Potential Unauthorized Access via Wildcard Injection Detected
This rule monitors for the execution of the "chown" and "chmod" commands with command line flags that could indicate a wildcard injection attack. Linux wildcard injection is a type of security vulnerability where attackers manipulate commands or input containing wildcards (e.g., *, ?, []) to execute unintended operations or access sensitive data by tricking the system into interpreting the wildcard characters in unexpected ways.
Elastic rule (View on GitHub)
[metadata]
creation_date = "2023/07/28"
integration = ["endpoint", "auditd_manager", "crowdstrike", "sentinel_one_cloud_funnel"]
maturity = "production"
min_stack_version = "8.13.0"
min_stack_comments = "Breaking change at 8.13.0 for SentinelOne Integration."
updated_date = "2025/01/15"

[rule]
author = ["Elastic"]
description = """
This rule monitors for the execution of the "chown" and "chmod" commands with command line flags that could indicate a
wildcard injection attack. Linux wildcard injection is a type of security vulnerability where attackers manipulate
commands or input containing wildcards (e.g., *, ?, []) to execute unintended operations or access sensitive data by
tricking the system into interpreting the wildcard characters in unexpected ways.
"""
from = "now-9m"
index = ["logs-endpoint.events.*", "endgame-*", "auditbeat-*", "logs-auditd_manager.auditd-*", "logs-crowdstrike.fdr*", "logs-sentinel_one_cloud_funnel.*"]
language = "eql"
license = "Elastic License v2"
name = "Potential Unauthorized Access via Wildcard Injection Detected"
references = ["https://www.exploit-db.com/papers/33930"]
risk_score = 21
rule_id = "4a99ac6f-9a54-4ba5-a64f-6eb65695841b"
setup = """## Setup

This rule requires data coming in from Elastic Defend.

### Elastic Defend Integration Setup
Elastic Defend is integrated into the Elastic Agent using Fleet. Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app.

#### Prerequisite Requirements:
- Fleet is required for Elastic Defend.
- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).

#### The following steps should be executed in order to add the Elastic Defend integration on a Linux System:
- Go to the Kibana home page and click "Add integrations".
- In the query bar, search for "Elastic Defend" and select the integration to see more details about it.
- Click "Add Elastic Defend".
- Configure the integration name and optionally add a description.
- Select the type of environment you want to protect, either "Traditional Endpoints" or "Cloud Workloads".
- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).
- We suggest selecting "Complete EDR (Endpoint Detection and Response)" as a configuration setting, that provides "All events; all preventions"
- Enter a name for the agent policy in "New agent policy name". If other agent policies already exist, you can click the "Existing hosts" tab and select an existing policy instead.
For more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/8.10/agent-policy.html).
- Click "Save and Continue".
- To complete the integration, select "Add Elastic Agent to your hosts" and continue to the next section to install the Elastic Agent on your hosts.
For more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).
"""
severity = "low"
tags = [
    "Domain: Endpoint",
    "OS: Linux",
    "Use Case: Threat Detection",
    "Tactic: Privilege Escalation",
    "Tactic: Credential Access",
    "Data Source: Elastic Endgame",
    "Data Source: Elastic Defend",
    "Data Source: Auditd Manager",
    "Data Source: Crowdstrike",
    "Data Source: SentinelOne",
    "Resources: Investigation Guide",
]
timestamp_override = "event.ingested"
type = "eql"

query = '''
process where host.os.type == "linux" and event.type == "start" and
  event.action in ("exec", "exec_event", "start", "ProcessRollup2", "executed", "process_started") and
  process.name in ("chown", "chmod") and process.args == "-R" and process.args : "--reference=*"
'''
note = """## Triage and analysis

> **Disclaimer**:
> This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs.

### Investigating Potential Unauthorized Access via Wildcard Injection Detected

In Linux environments, commands like `chown` and `chmod` are used to change file ownership and permissions. Adversaries may exploit wildcard characters in these commands to escalate privileges or access sensitive data by executing unintended operations. The detection rule identifies suspicious use of these commands with recursive flags and wildcard references, signaling potential misuse aimed at privilege escalation or unauthorized data access.

### Possible investigation steps

- Review the process execution details to confirm the presence of the "chown" or "chmod" command with the "-R" flag and wildcard usage in the arguments, as indicated by the query fields process.name, process.args, and event.action.
- Examine the user account associated with the process execution to determine if it has the necessary permissions to perform such operations and assess if the account has been compromised.
- Check the command execution history and related logs to identify any preceding or subsequent suspicious activities that might indicate a broader attack pattern or unauthorized access attempts.
- Investigate the source and destination of the command execution by analyzing network logs and connections to determine if the activity originated from a known or unknown IP address or host.
- Correlate this event with other alerts or anomalies in the system to identify potential patterns or coordinated attacks, focusing on privilege escalation or credential access attempts as suggested by the rule's tags and threat information.

### False positive analysis

- Routine administrative tasks using chown or chmod with recursive flags may trigger the rule. To manage this, identify and whitelist specific scripts or users that regularly perform these tasks without security risks.
- Automated system maintenance processes that involve changing file permissions or ownership across directories can be mistaken for malicious activity. Exclude these processes by specifying their command patterns or associated user accounts in the monitoring system.
- Backup operations that involve copying and setting permissions on large sets of files might be flagged. To prevent this, configure exceptions for known backup tools or scripts that use these commands in a controlled manner.
- Development environments where developers frequently change file permissions for testing purposes can generate false positives. Implement user-based exceptions for development teams to reduce unnecessary alerts.
- System updates or package installations that modify file permissions as part of their normal operation may be detected. Create exceptions for trusted package managers or update processes to avoid false alarms.

### Response and remediation

- Immediately isolate the affected system from the network to prevent further unauthorized access or data exfiltration.
- Terminate any suspicious processes identified as running the `chown` or `chmod` commands with wildcard injections to halt potential privilege escalation activities.
- Conduct a thorough review of system logs and command histories to identify any unauthorized changes made to file permissions or ownership and revert them to their original state.
- Reset credentials and review access permissions for users on the affected system to ensure no unauthorized access persists.
- Implement file integrity monitoring to detect unauthorized changes to critical files and directories in the future.
- Escalate the incident to the security operations center (SOC) or incident response team for further investigation and to determine if additional systems are affected.
- Update and patch the affected system to address any vulnerabilities that may have been exploited during the attack, ensuring all security updates are applied."""


[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1068"
name = "Exploitation for Privilege Escalation"
reference = "https://attack.mitre.org/techniques/T1068/"


[rule.threat.tactic]
id = "TA0004"
name = "Privilege Escalation"
reference = "https://attack.mitre.org/tactics/TA0004/"
[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1003"
name = "OS Credential Dumping"
reference = "https://attack.mitre.org/techniques/T1003/"
[[rule.threat.technique.subtechnique]]
id = "T1003.008"
name = "/etc/passwd and /etc/shadow"
reference = "https://attack.mitre.org/techniques/T1003/008/"



[rule.threat.tactic]
id = "TA0006"
name = "Credential Access"
reference = "https://attack.mitre.org/tactics/TA0006/"
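The EQL query above can be replayed offline to see exactly which process events it would and would not flag, which is useful when tuning the false-positive exceptions the guide recommends. The following is an added example, not Elastic's code: it re-implements the query's conditions in Python over constructed ECS-style process events. Two EQL semantics matter here and are reproduced: on an array field such as `process.args`, `== "-R"` is true if any element equals `-R` exactly (case-sensitive), while `: "--reference=*"` is a case-insensitive wildcard match against any element. The event dictionaries and the `evt-*` ids are constructed sample data.

```python
"""Offline replay of Elastic's "Potential Unauthorized Access via
Wildcard Injection Detected" EQL query over constructed process events.
Added example for illustration; not part of the Elastic rule repository.
"""
import fnmatch

# Literal sets copied from the rule's query.
ACTIONS = {"exec", "exec_event", "start", "ProcessRollup2",
           "executed", "process_started"}
PROCESS_NAMES = {"chown", "chmod"}


def matches_rule(event: dict) -> bool:
    """Return True if an ECS-style process event satisfies the rule's query."""
    if event.get("host.os.type") != "linux":
        return False
    if event.get("event.type") != "start":
        return False
    if event.get("event.action") not in ACTIONS:
        return False
    if event.get("process.name") not in PROCESS_NAMES:
        return False
    args = event.get("process.args") or []
    # EQL `process.args == "-R"`: exact, case-sensitive match on any element.
    has_recursive_short_flag = any(a == "-R" for a in args)
    # EQL `process.args : "--reference=*"`: case-insensitive wildcard on any element.
    has_reference_arg = any(
        fnmatch.fnmatchcase(a.lower(), "--reference=*") for a in args
    )
    return has_recursive_short_flag and has_reference_arg


def make_event(event_id, name, args, os_type="linux", action="exec"):
    """Build a minimal flattened ECS process-start event (constructed data)."""
    return {
        "id": event_id,
        "host.os.type": os_type,
        "event.type": "start",
        "event.action": action,
        "process.name": name,
        "process.args": [name] + args,
    }


# Constructed sample events; none of these come from a real host.
SAMPLE_EVENTS = [
    # Routine recursive permission change: has -R but no --reference, no alert.
    make_event("evt-1", "chmod", ["-R", "755", "/srv/www"]),
    # Legitimate admin use of --reference: matches, a known false-positive pattern.
    make_event("evt-2", "chown", ["-R", "--reference=/etc/skel", "/home/newuser"]),
    # Shell-expanded argv in which a filename supplied --reference=: matches.
    make_event("evt-3", "chown", ["-R", "nobody:nogroup",
                                  "--reference=settings.conf", "data.log"]),
    # Long-form --recursive instead of -R: the rule does not match this.
    make_event("evt-4", "chmod", ["--recursive", "--reference=/tmp/x", "/opt/app"]),
    # Mixed-case --REFERENCE=: still matches because `:` is case-insensitive.
    make_event("evt-5", "chown", ["-R", "--REFERENCE=/etc/skel", "/home/x"]),
    # Same argv as evt-3 but not Linux: outside the rule's scope.
    make_event("evt-6", "chown", ["-R", "nobody:nogroup",
                                  "--reference=settings.conf", "data.log"],
               os_type="windows"),
]


def evaluate(events):
    """Return the ids of the events the rule would alert on, in input order."""
    return [e["id"] for e in events if matches_rule(e)]


if __name__ == "__main__":
    for e in SAMPLE_EVENTS:
        verdict = "ALERT" if matches_rule(e) else "no match"
        print(f"{e['id']}: {' '.join(e['process.args'])} -> {verdict}")
```

The replay makes two tuning points visible. `evt-2` shows that a legitimate `chown -R --reference=...` by an administrator fires the rule, which is why the guide suggests user- or script-based exceptions rather than disabling it. `evt-4` shows a coverage gap: the query keys on the exact `-R` token, so the long-form `--recursive` spelling that both `chown` and `chmod` accept is not covered; a defender extending the rule for their environment could add `--recursive` to the recursive-flag condition.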
References
- https://www.exploit-db.com/papers/33930
Related rules
- Kernel Load or Unload via Kexec Detected
- Linux Process Hooking via GDB
- Potential Sudo Privilege Escalation via CVE-2019-14287
- Base16 or Base32 Encoding/Decoding Activity
- ESXI Timestomping using Touch Command