This is a proposal for a PrivEsc detection rule
The idea is to detect in the auditd logs the execution of the find command (for example, $find -perm -u=ws ...) looking for binaries or scripts that can be executed with elevated privileges.
mlakri authored Nov 4, 2024
1 parent 4f4ef7a commit 4515805
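As an added example (not the commit author's code and not part of the Sigma rule set), the following Python replays constructed auditd EXECVE records through the commit's selection read literally (`a0` equal to `find`, `a1` equal to `-perm`) and through a position-independent variant that also requires the `-perm` argument to name a setuid or setgid mode. The record layout follows auditd's EXECVE line format, including its hex encoding of arguments that contain spaces; the records themselves, timestamps and paths are constructed for this example.

```python
"""Replay constructed auditd EXECVE records through two versions of the
'find -perm' selection. Added example, not the proposed rule's own code."""
import re

# Constructed auditd EXECVE records for this example, not captured from a real host.
# auditd quotes printable arguments and hex-encodes arguments containing spaces or
# control characters (a1 in the fifth record decodes to "/opt/my dir").
SAMPLE_RECORDS = [
    'type=EXECVE msg=audit(1730719200.101:4201): argc=3 a0="find" a1="-perm" a2="-4000"',
    'type=EXECVE msg=audit(1730719201.102:4202): argc=4 a0="/usr/bin/find" a1="/" a2="-perm" a3="-u=s"',
    'type=EXECVE msg=audit(1730719202.103:4203): argc=6 a0="find" a1="/" a2="-type" a3="f" a4="-perm" a5="/6000"',
    'type=EXECVE msg=audit(1730719203.104:4204): argc=3 a0="find" a1="-perm" a2="644"',
    'type=EXECVE msg=audit(1730719204.105:4205): argc=4 a0="find" a1=2F6F70742F6D7920646972 a2="-perm" a3="-2000"',
    'type=EXECVE msg=audit(1730719205.106:4206): argc=3 a0="find" a1="-perm" a2="-u=ws"',
    'type=SYSCALL msg=audit(1730719205.106:4206): arch=c000003e syscall=59 success=yes exit=0 comm="find"',
]

# aN="..." for printable arguments, aN=HEX for hex-encoded ones.
ARG_RE = re.compile(r'\ba(\d+)=(?:"([^"]*)"|([0-9A-Fa-f]+))')

# One symbolic -perm clause, e.g. u=s, g+s, u=ws (find(1) also accepts comma-separated lists).
MODE_CLAUSE = re.compile(r"([ugoa]+)([=+])([rwxXst]*)")


def parse_execve(record: str):
    """Return argv from an auditd EXECVE record, or None for other record types."""
    if "type=EXECVE " not in record:
        return None
    args = {}
    for m in ARG_RE.finditer(record):
        idx, quoted, hexed = int(m.group(1)), m.group(2), m.group(3)
        args[idx] = quoted if quoted is not None else bytes.fromhex(hexed).decode("utf-8", "replace")
    return [args[i] for i in sorted(args)]


def is_suid_sgid_mode(mode: str) -> bool:
    """True if a find(1) -perm argument asks for the setuid or setgid bit.

    Handles the '-mode' (all bits) and '/mode' (any bit) prefixes, octal modes
    such as -4000, /6000 or 4755, and symbolic clauses such as -u=s, -g=s, -u=ws.
    """
    body = mode[1:] if mode[:1] in "-/" else mode
    if re.fullmatch(r"[0-7]{3,5}", body):
        return int(body, 8) & 0o6000 != 0
    for clause in body.split(","):
        m = MODE_CLAUSE.fullmatch(clause)
        if m and set(m.group(1)) & {"u", "g", "a"} and "s" in m.group(3):
            return True
    return False


def matches_proposed_rule(argv) -> bool:
    """The commit's selection read literally: a0 == 'find' and a1 == '-perm'."""
    return len(argv) >= 2 and argv[0] == "find" and argv[1] == "-perm"


def matches_hardened_rule(argv) -> bool:
    """Position-independent variant: find by name or full path, '-perm' in any
    position, and the following argument must include the setuid or setgid bit."""
    if not argv or argv[0].rsplit("/", 1)[-1] != "find":
        return False
    return any(
        arg == "-perm" and is_suid_sgid_mode(argv[i + 1])
        for i, arg in enumerate(argv[:-1])
    )


def analyze(records):
    """Per record: (proposed_hit, hardened_hit), or None if it is not an EXECVE record."""
    out = []
    for record in records:
        argv = parse_execve(record)
        out.append(None if argv is None else (matches_proposed_rule(argv), matches_hardened_rule(argv)))
    return out


if __name__ == "__main__":
    for record, verdict in zip(SAMPLE_RECORDS, analyze(SAMPLE_RECORDS)):
        print(f"{verdict!s:<14} {record}")
```

Running it prints one verdict pair per record: the literal selection misses the absolute-path invocation, the `find / -perm -4000` form with `-perm` in `a2`, and the record with a hex-encoded argument, while it does fire on `find -perm 644`, which has nothing to do with setuid or setgid bits. The hardened variant flips each of those outcomes.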
Showing 1 changed file with 25 additions and 0 deletions.
25 changes: 25 additions & 0 deletions rules/linux/auditd/lnx_auditd_enum_binaries_suid.yml
@@ -0,0 +1,25 @@
title: SUID OR SGID Binary Enumeration Attempt
id: c0efa226-6f55-4232-8570-60265f37a108
status: test
description: Detect attempts to enumerate binaries with the Special Permissions for privilege escalation.
references:
- https://www.baeldung.com/linux/permission-search-find-locate-suid-sgid
- https://tbhaxor.com/exploiting-suid-binaries-to-get-root-user-shell/
author: 'Mohamed LAKRI'
date: 2024-11-04
tags:
- attack.privilege-escalation
- attack.T1548
logsource:
product: linux
service: auditd
detection:
selection:
type: EXECVE
a0: find
a1: '-perm'
condition: selection
falsepositives:
- Sysadmin Activity
level: low
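Review bot: the selection only fires when `-perm` is the first argument (`a1: '-perm'`) and when `a0` is the bare name `find`, so the common form `find / -perm -4000 2>/dev/null` (with `-perm` in `a2`) and an invocation by absolute path (`a0="/usr/bin/find"`) both miss, while `find . -perm 644`, which involves no SUID or SGID bit, fires. Consider matching the program name with `a0|endswith: '/find'` in addition to `a0: find`, matching `-perm` in any of the argument fields the log source exposes (for example a list over `a1`, `a2`, `a3` and so on), and requiring the argument after `-perm` to name a setuid or setgid mode such as `-4000`, `-2000`, `-6000`, `/4000`, `/6000`, `-u=s`, `-g=s` or `-u=ws`, so the rule matches what the title and description promise. Smaller points: Sigma tags use underscores and lowercase technique IDs (`attack.privilege_escalation` and `attack.t1548.001` for Setuid and Setgid), the rule detects enumeration rather than the escalation itself so `attack.discovery` / `attack.t1083` also fit, and `OR` in the title should be lowercase.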
