Sudo Command Enumeration Detected

This rule monitors for the usage of the sudo -l command, which is used to list the allowed and forbidden commands for the invoking user. Attackers may execute this command to enumerate commands allowed to be executed with sudo permissions, potentially allowing them to escalate privileges to root.


# Elastic prebuilt detection rule in the detection-rules repository TOML format.
# Detects `sudo -l` executed by a non-root user directly from a shell: a
# discovery step that reveals which commands that user may run through sudo.
[metadata]
creation_date = "2023/08/30"
integration = ["endpoint"]
maturity = "production"
# Explains why the stack-version floor below is required.
min_stack_comments = "New fields added: required_fields, related_integrations, setup"
min_stack_version = "8.3.0"
updated_date = "2023/08/30"

[rule]
author = ["Elastic"]
description = """
This rule monitors for the usage of the sudo -l command, which is used to list the allowed and forbidden commands for 
the invoking user. Attackers may execute this command to enumerate commands allowed to be executed with sudo permissions,
potentially allowing to escalate privileges to root. 
"""
# Lookback window for each rule execution; presumably sized to overlap the
# schedule interval so that no events fall between runs — confirm against
# the rule's configured interval.
from = "now-9m"
# Process events shipped by the Elastic Defend (endpoint) integration.
index = ["logs-endpoint.events.*"]
language = "eql"
license = "Elastic License v2"
name = "Sudo Command Enumeration Detected"
# Low severity: this is a discovery-stage signal, and `sudo -l` is also run by
# legitimate administrators, so treat a hit as a triage lead to correlate with
# surrounding activity rather than an alert to act on in isolation; add
# exceptions per host or user role where it is routine.
risk_score = 21
rule_id = "28d39238-0c01-420a-b77a-24e5a7378663"
severity = "low"
tags = ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Discovery", "Data Source: Elastic Defend"]
# Evaluate against ingest time instead of the event's own timestamp so that
# endpoint events arriving late still land inside the lookback window.
timestamp_override = "event.ingested"
type = "eql"
# Matches an exec of `sudo` whose argument list is exactly ["sudo", "-l"]
# (`args_count == 2` excludes any further arguments), spawned directly by one
# of the listed shells, where both the *real* uid and gid are non-zero —
# presumably because a user already running as root has nothing to learn from
# listing sudo rights, so excluding root cuts noise. Only this exact spelling
# is matched; other argument forms and non-shell parents are outside the
# rule's scope, which is worth weighing when assessing coverage.
query = '''
process where host.os.type == "linux" and event.type == "start" and event.action == "exec" and 
process.name == "sudo" and process.args == "-l" and process.args_count == 2 and
process.parent.name in ("bash", "dash", "sh", "tcsh", "csh", "zsh", "ksh", "fish") and 
not group.Ext.real.id : "0" and not user.Ext.real.id : "0"
'''

# MITRE ATT&CK mapping: Discovery tactic, System Owner/User Discovery technique.
[[rule.threat]]
framework = "MITRE ATT&CK"

[[rule.threat.technique]]
id = "T1033"
name = "System Owner/User Discovery"
reference = "https://attack.mitre.org/techniques/T1033/"

[rule.threat.tactic]
id = "TA0007"
name = "Discovery"
reference = "https://attack.mitre.org/tactics/TA0007/"

