
Commit f3262d1

committed
[New Rule] Privilege Escalation via OverlayFS
1 parent 3813a08 commit f3262d1


2 files changed

+10
-8
lines changed


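--- a/rules/linux/discovery_kernel_module_enumeration.toml
+++ b/rules/linux/discovery_kernel_module_enumeration.toml
@@ -34,8 +34,10 @@ type = "eql"
 query = '''
 process where host.os.type == "linux" and event.type == "start" and
 ((process.name == "kmod" and process.args == "list") or (process.name == "modinfo" and process.parent.user.id != "0") or
-(process.name == "depmod" and process.args in ("--all", "-a") and process.parent.user.id != "0")
-or process.name == "lsmod") and not process.parent.name : ("vboxmanage", "virtualbox", "prime-offload", "vboxdrv.sh") and not
+(process.name == "depmod" and process.args in ("--all", "-a") and process.parent.user.id != "0") or
+process.name == "lsmod" and process.entry_leader.name not in (
+"crond", "docker-init", "qualys-scan-util", "jem", "cron", "nessus-service", "gitlab-runner", "sentinelone-agent")
+) and not process.parent.name : ("vboxmanage", "virtualbox", "prime-offload", "vboxdrv.sh") and not
 process.group_leader.name : "qualys-cloud-agent"
 '''
 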
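Review bot: The new `process.name == "lsmod" and process.entry_leader.name not in (...)` branch on new lines 38–39 is the only disjunct not wrapped in its own parentheses; it parses as intended only because `and` binds tighter than `or` in EQL, and with the closing `)` left alone on new line 40 the grouping is hard to read, so wrapping it as `or (process.name == "lsmod" and process.entry_leader.name not in (...))` would keep it parallel with the kmod/modinfo/depmod branches. Separately, whether an lsmod event that carries no `process.entry_leader.name` still matches depends on the indices this rule runs against and on how EQL evaluates `not in` on a missing field; if any configured source does not emit entry-leader fields, lsmod coverage there may silently change, which is worth confirming with a test event before merge. The exclusion also silences every lsmod started under session leaders such as `gitlab-runner` or `docker-init`, a deliberate trade-off that deserves a one-line explanation in the rule's note or false-positives section so later tuners know why those names are there.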
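--- a/rules/linux/discovery_linux_modprobe_enumeration.toml
+++ b/rules/linux/discovery_linux_modprobe_enumeration.toml
@@ -4,15 +4,15 @@ integration = ["auditd_manager"]
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2023/07/06"
+updated_date = "2023/07/28"
 
 [rule]
 author = ["Elastic"]
 description = """
-Detects file events involving kernel modules in modprobe configuration files, which may indicate unauthorized
-access or manipulation of critical kernel modules. Attackers may tamper with the modprobe files to load malicious or
-unauthorized kernel modules, potentially bypassing security measures, escalating privileges, or hiding their activities
-within the system.
+Detects file events involving kernel modules in modprobe configuration files, which may indicate unauthorized access or
+manipulation of critical kernel modules. Attackers may tamper with the modprobe files to load malicious or unauthorized
+kernel modules, potentially bypassing security measures, escalating privileges, or hiding their activities within the
+system.
 """
 from = "now-9m"
 index = ["auditbeat-*", "logs-auditd_manager.auditd-*"]
@@ -49,7 +49,7 @@ type = "eql"
 query = '''
 file where host.os.type == "linux" and event.action in ("opened-file", "read-file", "wrote-to-file") and
 file.path : ("/etc/modprobe.conf", "/etc/modprobe.d", "/etc/modprobe.d/*") and not
-(process.name in ("auditbeat", "kmod", "modprobe", "lsmod", "insmod", "modinfo", "rmmod") or process.title : ("*grep*") or process.parent.pid == 1)
+(process.name in ("auditbeat", "kmod", "modprobe", "lsmod", "insmod", "modinfo", "rmmod", "dpkg", "cp") or process.title : ("*grep*") or process.parent.pid == 1)
 '''
 
 [[rule.threat]]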
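Review bot: Adding `"cp"` to the process-name exclusion on new line 52 of the second hunk exempts `wrote-to-file` events as well as reads, and copying a file into `/etc/modprobe.d/` is a routine way a configuration lands there, so a tampered modprobe config placed with `cp` would no longer alert. If the noise comes from package post-install scripts, scoping the exemption by parent (for example `(process.name == "cp" and process.parent.name == "dpkg")`, provided the auditd data populates that field) or exempting `cp` only for the read actions keeps write coverage; the actual source of the false positives is not visible here, so the narrower form should follow whatever it turns out to be. A short note in the rule recording why `dpkg` and `cp` were added would let the next tuner reassess the trade-off instead of guessing. The reflow of `description` and the `updated_date` bump in the first hunk need no change.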
