From f3262d179bc5f54ae5380ffa50d67041fb141c26 Mon Sep 17 00:00:00 2001
From: Aegrah
Date: Fri, 28 Jul 2023 15:37:59 +0200
Subject: [PATCH 01/11] [New Rule] Privilege Escalation via OverlayFS

---
 rules/linux/discovery_kernel_module_enumeration.toml | 6 ++++--
 .../linux/discovery_linux_modprobe_enumeration.toml | 12 ++++++------
 2 files changed, 10 insertions(+), 8 deletions(-)

diff --git a/rules/linux/discovery_kernel_module_enumeration.toml b/rules/linux/discovery_kernel_module_enumeration.toml
index b80211b6484..4072f9db91f 100644
--- a/rules/linux/discovery_kernel_module_enumeration.toml
+++ b/rules/linux/discovery_kernel_module_enumeration.toml
@@ -34,8 +34,10 @@ type = "eql"
 query = '''
 process where host.os.type == "linux" and event.type == "start" and
 ((process.name == "kmod" and process.args == "list") or (process.name == "modinfo" and process.parent.user.id != "0") or
-(process.name == "depmod" and process.args in ("--all", "-a") and process.parent.user.id != "0")
-or process.name == "lsmod") and not process.parent.name : ("vboxmanage", "virtualbox", "prime-offload", "vboxdrv.sh") and not
+(process.name == "depmod" and process.args in ("--all", "-a") and process.parent.user.id != "0") or
+ process.name == "lsmod" and process.entry_leader.name not in (
+ "crond", "docker-init", "qualys-scan-util", "jem", "cron", "nessus-service", "gitlab-runner", "sentinelone-agent")
+ ) and not process.parent.name : ("vboxmanage", "virtualbox", "prime-offload", "vboxdrv.sh") and not
 process.group_leader.name : "qualys-cloud-agent"
 '''
 
diff --git a/rules/linux/discovery_linux_modprobe_enumeration.toml b/rules/linux/discovery_linux_modprobe_enumeration.toml
index 23615e26445..8b8fad65a7e 100644
--- a/rules/linux/discovery_linux_modprobe_enumeration.toml
+++ b/rules/linux/discovery_linux_modprobe_enumeration.toml
@@ -4,15 +4,15 @@ integration = ["auditd_manager"]
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2023/07/06"
+updated_date = "2023/07/28"
 
 [rule]
 author = ["Elastic"]
 description = """
-Detects file events involving kernel modules in modprobe configuration files, which may indicate unauthorized
-access or manipulation of critical kernel modules. Attackers may tamper with the modprobe files to load malicious or
-unauthorized kernel modules, potentially bypassing security measures, escalating privileges, or hiding their activities
-within the system.
+Detects file events involving kernel modules in modprobe configuration files, which may indicate unauthorized access or
+manipulation of critical kernel modules. Attackers may tamper with the modprobe files to load malicious or unauthorized
+kernel modules, potentially bypassing security measures, escalating privileges, or hiding their activities within the
+system.
 """
 from = "now-9m"
 index = ["auditbeat-*", "logs-auditd_manager.auditd-*"]
@@ -49,7 +49,7 @@ type = "eql"
 query = '''
 file where host.os.type == "linux" and event.action in ("opened-file", "read-file", "wrote-to-file") and
 file.path : ("/etc/modprobe.conf", "/etc/modprobe.d", "/etc/modprobe.d/*") and not
-(process.name in ("auditbeat", "kmod", "modprobe", "lsmod", "insmod", "modinfo", "rmmod") or process.title : ("*grep*") or process.parent.pid == 1)
+(process.name in ("auditbeat", "kmod", "modprobe", "lsmod", "insmod", "modinfo", "rmmod", "dpkg", "cp") or process.title : ("*grep*") or process.parent.pid == 1)
 '''
 
 [[rule.threat]]

From a6a5251d841fb84e7190553938fc83729f780a94 Mon Sep 17 00:00:00 2001
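Review bot: Adding `"cp"` to the `process.name` exclusion in the second hunk of this patch removes coverage for any modprobe configuration written into `/etc/modprobe.d` through a plain file copy, which is far broader than the package-manager noise the adjacent `"dpkg"` entry addresses; keeping `"rmmod", "dpkg")` and dropping `"cp"` preserves that coverage. PATCH 03/11 in this series reverts this commit verbatim, so the two patches cancel out and both could be dropped before merge to keep the history focused on the new OverlayFS rule. The same applies to the `process.entry_leader.name not in (...)` exclusion added to discovery_kernel_module_enumeration.toml in the first hunk, which is likewise reverted.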
From: Aegrah
Date: Fri, 28 Jul 2023 15:38:06 +0200
Subject: [PATCH 02/11] Layout change

---
 ...ge_escalation_overlayfs_local_privesc.toml | 50 +++++++++++++++++++
 1 file changed, 50 insertions(+)
 create mode 100644 rules/linux/privilege_escalation_overlayfs_local_privesc.toml

diff --git a/rules/linux/privilege_escalation_overlayfs_local_privesc.toml b/rules/linux/privilege_escalation_overlayfs_local_privesc.toml
new file mode 100644
index 00000000000..6718fb199ec
--- /dev/null
+++ b/rules/linux/privilege_escalation_overlayfs_local_privesc.toml
@@ -0,0 +1,50 @@
+[metadata]
+creation_date = "2023/07/28"
+integration = ["endpoint"]
+maturity = "production"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2023/07/28"
+
+[rule]
+author = ["Elastic"]
+description = """
+Identifies an attempt to exploit a local privilege escalation (CVE-2023-2640 and CVE-2023-32629) via a flaw in Ubuntu's
+modifications to OverlayFS. These flaws allow the creation of specialized executables, which, upon execution, grant the
+ability to escalate privileges to root on the affected machine.
+"""
+from = "now-9m"
+index = ["logs-endpoint.events.*"]
+language = "eql"
+license = "Elastic License v2"
+name = "Potential Privilege Escalation via OverlayFS"
+references = [
+ "https://www.wiz.io/blog/ubuntu-overlayfs-vulnerability",
+ "https://twitter.com/liadeliyahu/status/1684841527959273472"]
+risk_score = 73
+rule_id = "b51dbc92-84e2-4af1-ba47-65183fcd0c57"
+severity = "high"
+tags = ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Privilege Escalation", "Use Case: Vulnerability"]
+type = "eql"
+query = '''
+sequence by process.parent.entity_id, host.id with maxspan=1s
+[ process where host.os.type == "linux" and event.action == "exec" and event.type == "start" and
+ process.name == "unshare" and process.args : "*cap_setuid*" ]
+[ process where host.os.type == "linux" and event.action == "exec" and event.type == "start" and
+ process.name : "python*" and process.args : "*os.setuid(0)*" ]
+[ process where host.os.type == "linux" and event.action == "uid_change" and event.type == "change" and
+ process.name : "python*" and user.name == "root" ]
+'''
+
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+
+[[rule.threat.technique]]
+id = "T1068"
+name = "Exploitation for Privilege Escalation"
+reference = "https://attack.mitre.org/techniques/T1068/"
+
+[rule.threat.tactic]
+id = "TA0004"
+name = "Privilege Escalation"
+reference = 
"https://attack.mitre.org/tactics/TA0004/"

From 580f59ddd8f4fe6e173ef5acbf73ab7afce42204 Mon Sep 17 00:00:00 2001
From: Aegrah
Date: Fri, 28 Jul 2023 15:40:34 +0200
Subject: [PATCH 03/11] Revert "[New Rule] Privilege Escalation via OverlayFS"

This reverts commit f3262d179bc5f54ae5380ffa50d67041fb141c26.
---
 rules/linux/discovery_kernel_module_enumeration.toml | 6 ++----
 .../linux/discovery_linux_modprobe_enumeration.toml | 12 ++++++------
 2 files changed, 8 insertions(+), 10 deletions(-)

diff --git a/rules/linux/discovery_kernel_module_enumeration.toml b/rules/linux/discovery_kernel_module_enumeration.toml
index 4072f9db91f..b80211b6484 100644
--- a/rules/linux/discovery_kernel_module_enumeration.toml
+++ b/rules/linux/discovery_kernel_module_enumeration.toml
@@ -34,10 +34,8 @@ type = "eql"
 query = '''
 process where host.os.type == "linux" and event.type == "start" and
 ((process.name == "kmod" and process.args == "list") or (process.name == "modinfo" and process.parent.user.id != "0") or
-(process.name == "depmod" and process.args in ("--all", "-a") and process.parent.user.id != "0") or
- process.name == "lsmod" and process.entry_leader.name not in (
- "crond", "docker-init", "qualys-scan-util", "jem", "cron", "nessus-service", "gitlab-runner", "sentinelone-agent")
- ) and not process.parent.name : ("vboxmanage", "virtualbox", "prime-offload", "vboxdrv.sh") and not
+(process.name == "depmod" and process.args in ("--all", "-a") and process.parent.user.id != "0")
+or process.name == "lsmod") and not process.parent.name : ("vboxmanage", "virtualbox", "prime-offload", "vboxdrv.sh") and not
 process.group_leader.name : "qualys-cloud-agent"
 '''
 
diff --git a/rules/linux/discovery_linux_modprobe_enumeration.toml b/rules/linux/discovery_linux_modprobe_enumeration.toml
index 8b8fad65a7e..23615e26445 100644
--- a/rules/linux/discovery_linux_modprobe_enumeration.toml
+++ b/rules/linux/discovery_linux_modprobe_enumeration.toml
@@ -4,15 +4,15 @@ integration = ["auditd_manager"]
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2023/07/28"
+updated_date = "2023/07/06"
 
 [rule]
 author = ["Elastic"]
 description = """
-Detects file events involving kernel modules in modprobe configuration files, which may indicate unauthorized access or
-manipulation of critical kernel modules. Attackers may tamper with the modprobe files to load malicious or unauthorized
-kernel modules, potentially bypassing security measures, escalating privileges, or hiding their activities within the
-system.
+Detects file events involving kernel modules in modprobe configuration files, which may indicate unauthorized
+access or manipulation of critical kernel modules. Attackers may tamper with the modprobe files to load malicious or
+unauthorized kernel modules, potentially bypassing security measures, escalating privileges, or hiding their activities
+within the system.
 """
 from = "now-9m"
 index = ["auditbeat-*", "logs-auditd_manager.auditd-*"]
@@ -49,7 +49,7 @@ type = "eql"
 query = '''
 file where host.os.type == "linux" and event.action in ("opened-file", "read-file", "wrote-to-file") and
 file.path : ("/etc/modprobe.conf", "/etc/modprobe.d", "/etc/modprobe.d/*") and not
-(process.name in ("auditbeat", "kmod", "modprobe", "lsmod", "insmod", "modinfo", "rmmod", "dpkg", "cp") or process.title : ("*grep*") or process.parent.pid == 1)
+(process.name in ("auditbeat", "kmod", "modprobe", "lsmod", "insmod", "modinfo", "rmmod") or process.title : ("*grep*") or process.parent.pid == 1)
 '''
 
 [[rule.threat]]

From b314d8b8237fc92e4ee25b43c8d9a6cc1c1c565a Mon Sep 17 00:00:00 2001
From: Aegrah
Date: Fri, 28 Jul 2023 16:07:32 +0200
Subject: [PATCH 04/11] Made rule broader

---
 .../linux/privilege_escalation_overlayfs_local_privesc.toml | 6 ++----
 1 file changed, 2 insertions(+), 4 deletions(-)

diff --git a/rules/linux/privilege_escalation_overlayfs_local_privesc.toml b/rules/linux/privilege_escalation_overlayfs_local_privesc.toml
index 6718fb199ec..7037bb84b43 100644
--- a/rules/linux/privilege_escalation_overlayfs_local_privesc.toml
+++ b/rules/linux/privilege_escalation_overlayfs_local_privesc.toml
@@ -29,11 +29,9 @@ type = "eql"
 query = '''
 sequence by process.parent.entity_id, host.id with maxspan=1s
 [ process where host.os.type == "linux" and event.action == "exec" and event.type == "start" and
- process.name == "unshare" and process.args : "*cap_setuid*" ]
-[ process where host.os.type == "linux" and event.action == "exec" and event.type == "start" and
- process.name : "python*" and process.args : "*os.setuid(0)*" ]
+ process.name == "unshare" and process.args : ("-r", "-rm", "m") and process.args : "*cap_setuid*" ]
 [ process where host.os.type == "linux" and event.action == "uid_change" and event.type == "change" and
- process.name : "python*" and user.name == "root" ]
+ user.name == "root" ]
 '''
 
 [[rule.threat]]

From 1006634d5282132e1a8c141020c5d3a891a735fb Mon Sep 17 00:00:00 2001
From: Ruben Groenewoud <78494512+Aegrah@users.noreply.github.com>
Date: Fri, 28 Jul 2023 16:21:24 +0200
Subject: [PATCH 05/11] Update privilege_escalation_overlayfs_local_privesc.toml

---
 rules/linux/privilege_escalation_overlayfs_local_privesc.toml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/rules/linux/privilege_escalation_overlayfs_local_privesc.toml b/rules/linux/privilege_escalation_overlayfs_local_privesc.toml
index 7037bb84b43..3a457e8678f 100644
--- a/rules/linux/privilege_escalation_overlayfs_local_privesc.toml
+++ b/rules/linux/privilege_escalation_overlayfs_local_privesc.toml
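Review bot: The third value in `process.args : ("-r", "-rm", "m")` on the rewritten unshare line is a bare `m`, which only matches an argument that is literally `m`; if the mount-namespace flag is meant, as the neighbouring `-r`/`-rm` values suggest, the line should read `process.name == "unshare" and process.args : ("-r", "-rm", "-m") and process.args : "*cap_setuid*" ]`. The same list is carried unchanged through PATCH 05 to PATCH 11, so the final rule inherits it. Dropping the python-specific events leaves the uid_change event tied to the unshare only by `process.parent.entity_id` and `user.name == "root"`, which fits the stated goal of broadening the rule but is worth stating in the rule `description` so analysts know the second event can be any sibling process.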
@@ -27,7 +27,7 @@ severity = "high"
 tags = ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Privilege Escalation", "Use Case: Vulnerability"]
 type = "eql"
 query = '''
-sequence by process.parent.entity_id, host.id with maxspan=1s
+sequence by process.parent.entity_id, host.id with maxspan=5s
 [ process where host.os.type == "linux" and event.action == "exec" and event.type == "start" and
 process.name == "unshare" and process.args : ("-r", "-rm", "m") and process.args : "*cap_setuid*" ]
 [ process where host.os.type == "linux" and event.action == "uid_change" and event.type == "change" and

From 651c2ab5f630f78ab1874aaae66931710e286d10 Mon Sep 17 00:00:00 2001
From: Ruben Groenewoud <78494512+Aegrah@users.noreply.github.com>
Date: Fri, 28 Jul 2023 16:25:28 +0200
Subject: [PATCH 06/11] Update rules/linux/privilege_escalation_overlayfs_local_privesc.toml

Co-authored-by: Justin Ibarra <16747370+brokensound77@users.noreply.github.com>
---
 rules/linux/privilege_escalation_overlayfs_local_privesc.toml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/rules/linux/privilege_escalation_overlayfs_local_privesc.toml b/rules/linux/privilege_escalation_overlayfs_local_privesc.toml
index 3a457e8678f..80f4adc8868 100644
--- a/rules/linux/privilege_escalation_overlayfs_local_privesc.toml
+++ b/rules/linux/privilege_escalation_overlayfs_local_privesc.toml
@@ -30,7 +30,7 @@ query = '''
 sequence by process.parent.entity_id, host.id with maxspan=5s
 [ process where host.os.type == "linux" and event.action == "exec" and event.type == "start" and
 process.name == "unshare" and process.args : ("-r", "-rm", "m") and process.args : "*cap_setuid*" ]
-[ process where host.os.type == "linux" and event.action == "uid_change" and event.type == "change" and
+[ process where host.os.type == "linux" and event.action == "uid_change" and event.type == "change" and
 user.name == "root" ]
 '''
 

From d05c2493edec2a1ce7a1b5756e47d82cfd3968cc Mon Sep 17 00:00:00 2001
From: Ruben Groenewoud <78494512+Aegrah@users.noreply.github.com>
Date: Fri, 28 Jul 2023 16:25:35 +0200
Subject: [PATCH 07/11] Update rules/linux/privilege_escalation_overlayfs_local_privesc.toml

Co-authored-by: Justin Ibarra <16747370+brokensound77@users.noreply.github.com>
---
 rules/linux/privilege_escalation_overlayfs_local_privesc.toml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/rules/linux/privilege_escalation_overlayfs_local_privesc.toml b/rules/linux/privilege_escalation_overlayfs_local_privesc.toml
index 80f4adc8868..6f19e835293 100644
--- a/rules/linux/privilege_escalation_overlayfs_local_privesc.toml
+++ b/rules/linux/privilege_escalation_overlayfs_local_privesc.toml
@@ -31,7 +31,7 @@ sequence by process.parent.entity_id, host.id with maxspan=5s
 [ process where host.os.type == "linux" and event.action == "exec" and event.type == "start" and
 process.name == "unshare" and process.args : ("-r", "-rm", "m") and process.args : "*cap_setuid*" ]
 [ process where host.os.type == "linux" and event.action == "uid_change" and event.type == "change" and
- user.name == "root" ]
+ user.id == 0 ]
 '''
 
 [[rule.threat]]

From 7ed8c5315e7f916dab1d7dd21f97190b630f4fed Mon Sep 17 00:00:00 2001
From: Ruben Groenewoud <78494512+Aegrah@users.noreply.github.com>
Date: Fri, 28 Jul 2023 16:25:51 +0200
Subject: [PATCH 08/11] Update rules/linux/privilege_escalation_overlayfs_local_privesc.toml

Co-authored-by: Justin Ibarra <16747370+brokensound77@users.noreply.github.com>
---
 rules/linux/privilege_escalation_overlayfs_local_privesc.toml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/rules/linux/privilege_escalation_overlayfs_local_privesc.toml b/rules/linux/privilege_escalation_overlayfs_local_privesc.toml
index 6f19e835293..78c2edcb7ca 100644
--- a/rules/linux/privilege_escalation_overlayfs_local_privesc.toml
+++ b/rules/linux/privilege_escalation_overlayfs_local_privesc.toml
@@ -29,7 +29,7 @@ type = "eql"
 query = '''
 sequence by process.parent.entity_id, host.id with maxspan=5s
 [ process where host.os.type == "linux" and event.action == "exec" and event.type == "start" and
- process.name == "unshare" and process.args : ("-r", "-rm", "m") and process.args : "*cap_setuid*" ]
+ process.name == "unshare" and process.args : ("-r", "-rm", "m") and process.args : "*cap_setuid*" and user.id != 0]
 [ process where host.os.type == "linux" and event.action == "uid_change" and event.type == "change" and
 user.id == 0 ]
 '''

From 6afc13329a92e8eaebf97570abc6e3d14745e6d7 Mon Sep 17 00:00:00 2001
From: Ruben Groenewoud <78494512+Aegrah@users.noreply.github.com>
Date: Fri, 28 Jul 2023 16:28:19 +0200
Subject: [PATCH 09/11] Update rules/linux/privilege_escalation_overlayfs_local_privesc.toml

Co-authored-by: Justin Ibarra <16747370+brokensound77@users.noreply.github.com>
---
 .../privilege_escalation_overlayfs_local_privesc.toml | 8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)

diff --git a/rules/linux/privilege_escalation_overlayfs_local_privesc.toml b/rules/linux/privilege_escalation_overlayfs_local_privesc.toml
index 78c2edcb7ca..ce9aa1e991c 100644
--- a/rules/linux/privilege_escalation_overlayfs_local_privesc.toml
+++ b/rules/linux/privilege_escalation_overlayfs_local_privesc.toml
@@ -28,10 +28,10 @@ tags = ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic:
 type = "eql"
 query = '''
 sequence by process.parent.entity_id, host.id with maxspan=5s
-[ process where host.os.type == "linux" and event.action == "exec" and event.type == "start" and
- process.name == "unshare" and process.args : ("-r", "-rm", "m") and process.args : "*cap_setuid*" and user.id != 0]
-[ process where host.os.type == "linux" and event.action == "uid_change" and event.type == "change" and
- user.id == 0 ]
+ [process where host.os.type == "linux" and event.action == "exec" and event.type == "start" and
+ process.name == "unshare" and process.args : ("-r", "-rm", "m") and process.args : "*cap_setuid*" and user.id != 0]
+ [process where host.os.type == "linux" and event.action == "uid_change" and event.type == "change" and
+ user.id == 0 ]
 '''
 
 [[rule.threat]]

From 2d2c1d062397f225ba18036bd14279d115c00131 Mon Sep 17 00:00:00 2001
From: Ruben Groenewoud <78494512+Aegrah@users.noreply.github.com>
Date: Fri, 28 Jul 2023 16:29:53 +0200
Subject: [PATCH 10/11] Update rules/linux/privilege_escalation_overlayfs_local_privesc.toml

---
 rules/linux/privilege_escalation_overlayfs_local_privesc.toml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/rules/linux/privilege_escalation_overlayfs_local_privesc.toml b/rules/linux/privilege_escalation_overlayfs_local_privesc.toml
index ce9aa1e991c..554cd0586d4 100644
--- a/rules/linux/privilege_escalation_overlayfs_local_privesc.toml
+++ b/rules/linux/privilege_escalation_overlayfs_local_privesc.toml
@@ -31,7 +31,7 @@ sequence by process.parent.entity_id, host.id with maxspan=5s
 [process where host.os.type == "linux" and event.action == "exec" and event.type == "start" and
 process.name == "unshare" and process.args : ("-r", "-rm", "m") and process.args : "*cap_setuid*" and user.id != 0]
 [process where host.os.type == "linux" and event.action == "uid_change" and event.type == "change" and
- user.id == 0 ]
+ user.id == 0]
 '''
 
 [[rule.threat]]

From 8210f515e2dc56ebfb5bbc1afa3a37128af7af98 Mon Sep 17 00:00:00 2001
From: Justin Ibarra <16747370+brokensound77@users.noreply.github.com>
Date: Fri, 28 Jul 2023 08:41:39 -0600
Subject: [PATCH 11/11] Update user.id to strings

---
 rules/linux/privilege_escalation_overlayfs_local_privesc.toml | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/rules/linux/privilege_escalation_overlayfs_local_privesc.toml b/rules/linux/privilege_escalation_overlayfs_local_privesc.toml
index 554cd0586d4..aee04b9c95d 100644
--- a/rules/linux/privilege_escalation_overlayfs_local_privesc.toml
+++ b/rules/linux/privilege_escalation_overlayfs_local_privesc.toml
@@ -29,9 +29,9 @@ type = "eql"
 query = '''
 sequence by process.parent.entity_id, host.id with maxspan=5s
 [process where host.os.type == "linux" and event.action == "exec" and event.type == "start" and
- process.name == "unshare" and process.args : ("-r", "-rm", "m") and process.args : "*cap_setuid*" and user.id != 0]
+ process.name == "unshare" and process.args : ("-r", "-rm", "m") and process.args : "*cap_setuid*" and user.id != "0"]
 [process where host.os.type == "linux" and event.action == "uid_change" and event.type == "change" and
- user.id == 0]
+ user.id == "0"]
 '''
 
 [[rule.threat]]
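Review bot: The second event of the sequence still matches any process under the same `process.parent.entity_id` whose uid changes to `"0"` within 5 seconds, with no `process.name` or `process.args` constraint, so an interactive shell that runs a non-root `unshare -r ... cap_setuid ...` and then an ordinary `sudo` or `su` would satisfy the sequence. If that is acceptable for a high-severity rule, a `note` field describing this expected benign pattern would help triage; otherwise consider whether the uid_change event can be narrowed, for example by excluding well-known elevation utilities, after validating the change against test telemetry. The string comparisons `user.id != "0"` and `user.id == "0"` themselves are correct for a keyword field and consistent with the `process.parent.user.id != "0"` style used in the other Linux rules in this series.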