Nimbuspwn Exploitation
Detects exploitation of Nimbuspwn privilege escalation vulnerability (CVE-2022-29799 and CVE-2022-29800)
Sigma rule
title: Nimbuspwn Exploitation
id: 7ba05b43-adad-4c02-b5e9-c8c35cdf9fa8
status: test
description: Detects exploitation of Nimbuspwn privilege escalation vulnerability (CVE-2022-29799 and CVE-2022-29800)
references:
    - https://www.microsoft.com/security/blog/2022/04/26/microsoft-finds-new-elevation-of-privilege-linux-vulnerability-nimbuspwn/
    - https://github.com/Immersive-Labs-Sec/nimbuspwn
author: Bhabesh Raj
date: 2022/05/04
modified: 2023/01/23
tags:
    - attack.privilege_escalation
    - attack.t1068
logsource:
    product: linux
detection:
    keywords:
        '|all':
            - 'networkd-dispatcher'
            - 'Error handling notification for interface'
            - '../../'
    condition: keywords
falsepositives:
    - Unknown
level: high
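The rule's `|all` keyword condition, evaluated over log lines: an added example, not part of the Sigma rule or any Sigma backend. The log lines, hostnames, PIDs and paths are constructed, and the case-insensitive substring match is assumed from Sigma's default handling of plain string values.

```python
# Added example: the three keywords from the rule's detection section.
KEYWORDS = (
    "networkd-dispatcher",
    "Error handling notification for interface",
    "../../",
)


def matches_rule(event: str) -> bool:
    """True only when every keyword occurs in the same log event ('|all').

    Plain Sigma strings match as case-insensitive substrings, so both
    sides are lowercased before comparison.
    """
    lowered = event.lower()
    return all(keyword.lower() in lowered for keyword in KEYWORDS)


def scan(events):
    """Return (event_number, event) for each event that satisfies the rule."""
    return [(n, e) for n, e in enumerate(events, 1) if matches_rule(e)]


# Constructed sample events; one list item is one log event.
SAMPLE_LOG = [
    # All three keywords in one event: the rule fires.
    "May  4 10:15:01 host1 networkd-dispatcher[812]: ERROR:Error handling "
    "notification for interface 'eth0' entering operational state "
    "../../tmp/constructed-example",
    # Same daemon and error text, ordinary state name: no traversal string.
    "May  4 10:15:09 host1 networkd-dispatcher[812]: ERROR:Error handling "
    "notification for interface 'eth0' entering operational state routable",
    # Traversal string logged by an unrelated process.
    "May  4 10:16:30 host1 backupd[1440]: skipping path ../../var/constructed",
    # Daemon name present, but neither the error text nor the traversal.
    "May  4 10:17:02 host1 networkd-dispatcher[812]: WARNING:interface "
    "eth0 state changed",
]

if __name__ == "__main__":
    for number, event in scan(SAMPLE_LOG):
        print(f"ALERT event {number}: {event}")
```

Because the keywords must co-occur in a single event, feed the function whole log records: a collector that splits the daemon's message across records will not produce a match.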
Related rules
- Suspicious Sysmon as Execution Parent
- InstallerFileTakeOver LPE CVE-2021-41379 File Create Event
- OMIGOD HTTP No Authentication RCE
- Potential CVE-2021-41379 Exploitation Attempt
- Audit CVE Event