Potential Buffer Overflow Attack Detected

Detects potential buffer overflow attacks by querying the "Segfault Detected" pre-built rule signal index, through a threshold rule, with a minimum number of 100 segfault alerts in a short timespan. A large number of segfaults in a short time interval could indicate application exploitation attempts.

Elastic rule

[metadata]
creation_date = "2023/12/11"
maturity = "production"
updated_date = "2024/05/21"

[rule]
author = ["Elastic"]
description = """
Detects potential buffer overflow attacks by querying the "Segfault Detected" pre-built rule signal index, through a
threshold rule, with a minimum number of 100 segfault alerts in a short timespan. A large amount of segfaults in a short
time interval could indicate application exploitation attempts.
"""
from = "now-9m"
index = [".alerts-security.*"]
language = "kuery"
license = "Elastic License v2"
name = "Potential Buffer Overflow Attack Detected"
risk_score = 21
rule_id = "b7c05aaf-78c2-4558-b069-87fa25973489"
setup = """## Setup


This rule leverages alert data from other prebuilt detection rules to function correctly.

### Dependent Elastic Detection Rule Enablement
As a higher-order rule (based on other detections), this rule also requires the following prerequisite Elastic detection rule to be installed and enabled:
- Segfault Detected (5c81fc9d-1eae-437f-ba07-268472967013)
"""
severity = "low"
tags = [
    "Domain: Endpoint",
    "OS: Linux",
    "Use Case: Threat Detection",
    "Tactic: Privilege Escalation",
    "Tactic: Initial Access",
    "Use Case: Vulnerability",
    "Rule Type: Higher-Order Rule",
]
timestamp_override = "event.ingested"
type = "threshold"

query = '''
kibana.alert.rule.rule_id:"5c81fc9d-1eae-437f-ba07-268472967013" and host.os.type:linux and event.kind:signal
'''


[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1068"
name = "Exploitation for Privilege Escalation"
reference = "https://attack.mitre.org/techniques/T1068/"


[rule.threat.tactic]
id = "TA0004"
name = "Privilege Escalation"
reference = "https://attack.mitre.org/tactics/TA0004/"
[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1190"
name = "Exploit Public-Facing Application"
reference = "https://attack.mitre.org/techniques/T1190/"


[rule.threat.tactic]
id = "TA0001"
name = "Initial Access"
reference = "https://attack.mitre.org/tactics/TA0001/"

[rule.threshold]
field = ["event.kind", "host.id"]
value = 100
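To show what the threshold rule actually evaluates, here is an added Python model (not Elastic's code) of the rule's logic: it filters constructed alert documents with the same KQL conditions, keeps only those whose event.ingested falls inside the now-9m window, groups them on event.kind and host.id, and reports groups reaching 100. The alert documents, host ids and timestamps are constructed for the demonstration.

```python
from collections import Counter
from datetime import datetime, timedelta, timezone

# Values taken from the rule above.
SEGFAULT_RULE_ID = "5c81fc9d-1eae-437f-ba07-268472967013"
THRESHOLD_FIELDS = ("event.kind", "host.id")   # [rule.threshold] field
THRESHOLD_VALUE = 100                          # [rule.threshold] value
LOOKBACK = timedelta(minutes=9)                # from = "now-9m"

def matches_query(alert):
    """The rule's KQL: source rule id, host.os.type:linux and event.kind:signal."""
    return (alert.get("kibana.alert.rule.rule_id") == SEGFAULT_RULE_ID
            and alert.get("host.os.type") == "linux"
            and alert.get("event.kind") == "signal")

def evaluate_threshold(alerts, now):
    """Return {(event.kind, host.id): count} for each group at or above the threshold.
    Alerts are placed in the window by event.ingested (timestamp_override)."""
    window_start = now - LOOKBACK
    counts = Counter()
    for alert in alerts:
        if not window_start <= alert["event.ingested"] <= now:
            continue  # outside the rule's execution window
        if not matches_query(alert):
            continue
        counts[tuple(alert[f] for f in THRESHOLD_FIELDS)] += 1
    return {group: n for group, n in counts.items() if n >= THRESHOLD_VALUE}

def make_alert(host_id, ingested, rule_id=SEGFAULT_RULE_ID, os_type="linux"):
    """Minimal stand-in for a signal document in .alerts-security.* (constructed)."""
    return {"kibana.alert.rule.rule_id": rule_id, "host.os.type": os_type,
            "host.id": host_id, "event.kind": "signal", "event.ingested": ingested}

def sample_alerts(now):
    """Constructed data: only host-a should trip the rule."""
    recent, stale = now - timedelta(minutes=2), now - timedelta(minutes=30)
    alerts = [make_alert("host-a", recent) for _ in range(100)]  # exactly at threshold
    alerts += [make_alert("host-b", recent) for _ in range(99)]  # one short
    alerts += [make_alert("host-c", stale) for _ in range(150)]  # older than now-9m
    alerts += [make_alert("host-d", recent, rule_id="other-rule-id") for _ in range(150)]
    alerts += [make_alert("host-e", recent, os_type="windows") for _ in range(150)]
    return alerts

def demo():
    now = datetime(2024, 5, 21, 12, 0, tzinfo=timezone.utc)
    return evaluate_threshold(sample_alerts(now), now)  # {('signal', 'host-a'): 100}
```

Because the grouping is per host.id, 99 segfaults on one host plus 99 on another never fire, which is the behaviour to keep in mind when tuning the threshold for a fleet where crashes are spread across machines.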
