[New Rule] Potential Privilege Escalation via OverlayFS

rules/linux/privilege_escalation_overlayfs_local_privesc.toml

@@ -0,0 +1,48 @@
+[metadata]
+creation_date = "2023/07/28"
+integration = ["endpoint"]
+maturity = "production"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2023/07/28"
+
+[rule]
+author = ["Elastic"]
+description = """
+Identifies an attempt to exploit a local privilege escalation (CVE-2023-2640 and CVE-2023-32629) via a flaw in Ubuntu's
+modifications to OverlayFS. These flaws allow the creation of specialized executables, which, upon execution, grant the
+ability to escalate privileges to root on the affected machine. 
+"""
+from = "now-9m"
+index = ["logs-endpoint.events.*"]
+language = "eql"
+license = "Elastic License v2"
+name = "Potential Privilege Escalation via OverlayFS"
+references = [
+    "https://www.wiz.io/blog/ubuntu-overlayfs-vulnerability",
+    "https://twitter.com/liadeliyahu/status/1684841527959273472"]
+risk_score = 73
+rule_id = "b51dbc92-84e2-4af1-ba47-65183fcd0c57"
+severity = "high"
+tags = ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Privilege Escalation", "Use Case: Vulnerability"]
+type = "eql"
+query = '''
+sequence by process.parent.entity_id, host.id with maxspan=5s
+  [process where host.os.type == "linux" and event.action == "exec" and event.type == "start" and 
+    process.name == "unshare" and process.args : ("-r", "-rm", "m") and process.args : "*cap_setuid*"  and user.id != "0"]
+  [process where host.os.type == "linux" and event.action == "uid_change" and event.type == "change" and 
+    user.id == "0"]
+'''
+
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+
+[[rule.threat.technique]]
+id = "T1068"
+name = "Exploitation for Privilege Escalation"
+reference = "https://attack.mitre.org/techniques/T1068/"
+
+[rule.threat.tactic]
+id = "TA0004"
+name = "Privilege Escalation"
+reference = "https://attack.mitre.org/tactics/TA0004/"