Linux Doas Tool Execution

Oct 23, 2025 · attack.defense-evasion attack.privilege-escalation attack.t1548 ·

Detects the doas tool execution in linux host platform. This utility tool allow standard users to perform tasks as root, the same way sudo does.

Sigma rule (View on GitHub)

 1title: Linux Doas Tool Execution
 2id: 067d8238-7127-451c-a9ec-fa78045b618b
 3status: stable
 4description: Detects the doas tool execution in linux host platform. This utility tool allow standard users to perform tasks as root, the same way sudo does.
 5references:
 6    - https://research.splunk.com/endpoint/linux_doas_tool_execution/
 7    - https://www.makeuseof.com/how-to-install-and-use-doas/
 8author: Sittikorn S, Teoderick Contreras
 9date: 2022-01-20
10tags:
11    - attack.defense-evasion
12    - attack.privilege-escalation
13    - attack.t1548
14logsource:
15    product: linux
16    category: process_creation
17detection:
18    selection:
19        Image|endswith: '/doas'
20    condition: selection
21falsepositives:
22    - Unlikely
23level: low

References

https://research.splunk.com/endpoint/linux_doas_tool_execution/

Read More
How to Install and Use doas: A Minimalistic Alternative to sudo

Want a better replacement for the default sudo command? You're in luck. Here's how to install and set up the doas utility on Linux.

Read More

Linux Doas Tool Execution

Sigma rule (View on GitHub)

References

https://research.splunk.com/endpoint/linux_doas_tool_execution/

How to Install and Use doas: A Minimalistic Alternative to sudo

Related rules