Linux Doas Conf File Creation
Detects the creation of the doas.conf file on a Linux host.
Sigma rule
title: Linux Doas Conf File Creation
id: 00eee2a5-fdb0-4746-a21d-e43fbdea5681
status: stable
description: Detects the creation of doas.conf file in linux host platform.
references:
    - https://research.splunk.com/endpoint/linux_doas_conf_file_creation/
    - https://www.makeuseof.com/how-to-install-and-use-doas/
author: Sittikorn S, Teoderick Contreras
date: 2022-01-20
modified: 2022-12-31
tags:
    - attack.defense-evasion
    - attack.privilege-escalation
    - attack.t1548
logsource:
    product: linux
    category: file_event
detection:
    selection:
        TargetFilename|endswith: '/etc/doas.conf'
    condition: selection
falsepositives:
    - Unlikely
level: medium
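The selection above, evaluated in code as an added example (not part of the SigmaHQ rule or this page): a minimal matcher for the rule's `TargetFilename|endswith` selection run over constructed file_event records. The event field names follow the rule; the record shape and the sample paths are assumptions.

```python
# Added example, not code from the SigmaHQ rule: a minimal evaluator for this
# rule's `selection` over constructed file_event records. Field names are an
# assumption; the real shape depends on the log source and Sigma field mapping.

# The detection section of the rule above, as a Python structure.
DETECTION = {
    "selection": {"TargetFilename|endswith": "/etc/doas.conf"},
    "condition": "selection",
}

def _match_value(modifier, expected, actual):
    """Apply one Sigma value modifier; Sigma string matches are case-insensitive."""
    a, e = str(actual).lower(), str(expected).lower()
    if modifier == "":
        return a == e            # plain field: value  -> exact match
    if modifier == "endswith":
        return a.endswith(e)     # the modifier this rule uses
    if modifier == "contains":
        return e in a
    raise ValueError(f"unsupported modifier: {modifier}")

def selection_matches(selection, event):
    """Entries of a selection map are ANDed; a list value is ORed."""
    for key, expected in selection.items():
        field, _, modifier = key.partition("|")
        if field not in event:   # a missing field never matches
            return False
        values = expected if isinstance(expected, list) else [expected]
        if not any(_match_value(modifier, v, event[field]) for v in values):
            return False
    return True

def rule_matches(detection, event):
    # This rule's condition names one selection; boolean condition
    # expressions (and/or/not, "1 of ...") are out of scope here.
    return selection_matches(detection[detection["condition"].strip()], event)

# Constructed sample events, not real logs. The endswith match also covers a
# doas installed under /usr/local; an editor backup such as *.bak does not fire.
SAMPLE_EVENTS = [
    {"TargetFilename": "/etc/doas.conf", "Image": "/usr/bin/vi"},
    {"TargetFilename": "/usr/local/etc/doas.conf", "Image": "/usr/bin/install"},
    {"TargetFilename": "/etc/doas.conf.bak", "Image": "/usr/bin/cp"},
    {"TargetFilename": "/etc/sudoers", "Image": "/usr/sbin/visudo"},
]

def alerts(events=SAMPLE_EVENTS):
    """Return the TargetFilename of each event the rule fires on."""
    return [ev["TargetFilename"] for ev in events if rule_matches(DETECTION, ev)]
```

Note that the rule is a file_event rule: it sees the file being written, so a configuration that arrives by rename or by a package manager may surface under a different event category or path depending on the sensor.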