CVE-2021-3156 Exploitation Attempt
Detects an exploitation attempt of the vulnerability described in CVE-2021-3156 (the heap-based buffer overflow in sudo). An alternative approach would be to look for flooding of auditd logs, since triggering the heap-based buffer overflow requires brute-forcing.
Sigma rule
title: CVE-2021-3156 Exploitation Attempt
id: 5ee37487-4eb8-4ac2-9be1-d7d14cdc559f
status: unsupported
description: |
    Detects exploitation attempt of vulnerability described in CVE-2021-3156.
    Alternative approach might be to look for flooding of auditd logs due to bruteforcing
    required to trigger the heap-based buffer overflow.
references:
    - https://blog.qualys.com/vulnerabilities-research/2021/01/26/cve-2021-3156-heap-based-buffer-overflow-in-sudo-baron-samedit
author: Bhabesh Raj
date: 2021/02/01
modified: 2023/03/24
tags:
    - attack.privilege_escalation
    - attack.t1068
    - cve.2021.3156
logsource:
    product: linux
    service: auditd
detection:
    cmd_base:
        type: 'EXECVE'
        a0: '/usr/bin/sudoedit'
    cmd_s:
        - a1: '-s'
        - a2: '-s'
        - a3: '-s'
        - a4: '-s'
    cmd_backslash:
        - a1: '\'
        - a2: '\'
        - a3: '\'
        - a4: '\'
    condition: all of cmd_* | count() by host > 50
falsepositives:
    - Unknown
level: high
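As an added example (not part of the Sigma project or of this rule), the following Python applies the rule's selection and its count-by-host aggregation to constructed auditd EXECVE records. The `host=` prefix on each line is an assumption standing in for the hostname a log forwarder or SIEM attaches, since raw auditd records carry none; the sample lines, hostnames and sequence numbers are constructed for the example.

```python
import re
from collections import Counter

THRESHOLD = 50  # mirrors the Sigma condition: count() by host > 50

# key=value pairs as auditd writes them: quoted values keep their content
# verbatim (auditd does not escape a backslash inside quotes), bare values
# run to the next whitespace.
FIELD_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')


def parse_record(line):
    """Split one auditd-style line into a dict of key/value fields."""
    fields = {}
    for key, quoted, bare in FIELD_RE.findall(line):
        fields[key] = bare if bare else quoted
    return fields


def matches_rule(rec):
    """Apply the Sigma selection: an EXECVE of /usr/bin/sudoedit where one of
    a1..a4 is '-s' (cmd_s) and one of a1..a4 is a lone backslash (cmd_backslash)."""
    if rec.get('type') != 'EXECVE' or rec.get('a0') != '/usr/bin/sudoedit':
        return False
    args = [rec.get(f'a{i}') for i in range(1, 5)]
    return '-s' in args and '\\' in args


def flag_hosts(lines, threshold=THRESHOLD):
    """Count matching records per host and return the hosts above the
    threshold, i.e. the rule's 'count() by host > 50' aggregation."""
    counts = Counter()
    for line in lines:
        rec = parse_record(line)
        if matches_rule(rec):
            counts[rec.get('host', 'unknown')] += 1
    return {host: n for host, n in counts.items() if n > threshold}


def make_line(host, seq, args):
    """Build a constructed auditd EXECVE line with the assumed host= prefix."""
    argv = ['/usr/bin/sudoedit'] + list(args)
    fields = ' '.join(f'a{i}="{a}"' for i, a in enumerate(argv))
    return (f'host={host} type=EXECVE msg=audit(1612166400.{seq:03d}:{seq}): '
            f'argc={len(argv)} {fields}')


# Constructed sample input: a burst of 60 sudoedit -s '\' invocations on one
# host (the repeated attempts the rule targets), 5 on another host that stay
# under the threshold, and 70 ordinary sudoedit calls that never match.
SAMPLE_LINES = (
    [make_line('build01', i, ['-s', '\\', 'AAAA']) for i in range(60)]
    + [make_line('web02', i, ['-s', '\\']) for i in range(5)]
    + [make_line('web02', 100 + i, ['/etc/hosts']) for i in range(70)]
)

if __name__ == '__main__':
    print(flag_hosts(SAMPLE_LINES))  # {'build01': 60}
```

The per-host counter is the piece a plain field-match rule cannot express: a single `sudoedit -s '\'` invocation is not by itself suspicious enough for a high-severity alert, but dozens from one host within a short window are. A production parser would also need to decode auditd's hex-encoded argument values (written without quotes when an argument contains characters auditd will not print verbatim) and to bound the counting window in time, neither of which this example does.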
Related rules
- CVE-2021-3156 Exploitation Attempt Bruteforcing
- OMIGOD SCX RunAsProvider ExecuteScript
- Windows Kernel and 3rd-Party Drivers Exploits Token Stealing
- Detection of Possible Rotten Potato
- Disabled Users Failing To Authenticate From Source Using Kerberos