[New Rule] Potential Sudo Token Manipulation via Process Injection (#2984)

Aegrah · github-actions[bot] · commit ff8084155a0d · 2023-08-03T14:00:57.000Z
* [New Rule] Sudo Token Access via Process Injection * [New Rule] Sudo Token Manipulation via Proc Inject * Update rules/linux/privilege_escalation_sudo_token_via_process_injection.toml * Update privilege_escalation_sudo_token_via_process_injection.toml --------- Co-authored-by: Colson Wilhoit <48036388+DefSecSentinel@users.noreply.github.com> (cherry picked from commit 207d94e)
diff --git a/rules/linux/privilege_escalation_sudo_token_via_process_injection.toml b/rules/linux/privilege_escalation_sudo_token_via_process_injection.toml
@@ -0,0 +1,63 @@
+[metadata]
+creation_date = "2023/07/31"
+integration = ["endpoint"]
+maturity = "production"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2023/07/31"
+
+[rule]
+author = ["Elastic"]
+description = """
+This rule detects potential sudo token manipulation attacks through process injection by monitoring the use of a 
+debugger (gdb) process followed by a successful uid change event during the execution of the sudo process. A sudo token 
+manipulation attack is performed by injecting into a process that has a valid sudo token, which can then be used by
+attackers to activate their own sudo token. This attack requires ptrace to be enabled in conjunction with the existence 
+of a living process that has a valid sudo token with the same uid as the current user. 
+"""
+from = "now-9m"
+index = ["logs-endpoint.events.*"]
+language = "eql"
+license = "Elastic License v2"
+name = "Potential Sudo Token Manipulation via Process Injection"
+references = ["https://github.com/nongiach/sudo_inject"]
+risk_score = 47
+rule_id = "ff9bc8b9-f03b-4283-be58-ee0a16f5a11b"
+severity = "medium"
+tags = ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Privilege Escalation"]
+type = "eql"
+query = '''
+sequence by host.id, process.session_leader.entity_id with maxspan=15s
+[ process where host.os.type == "linux" and event.action == "exec" and event.type == "start" and 
+  process.name == "gdb" and process.user.id != "0" and process.group.id != "0" ]
+[ process where host.os.type == "linux" and event.action == "uid_change" and event.type == "change" and 
+  process.name == "sudo" and process.user.id == "0" and process.group.id == "0" ]
+'''
+
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+
+[[rule.threat.technique]]
+id = "T1055"
+name = "Process Injection"
+reference = "https://attack.mitre.org/techniques/T1055/"
+
+[[rule.threat.technique.subtechnique]]
+id = "T1055.008"
+name = "Ptrace System Calls"
+reference = "https://attack.mitre.org/techniques/T1055/008/"
+
+[[rule.threat.technique]]
+id = "T1548"
+name = "Abuse Elevation Control Mechanism"
+reference = "https://attack.mitre.org/techniques/T1548/"
+
+[[rule.threat.technique.subtechnique]]
+id = "T1548.003"
+name = "Sudo and Sudo Caching"
+reference = "https://attack.mitre.org/techniques/T1548/003/"
+
+[rule.threat.tactic]
+id = "TA0004"
+name = "Privilege Escalation"
+reference = "https://attack.mitre.org/tactics/TA0004/"
