[New Rule] SUID/SGUID Enumeration Detected (#2956)

Aegrah · github-actions[bot] · commit 69d28e0461ff · 2023-08-03T08:00:22.000Z
* [New Rule] SUID/SGUID Enumeration Detected * Remove endgame compatibility * readded endgame support after troubleshooting * Update discovery_suid_sguid_enumeration.toml * Update rules/linux/discovery_suid_sguid_enumeration.toml Co-authored-by: Justin Ibarra <16747370+brokensound77@users.noreply.github.com> --------- Co-authored-by: Justin Ibarra <16747370+brokensound77@users.noreply.github.com> (cherry picked from commit 03110fb)
diff --git a/rules/linux/discovery_suid_sguid_enumeration.toml b/rules/linux/discovery_suid_sguid_enumeration.toml
@@ -0,0 +1,74 @@
+[metadata]
+creation_date = "2023/07/24"
+integration = ["endpoint"]
+maturity = "production"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2023/07/24"
+
+[rule]
+author = ["Elastic"]
+description = """
+This rule monitors for the usage of the "find" command in conjunction with SUID and SGUID permission arguments. SUID 
+(Set User ID) and SGID (Set Group ID) are special permissions in Linux that allow a program to execute with the 
+privileges of the file owner or group, respectively, rather than the privileges of the user running the program. In
+case an attacker is able to enumerate and find a binary that is misconfigured, they might be able to leverage this 
+misconfiguration to escalate privileges by exploiting vulnerabilities or built-in features in the privileged program.
+"""
+from = "now-9m"
+index = ["logs-endpoint.events.*"]
+language = "eql"
+license = "Elastic License v2"
+name = "SUID/SGUID Enumeration Detected"
+risk_score = 21
+rule_id = "5b06a27f-ad72-4499-91db-0c69667bffa5"
+severity = "low"
+tags = ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Discovery", "Tactic: Privilege Escalation"]
+timestamp_override = "event.ingested"
+type = "eql"
+query = '''
+process where host.os.type == "linux" and event.type == "start" and event.action == "exec" and 
+process.name == "find" and process.args : "-perm" and process.args : (
+  "/6000", "-6000", "/4000", "-4000", "/2000", "-2000", "/u=s", "-u=s", "/g=s", "-g=s", "/u=s,g=s", "/g=s,u=s"
+) and 
+not user.Ext.real.id == "0" and not group.Ext.real.id == "0"
+'''
+
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+
+[[rule.threat.technique]]
+id = "T1083"
+name = "File and Directory Discovery"
+reference = "https://attack.mitre.org/techniques/T1083/"
+
+[rule.threat.tactic]
+id = "TA0007"
+name = "Discovery"
+reference = "https://attack.mitre.org/tactics/TA0007/"
+
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+
+[[rule.threat.technique]]
+id = "T1548"
+name = "Abuse Elevation Control Mechanism"
+reference = "https://attack.mitre.org/techniques/T1548/"
+
+[[rule.threat.technique.subtechnique]]
+id = "T1548.001"
+name = "Setuid and Setgid"
+reference = "https://attack.mitre.org/techniques/T1548/001/"
+
+[rule.threat.tactic]
+id = "TA0004"
+name = "Privilege Escalation"
+reference = "https://attack.mitre.org/tactics/TA0004/"
+
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+
+[rule.threat.tactic]
+id = "TA0003"
+name = "Persistence"
+reference = "https://attack.mitre.org/tactics/TA0003/"
