uname -a'
        - 'uname -mrs'
        - 'rpm -q kernel'
        - 'dmesg | grep Linux'
        - 'ls /boot | grep vmlinuz-'
        # environment variables
        - 'cat /etc/profile'
        - 'cat /etc/bashrc'
        - 'cat ~/.bash_profile'
        - 'cat ~/.bashrc'
        - 'cat ~/.bash_logout'
        # applications and services as root
        - 'ps -aux | grep root'
        - 'ps -ef | grep root'
        # scheduled tasks
        - 'crontab -l'
        - 'cat /etc/cron*'
        - 'cat /etc/cron.allow'
        - 'cat /etc/cron.deny'
        - 'cat /etc/crontab'
        # search for plain text user/passwords
        - 'grep -i user *'
        - 'grep -i pass *'
        # networking
        - 'ifconfig'
        - 'cat /etc/network/interfaces'
        - 'cat /etc/sysconfig/network'
        - 'cat /etc/resolv.conf'
        - 'cat /etc/networks'
        - 'iptables -L'
        - 'lsof -i'
        - 'netstat -antup'
        - 'netstat -antpx'
        - 'netstat -tulpn'
        - 'arp -e'
        - 'route'
        # sensitive files
        - 'cat /etc/passwd'
        - 'cat /etc/group'
        - 'cat /etc/shadow'
        # sticky bits
        - 'find / -perm -u=s'
        - 'find / -perm -g=s'
        - 'find / -perm -4000'
        - 'find / -perm -2000'
    timeframe: 30m
    condition: keywords | count() by host > 6
falsepositives:
    - Troubleshooting on Linux Machines
level: medium
tags:
    - attack.execution
    - attack.t1059.004