CVE-2021-3156 Exploitation Attempt Bruteforcing
Detects exploitation attempts against the sudo heap-based buffer overflow described in CVE-2021-3156 (Baron Samedit). Triggering the overflow reliably takes many sudoedit invocations, so an alternative approach is to look for the flood of auditd SYSCALL records that this brute-forcing produces: the rule counts SYSCALL records with exe=/usr/bin/sudoedit per host and fires once a host exceeds 50. Two things to check before relying on it. First, auditd only emits these records if execve is audited (for example an audit rule such as `-a always,exit -F arch=b64 -S execve -k exec`); without such a rule the selection never matches. Second, the exe field holds the path of the binary the kernel actually executed, so on distributions where /usr/bin/sudoedit is a symlink to sudo it reads exe=/usr/bin/sudo and the selection as written misses; there, match on comm=sudoedit or on the argv of the accompanying EXECVE record instead. The rule carries status: unsupported because `count() by host` is the legacy Sigma aggregation syntax, which pySigma no longer converts, so the per-host threshold has to be applied in the SIEM or in a correlation rule.
Sigma rule
title: CVE-2021-3156 Exploitation Attempt Bruteforcing
id: b9748c98-9ea7-4fdb-80b6-29bed6ba71d2
related:
    - id: 5ee37487-4eb8-4ac2-9be1-d7d14cdc559f
      type: derived
status: unsupported
description: |
    Detects exploitation attempt of vulnerability described in CVE-2021-3156.
    Alternative approach might be to look for flooding of auditd logs due to the bruteforcing
    required to trigger the heap-based buffer overflow.
references:
    - https://blog.qualys.com/vulnerabilities-research/2021/01/26/cve-2021-3156-heap-based-buffer-overflow-in-sudo-baron-samedit
author: Bhabesh Raj
date: 2021/02/01
modified: 2023/03/24
tags:
    - attack.privilege_escalation
    - attack.t1068
    - cve.2021.3156
logsource:
    product: linux
    service: auditd
detection:
    selection:
        type: 'SYSCALL'
        exe: '/usr/bin/sudoedit'
    condition: selection | count() by host > 50
falsepositives:
    - Unknown
level: high
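The detection logic of the rule above run over constructed auditd records, as an added example that is not part of the SigmaHQ rule or the page. It parses auditd's key=value record format, applies the selection (type=SYSCALL and exe=/usr/bin/sudoedit), counts matches per host and reports hosts over the rule's threshold of 50. The host name is assumed to be attached by the log shipper, since auditd itself does not record it, so events are modelled as (host, raw record) pairs. The sample records, the host names and the helper names are all constructed for this example; the ubuntu01 host shows the symlink case where exe resolves to /usr/bin/sudo and only a comm-based variant of the selection (an assumption, not part of the rule) catches the burst.

```python
import re
from collections import Counter

# Threshold taken from the rule: condition: selection | count() by host > 50
THRESHOLD = 50

# auditd records are space-separated key=value pairs; values may be double-quoted.
AUDIT_KV = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')


def parse_audit_record(line):
    """Parse one auditd record into a dict, stripping quotes from quoted values."""
    fields = {}
    for key, value in AUDIT_KV.findall(line):
        if len(value) >= 2 and value[0] == '"' and value[-1] == '"':
            value = value[1:-1]
        fields[key] = value
    return fields


def matches_selection(fields):
    """The rule's selection as written: type=SYSCALL and exe=/usr/bin/sudoedit."""
    return fields.get("type") == "SYSCALL" and fields.get("exe") == "/usr/bin/sudoedit"


def matches_selection_by_comm(fields):
    """Assumed variant for hosts where sudoedit is a symlink to sudo: match on comm."""
    return fields.get("type") == "SYSCALL" and fields.get("comm") == "sudoedit"


def count_by_host(events, predicate=matches_selection):
    """Count matching records per host; events is an iterable of (host, raw_record)."""
    counts = Counter()
    for host, line in events:
        if predicate(parse_audit_record(line)):
            counts[host] += 1
    return counts


def alerting_hosts(events, threshold=THRESHOLD, predicate=matches_selection):
    """Hosts whose per-host count exceeds the threshold (the rule's `> 50`)."""
    return sorted(host for host, n in count_by_host(events, predicate).items() if n > threshold)


def syscall_record(serial, comm, exe):
    """Constructed auditd SYSCALL record; syscall 59 is execve on x86_64 (arch=c000003e)."""
    return (f'type=SYSCALL msg=audit(1612137600.{serial % 1000:03d}:{serial}): arch=c000003e '
            f'syscall=59 success=yes exit=0 ppid=1000 pid={2000 + serial} auid=1000 uid=1000 '
            f'tty=pts0 comm="{comm}" exe="{exe}" key="exec"')


# Constructed sample: three hosts plus one non-SYSCALL record.
SAMPLE_EVENTS = (
    # web01: 60 sudoedit executions in a row, the brute-force pattern the rule targets
    [("web01", syscall_record(i, "sudoedit", "/usr/bin/sudoedit")) for i in range(60)]
    # db01: a few legitimate sudoedit runs plus ordinary sudo use, stays under the threshold
    + [("db01", syscall_record(100 + i, "sudoedit", "/usr/bin/sudoedit")) for i in range(3)]
    + [("db01", syscall_record(200, "sudo", "/usr/bin/sudo"))]
    # ubuntu01: the same 60-execution burst, but sudoedit is a symlink so exe resolves to sudo
    + [("ubuntu01", syscall_record(300 + i, "sudoedit", "/usr/bin/sudo")) for i in range(60)]
    # a PATH record naming sudoedit is not a SYSCALL record and must not be counted
    + [("web01", 'type=PATH msg=audit(1612137600.999:999): item=0 name="/usr/bin/sudoedit" '
                 'inode=1234 mode=0104755')]
)


if __name__ == "__main__":
    print("rule as written  :", alerting_hosts(SAMPLE_EVENTS))
    print("comm-based variant:", alerting_hosts(SAMPLE_EVENTS, predicate=matches_selection_by_comm))
```

The rule as written flags only web01; the comm-based variant also flags ubuntu01, which is the case the exe match silently misses. Note that neither applies a time window, exactly like the Sigma condition, so a long-lived host with sporadic legitimate sudoedit use will eventually cross 50 unless the SIEM query scopes the count to a window.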
References
- https://blog.qualys.com/vulnerabilities-research/2021/01/26/cve-2021-3156-heap-based-buffer-overflow-in-sudo-baron-samedit
Related rules
- CVE-2021-3156 Exploitation Attempt
- OMIGOD SCX RunAsProvider ExecuteScript
- Windows Kernel and 3rd-Party Drivers Exploits Token Stealing
- Buffer Overflow Attempts
- Possible Coin Miner CPU Priority Param