Potential Sudo Token Manipulation via Process Injection
This rule detects potential sudo token manipulation attacks through process injection by monitoring the use of a debugger (gdb) process followed by a successful uid change event during the execution of the sudo process. A sudo token manipulation attack is performed by injecting into a process that has a valid sudo token, which can then be used by attackers to activate their own sudo token. This attack requires ptrace to be enabled in conjunction with the existence of a living process that has a valid sudo token with the same uid as the current user.
Elastic rule (View on GitHub)
1[metadata]
2creation_date = "2023/07/31"
3integration = ["endpoint"]
4maturity = "production"
5min_stack_comments = "New fields added: required_fields, related_integrations, setup"
6min_stack_version = "8.3.0"
7updated_date = "2023/07/31"
8
9[rule]
10author = ["Elastic"]
11description = """
12This rule detects potential sudo token manipulation attacks through process injection by monitoring the use of a
13debugger (gdb) process followed by a successful uid change event during the execution of the sudo process. A sudo token
14manipulation attack is performed by injecting into a process that has a valid sudo token, which can then be used by
15attackers to activate their own sudo token. This attack requires ptrace to be enabled in conjunction with the existence
16of a living process that has a valid sudo token with the same uid as the current user.
17"""
18from = "now-9m"
19index = ["logs-endpoint.events.*"]
20language = "eql"
21license = "Elastic License v2"
22name = "Potential Sudo Token Manipulation via Process Injection"
23references = ["https://github.com/nongiach/sudo_inject"]
24risk_score = 47
25rule_id = "ff9bc8b9-f03b-4283-be58-ee0a16f5a11b"
26severity = "medium"
27tags = ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Privilege Escalation", "Data Source: Elastic Defend"]
28type = "eql"
29query = '''
30sequence by host.id, process.session_leader.entity_id with maxspan=15s
31[ process where host.os.type == "linux" and event.action == "exec" and event.type == "start" and
32 process.name == "gdb" and process.user.id != "0" and process.group.id != "0" ]
33[ process where host.os.type == "linux" and event.action == "uid_change" and event.type == "change" and
34 process.name == "sudo" and process.user.id == "0" and process.group.id == "0" ]
35'''
36
37[[rule.threat]]
38framework = "MITRE ATT&CK"
39
40[[rule.threat.technique]]
41id = "T1055"
42name = "Process Injection"
43reference = "https://attack.mitre.org/techniques/T1055/"
44
45[[rule.threat.technique.subtechnique]]
46id = "T1055.008"
47name = "Ptrace System Calls"
48reference = "https://attack.mitre.org/techniques/T1055/008/"
49
50[[rule.threat.technique]]
51id = "T1548"
52name = "Abuse Elevation Control Mechanism"
53reference = "https://attack.mitre.org/techniques/T1548/"
54
55[[rule.threat.technique.subtechnique]]
56id = "T1548.003"
57name = "Sudo and Sudo Caching"
58reference = "https://attack.mitre.org/techniques/T1548/003/"
59
60[rule.threat.tactic]
61id = "TA0004"
62name = "Privilege Escalation"
63reference = "https://attack.mitre.org/tactics/TA0004/"
References
Related rules
- Cron Job Created or Changed by Previously Unknown Process
- Deprecated - Potential Process Injection via LD_PRELOAD Environment Variable
- Kernel Load or Unload via Kexec Detected
- Modification of Dynamic Linker Preload Shared Object
- Namespace Manipulation Using Unshare