Potential Sudo Hijacking Detected
Identifies the creation of a sudo binary located at /usr/bin/sudo. Attackers may hijack the default sudo binary and replace it with a custom binary or script that can read the user's password in clear text to escalate privileges or maintain persistence on the system every time the sudo binary is executed.
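# Rule-package metadata. Dates use the "YYYY/MM/DD" string form this rule
# repository uses; updated_date is expected to move whenever the rule body changes.
[metadata]
creation_date = "2023/07/26"
integration = ["endpoint"]
maturity = "production"
min_stack_comments = "New fields added: required_fields, related_integrations, setup"
min_stack_version = "8.3.0"
updated_date = "2023/07/26"

[rule]
author = ["Elastic"]
description = """
Identifies the creation of a sudo binary located at /usr/bin/sudo. Attackers may hijack the default sudo binary and
replace it with a custom binary or script that can read the user's password in clear text to escalate privileges or
enable persistence onto the system every time the sudo binary is executed.
"""
# Start of the time window queried on each run. The 9-minute look-back is
# presumably wider than the run interval so that ingest lag does not cause
# misses (see timestamp_override below) — confirm against the schedule in use.
from = "now-9m"
# Both Elastic Defend (logs-endpoint.events.*) and Elastic Endgame (endgame-*)
# data are queried; these patterns also carry non-Linux endpoint events.
index = ["logs-endpoint.events.*", "endgame-*"]
language = "eql"
license = "Elastic License v2"
name = "Potential Sudo Hijacking Detected"
references = ["https://eapolsniper.github.io/2020/08/17/Sudo-Hijacking/"]
# risk_score and severity must stay consistent: 47 is the top of the "medium" band.
risk_score = 47
rule_id = "88fdcb8c-60e5-46ee-9206-2663adf1b1ce"
severity = "medium"
tags = [
    "Domain: Endpoint",
    "OS: Linux",
    "Use Case: Threat Detection",
    "Tactic: Privilege Escalation",
    "Tactic: Persistence",
    "Data Source: Elastic Endgame",
    "Data Source: Elastic Defend",
]
# Evaluate on ingest time rather than event time so late-arriving events still
# fall inside the `from` window.
timestamp_override = "event.ingested"
type = "eql"
# Fires on a file-creation event whose target path is exactly /usr/bin/sudo.
# The two event.type values presumably map to the two data sources ("creation"
# for Elastic Defend, "file_create_event" for Endgame) — confirm against the
# deployed mappings. host.os.type scopes the rule to Linux, which the "OS: Linux"
# tag implies but the original query did not enforce; without it, macOS endpoint
# data in the same index pattern (where /usr/bin/sudo is a legitimate system
# path) can raise false positives. Confirm that Endgame documents populate
# host.os.type in your stack before relying on this filter.
# Expect alerts when the sudo package itself is upgraded by the system package
# manager; triage those on process.executable and process.parent.* rather than
# adding exclusions keyed on process.name, which is easy to spoof.
# Only creation-type events are matched; whether an in-place overwrite or a move
# into /usr/bin/sudo is reported as "creation" depends on the data source — confirm.
query = '''
file where host.os.type == "linux" and event.type in ("creation", "file_create_event") and file.path == "/usr/bin/sudo"
'''

# MITRE ATT&CK mapping: one [[rule.threat]] entry per tactic, each carrying the
# technique(s) that explain why the rule is attributed to that tactic.
[[rule.threat]]
framework = "MITRE ATT&CK"

[[rule.threat.technique]]
id = "T1548"
name = "Abuse Elevation Control Mechanism"
reference = "https://attack.mitre.org/techniques/T1548/"

[[rule.threat.technique.subtechnique]]
id = "T1548.003"
name = "Sudo and Sudo Caching"
reference = "https://attack.mitre.org/techniques/T1548/003/"

[rule.threat.tactic]
id = "TA0004"
name = "Privilege Escalation"
reference = "https://attack.mitre.org/tactics/TA0004/"

[[rule.threat]]
framework = "MITRE ATT&CK"

[[rule.threat.technique]]
id = "T1574"
name = "Hijack Execution Flow"
reference = "https://attack.mitre.org/techniques/T1574/"

[rule.threat.tactic]
id = "TA0003"
name = "Persistence"
reference = "https://attack.mitre.org/tactics/TA0003/"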
References
Related rules
- Cron Job Created or Changed by Previously Unknown Process
- New Systemd Service Created by Previously Unknown Process
- Chkconfig Service Add
- Deprecated - Potential Process Injection via LD_PRELOAD Environment Variable
- Kernel Load or Unload via Kexec Detected