Linux Doas Tool Execution

Aug 12, 2024 · attack.privilege-escalation attack.t1548 ·

Detects the doas tool execution in linux host platform. This utility tool allow standard users to perform tasks as root, the same way sudo does.

Sigma rule (View on GitHub)

 1title: Linux Doas Tool Execution
 2id: 067d8238-7127-451c-a9ec-fa78045b618b
 3status: stable
 4description: Detects the doas tool execution in linux host platform. This utility tool allow standard users to perform tasks as root, the same way sudo does.
 5references:
 6    - https://research.splunk.com/endpoint/linux_doas_tool_execution/
 7    - https://www.makeuseof.com/how-to-install-and-use-doas/
 8author: Sittikorn S, Teoderick Contreras
 9date: 2022-01-20
10tags:
11    - attack.privilege-escalation
12    - attack.t1548
13logsource:
14    product: linux
15    category: process_creation
16detection:
17    selection:
18        Image|endswith: '/doas'
19    condition: selection
20falsepositives:
21    - Unlikely
22level: low

References

https://research.splunk.com/endpoint/linux_doas_tool_execution/

Read More
How to Install and Use doas: A Minimalistic Alternative to sudo

Want a better replacement for the default sudo command? You're in luck. Here's how to install and set up the doas utility on Linux.

Read More

Linux Doas Tool Execution

Sigma rule (View on GitHub)

References

https://research.splunk.com/endpoint/linux_doas_tool_execution/

How to Install and Use doas: A Minimalistic Alternative to sudo

Related rules