Potential Defense Evasion via Doas

  1[metadata]
  2creation_date = "2024/08/28"
  3integration = ["endpoint", "sentinel_one_cloud_funnel"]
  4maturity = "production"
  5min_stack_comments = "Breaking change at 8.13.0 for SentinelOne Integration."
  6min_stack_version = "8.13.0"
  7updated_date = "2025/01/15"
  8
  9[rule]
 10author = ["Elastic"]
 11description = """
 12This rule detects the creation or rename of the Doas configuration file on a Linux system. Adversaries may create
 13or modify the Doas configuration file to elevate privileges and execute commands as other users while attempting to
 14evade detection.
 15"""
 16from = "now-9m"
 17index = ["logs-endpoint.events.file*", "endgame-*", "logs-sentinel_one_cloud_funnel.*"]
 18language = "eql"
 19license = "Elastic License v2"
 20name = "Potential Defense Evasion via Doas"
 21references = ["https://wiki.archlinux.org/title/Doas"]
 22risk_score = 21
 23rule_id = "26a726d7-126e-4267-b43d-e9a70bfdee1e"
 24setup = """## Setup
 25
 26This rule requires data coming in from Elastic Defend.
 27
 28### Elastic Defend Integration Setup
 29Elastic Defend is integrated into the Elastic Agent using Fleet. Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app.
 30
 31#### Prerequisite Requirements:
 32- Fleet is required for Elastic Defend.
 33- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).
 34
 35#### The following steps should be executed in order to add the Elastic Defend integration on a Linux System:
 36- Go to the Kibana home page and click "Add integrations".
 37- In the query bar, search for "Elastic Defend" and select the integration to see more details about it.
 38- Click "Add Elastic Defend".
 39- Configure the integration name and optionally add a description.
 40- Select the type of environment you want to protect, either "Traditional Endpoints" or "Cloud Workloads".
 41- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).
 42- We suggest selecting "Complete EDR (Endpoint Detection and Response)" as a configuration setting, that provides "All events; all preventions"
 43- Enter a name for the agent policy in "New agent policy name". If other agent policies already exist, you can click the "Existing hosts" tab and select an existing policy instead.
 44For more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/8.10/agent-policy.html).
 45- Click "Save and Continue".
 46- To complete the integration, select "Add Elastic Agent to your hosts" and continue to the next section to install the Elastic Agent on your hosts.
 47For more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).
 48"""
 49severity = "low"
 50tags = [
 51    "Domain: Endpoint",
 52    "OS: Linux",
 53    "Use Case: Threat Detection",
 54    "Tactic: Defense Evasion",
 55    "Data Source: Elastic Defend",
 56    "Data Source: Elastic Endgame",
 57    "Data Source: SentinelOne",
 58    "Resources: Investigation Guide",
 59]
 60timestamp_override = "event.ingested"
 61type = "eql"
 62query = '''
 63file where host.os.type == "linux" and event.type != "deletion" and file.path == "/etc/doas.conf"
 64'''
 65note = """## Triage and analysis
 66
 67> **Disclaimer**:
 68> This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs.
 69
 70### Investigating Potential Defense Evasion via Doas
 71
 72Doas is a command-line utility on Linux systems that allows users to execute commands as another user, typically with elevated privileges. Adversaries may exploit this by altering the Doas configuration file to gain unauthorized access or escalate privileges, bypassing security measures. The detection rule identifies suspicious activities by monitoring changes to the Doas configuration file, signaling potential misuse aimed at evading defenses.
 73
 74### Possible investigation steps
 75
 76- Review the alert details to confirm the file path involved is "/etc/doas.conf" and the event type is not "deletion", as specified in the query.
 77- Check the timestamp of the alert to determine when the configuration file was created or modified, and correlate this with any known scheduled changes or maintenance activities.
 78- Investigate the user account associated with the event to determine if they have legitimate reasons to modify the Doas configuration file, and verify their access permissions.
 79- Examine system logs and command history around the time of the alert to identify any suspicious activities or commands executed by the user.
 80- Assess the current Doas configuration file for unauthorized changes or entries that could indicate privilege escalation attempts.
 81- Cross-reference the alert with other security events or alerts from the same host to identify potential patterns or related activities that could suggest a broader attack.
 82
 83### False positive analysis
 84
 85- Routine administrative updates to the Doas configuration file can trigger alerts. To manage this, create exceptions for known maintenance windows or specific user accounts responsible for legitimate updates.
 86- Automated configuration management tools may modify the Doas configuration file as part of their normal operation. Identify these tools and exclude their activities from triggering alerts by specifying their process names or user accounts.
 87- System backups or restoration processes might involve creating or renaming the Doas configuration file. Exclude these processes by identifying the backup software and adding it to the exception list.
 88- Development or testing environments where frequent changes to the Doas configuration file are expected can generate false positives. Consider excluding these environments from monitoring or adjusting the rule to account for their unique activity patterns.
 89
 90### Response and remediation
 91
 92- Immediately isolate the affected system from the network to prevent further unauthorized access or lateral movement by the adversary.
 93- Review and revert any unauthorized changes to the Doas configuration file located at /etc/doas.conf to its last known good state.
 94- Conduct a thorough audit of user accounts and permissions on the affected system to identify and remove any unauthorized accounts or privilege escalations.
 95- Implement additional monitoring on the affected system to detect any further attempts to modify the Doas configuration file or other critical system files.
 96- Escalate the incident to the security operations center (SOC) or incident response team for further investigation and to determine if the threat has spread to other systems.
 97- Apply patches and updates to the affected system to address any vulnerabilities that may have been exploited by the adversary.
 98- Review and enhance access controls and authentication mechanisms to prevent unauthorized privilege escalation attempts in the future."""
 99
100[[rule.threat]]
101framework = "MITRE ATT&CK"
102
103[[rule.threat.technique]]
104id = "T1548"
105name = "Abuse Elevation Control Mechanism"
106reference = "https://attack.mitre.org/techniques/T1548/"
107
108[[rule.threat.technique.subtechnique]]
109id = "T1548.003"
110name = "Sudo and Sudo Caching"
111reference = "https://attack.mitre.org/techniques/T1548/003/"
112
113[rule.threat.tactic]
114id = "TA0005"
115name = "Defense Evasion"
116reference = "https://attack.mitre.org/tactics/TA0005/"