Linux Doas Tool Execution
Detects the doas tool execution in linux host platform. This utility tool allow standard users to perform tasks as root, the same way sudo does.
Sigma rule (View on GitHub)
1title: Linux Doas Tool Execution
2id: 067d8238-7127-451c-a9ec-fa78045b618b
3status: stable
4description: Detects the doas tool execution in linux host platform. This utility tool allow standard users to perform tasks as root, the same way sudo does.
5references:
6 - https://research.splunk.com/endpoint/linux_doas_tool_execution/
7 - https://www.makeuseof.com/how-to-install-and-use-doas/
8author: Sittikorn S, Teoderick Contreras
9date: 2022/01/20
10tags:
11 - attack.privilege_escalation
12 - attack.t1548
13logsource:
14 product: linux
15 category: process_creation
16detection:
17 selection:
18 Image|endswith: '/doas'
19 condition: selection
20falsepositives:
21 - Unlikely
22level: low
References
-
-
Want a better replacement for the default sudo command? You're in luck. Here's how to install and set up the doas utility on Linux.
Read More