Skip to content

[New Rule] Potential Privilege Escalation via OverlayFS #2974

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Merged
merged 12 commits into from
Jul 31, 2023
Merged

[New Rule] Potential Privilege Escalation via OverlayFS #2974

Changes from 4 commits
Commits
Show all changes
12 commits
Select commit Hold shift + click to select a range
f3262d1
[New Rule] Privilege Escalation via OverlayFS
Aegrah Jul 28, 2023
a6a5251
Layout change
Aegrah Jul 28, 2023
580f59d
Revert "[New Rule] Privilege Escalation via OverlayFS"
Aegrah Jul 28, 2023
b314d8b
Made rule broader
Aegrah Jul 28, 2023
1006634
Update privilege_escalation_overlayfs_local_privesc.toml
Aegrah Jul 28, 2023
651c2ab
Update rules/linux/privilege_escalation_overlayfs_local_privesc.toml
Aegrah Jul 28, 2023
d05c249
Update rules/linux/privilege_escalation_overlayfs_local_privesc.toml
Aegrah Jul 28, 2023
7ed8c53
Update rules/linux/privilege_escalation_overlayfs_local_privesc.toml
Aegrah Jul 28, 2023
6afc133
Update rules/linux/privilege_escalation_overlayfs_local_privesc.toml
Aegrah Jul 28, 2023
2d2c1d0
Update rules/linux/privilege_escalation_overlayfs_local_privesc.toml
Aegrah Jul 28, 2023
8210f51
Update user.id to strings
brokensound77 Jul 28, 2023
b71d220
Merge branch 'main' into new-rule-cve-2023-32629-and-2640
brokensound77 Jul 31, 2023
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
48 changes: 48 additions & 0 deletions rules/linux/privilege_escalation_overlayfs_local_privesc.toml
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,48 @@
[metadata]
creation_date = "2023/07/28"
integration = ["endpoint"]
maturity = "production"
min_stack_comments = "New fields added: required_fields, related_integrations, setup"
min_stack_version = "8.3.0"
updated_date = "2023/07/28"

[rule]
author = ["Elastic"]
description = """
Identifies an attempt to exploit a local privilege escalation (CVE-2023-2640 and CVE-2023-32629) via a flaw in Ubuntu's
modifications to OverlayFS. These flaws allow the creation of specialized executables, which, upon execution, grant the
ability to escalate privileges to root on the affected machine.
"""
from = "now-9m"
index = ["logs-endpoint.events.*"]
language = "eql"
license = "Elastic License v2"
name = "Potential Privilege Escalation via OverlayFS"
references = [
"https://www.wiz.io/blog/ubuntu-overlayfs-vulnerability",
"https://twitter.com/liadeliyahu/status/1684841527959273472"]
risk_score = 73
rule_id = "b51dbc92-84e2-4af1-ba47-65183fcd0c57"
severity = "high"
tags = ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Privilege Escalation", "Use Case: Vulnerability"]
type = "eql"
query = '''
sequence by process.parent.entity_id, host.id with maxspan=1s
[ process where host.os.type == "linux" and event.action == "exec" and event.type == "start" and
process.name == "unshare" and process.args : ("-r", "-rm", "m") and process.args : "*cap_setuid*" ]
[ process where host.os.type == "linux" and event.action == "uid_change" and event.type == "change" and
user.name == "root" ]
'''

[[rule.threat]]
framework = "MITRE ATT&CK"

[[rule.threat.technique]]
id = "T1068"
name = "Exploitation for Privilege Escalation"
reference = "https://attack.mitre.org/techniques/T1068/"

[rule.threat.tactic]
id = "TA0004"
name = "Privilege Escalation"
reference = "https://attack.mitre.org/tactics/TA0004/"