Privilege Escalation Preparation

 1title: Privilege Escalation Preparation
 2id: 444ade84-c362-4260-b1f3-e45e20e1a905
 3status: unsupported
 4description: Detects suspicious shell commands indicating the information gathering phase as preparation for the Privilege Escalation.
 5references:
 6    - https://blog.g0tmi1k.com/2011/08/basic-linux-privilege-escalation/
 7    - https://patrick-bareiss.com/detect-privilege-escalation-preparation-in-linux-with-sigma/
 8    - https://github.com/uber-common/metta/blob/master/MITRE/Privilege_Escalation/privesc_linux_filesystemweakness.yml
 9author: Patrick Bareiss
10date: 2019/04/05
11modified: 2023/03/24
12tags:
13    - attack.execution
14    - attack.t1059.004
15logsource:
16    product: linux
17detection:
18    keywords:
19        # distribution type and kernel version
20        - 'cat /etc/issue'
21        - 'cat /etc/*-release'
22        - 'cat /proc/version'
23        - 'uname -a'
24        - 'uname -mrs'
25        - 'rpm -q kernel'
26        - 'dmesg | grep Linux'
27        - 'ls /boot | grep vmlinuz-'
28        # environment variables
29        - 'cat /etc/profile'
30        - 'cat /etc/bashrc'
31        - 'cat ~/.bash_profile'
32        - 'cat ~/.bashrc'
33        - 'cat ~/.bash_logout'
34        # applications and services as root
35        - 'ps -aux | grep root'
36        - 'ps -ef | grep root'
37        # scheduled tasks
38        - 'crontab -l'
39        - 'cat /etc/cron*'
40        - 'cat /etc/cron.allow'
41        - 'cat /etc/cron.deny'
42        - 'cat /etc/crontab'
43        # search for plain text user/passwords
44        - 'grep -i user *'
45        - 'grep -i pass *'
46        # networking
47        - 'ifconfig'
48        - 'cat /etc/network/interfaces'
49        - 'cat /etc/sysconfig/network'
50        - 'cat /etc/resolv.conf'
51        - 'cat /etc/networks'
52        - 'iptables -L'
53        - 'ip6tables -L'
54        - 'lsof -i'
55        - 'netstat -antup'
56        - 'netstat -antpx'
57        - 'netstat -tulpn'
58        - 'arp -e'
59        - 'route'
60        # sensitive files
61        - 'cat /etc/passwd'
62        - 'cat /etc/group'
63        - 'cat /etc/shadow'
64        # sticky bits
65        - 'find / -perm -u=s'
66        - 'find / -perm -g=s'
67        - 'find / -perm -4000'
68        - 'find / -perm -2000'
69        # world writable files
70        - 'find / -perm -o+w'
71    timeframe: 30m
72    condition: keywords | count() by host > 6
73falsepositives:
74    - Troubleshooting on Linux Machines
75level: medium

References

• Basic Linux Privilege Escalation - g0tmi1k

  Before starting, I would like to point out - I'm no expert. As far as I know, there isn't a

  
  Read More

• Detect Privilege Escalation Preparation in Linux with Sigma - Patrick Bareiss

  

  In this blog post, I will introduce a Sigma detection rule, which detects privilege escalation preparation in Linux. If an adversary has a limited shell and wants to escalate privileges, different information needs to be collected over the machine. This information includes the distribution type, kernel version, environment variables, running root services, applications, cron jobs […]

  
  Read More

• metta/MITRE/Privilege_Escalation/privesc_linux_filesystemweakness.yml at master · uber-common/metta

  

  An information security preparedness tool to do adversarial simulation. - uber-common/metta

  
  Read More

Related rules

• File Creation by Office Applications
• Invoke-Obfuscation CLIP+ Launcher
• Invoke-Obfuscation COMPRESS OBFUSCATION
• Invoke-Obfuscation RUNDLL LAUNCHER
• Invoke-Obfuscation STDIN+ Launcher