Linux Doas Conf File Creation
Detects the creation of doas.conf file in linux host platform.
Sigma rule (View on GitHub)
1title: Linux Doas Conf File Creation
2id: 00eee2a5-fdb0-4746-a21d-e43fbdea5681
3status: stable
4description: Detects the creation of doas.conf file in linux host platform.
5references:
6 - https://research.splunk.com/endpoint/linux_doas_conf_file_creation/
7 - https://www.makeuseof.com/how-to-install-and-use-doas/
8author: Sittikorn S, Teoderick Contreras
9date: 2022/01/20
10modified: 2022/12/31
11tags:
12 - attack.privilege_escalation
13 - attack.t1548
14logsource:
15 product: linux
16 category: file_event
17detection:
18 selection:
19 TargetFilename|endswith: '/etc/doas.conf'
20 condition: selection
21falsepositives:
22 - Unlikely
23level: medium
References
-
-
Want a better replacement for the default sudo command? You're in luck. Here's how to install and set up the doas utility on Linux.
Read More
Related rules
- Linux Capabilities Discovery
- Linux Doas Tool Execution
- ADCS Certificate Template Configuration Vulnerability
- ADCS Certificate Template Configuration Vulnerability with Risky EKU
- UAC Bypass With Fake DLL