Linux Doas Conf File Creation

Aug 12, 2024 · attack.privilege-escalation attack.t1548 ·

Detects the creation of doas.conf file in linux host platform.

Sigma rule (View on GitHub)

 1title: Linux Doas Conf File Creation
 2id: 00eee2a5-fdb0-4746-a21d-e43fbdea5681
 3status: stable
 4description: Detects the creation of doas.conf file in linux host platform.
 5references:
 6    - https://research.splunk.com/endpoint/linux_doas_conf_file_creation/
 7    - https://www.makeuseof.com/how-to-install-and-use-doas/
 8author: Sittikorn S, Teoderick Contreras
 9date: 2022-01-20
10modified: 2022-12-31
11tags:
12    - attack.privilege-escalation
13    - attack.t1548
14logsource:
15    product: linux
16    category: file_event
17detection:
18    selection:
19        TargetFilename|endswith: '/etc/doas.conf'
20    condition: selection
21falsepositives:
22    - Unlikely
23level: medium

References

https://research.splunk.com/endpoint/linux_doas_conf_file_creation/

Read More
How to Install and Use doas: A Minimalistic Alternative to sudo

Want a better replacement for the default sudo command? You're in luck. Here's how to install and set up the doas utility on Linux.

Read More

Linux Doas Conf File Creation

Sigma rule (View on GitHub)

References

https://research.splunk.com/endpoint/linux_doas_conf_file_creation/

How to Install and Use doas: A Minimalistic Alternative to sudo

Related rules