Skip to content

[New Rule] Potential Suspicious DebugFS Root Device Access #2982

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Merged
merged 5 commits into from
Aug 3, 2023
Merged

[New Rule] Potential Suspicious DebugFS Root Device Access #2982

Changes from all commits
Commits
Show all changes
5 commits
Select commit Hold shift + click to select a range
acbe2ed
[New Rule] Potential DebugFS Privilege Escalation
Aegrah Jul 31, 2023
6450556
Changed rule name
Aegrah Jul 31, 2023
5477762
Update rules/linux/privilege_escalation_sda_disk_mount_non_root.toml
Aegrah Aug 3, 2023
9a23913
Merge branch 'main' into new-rule-disk-mount-non-root
DefSecSentinel Aug 3, 2023
939faeb
Merge branch 'main' into new-rule-disk-mount-non-root
Aegrah Aug 3, 2023
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
51 changes: 51 additions & 0 deletions rules/linux/privilege_escalation_sda_disk_mount_non_root.toml
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,51 @@
[metadata]
creation_date = "2023/07/31"
integration = ["endpoint"]
maturity = "production"
min_stack_comments = "New fields added: required_fields, related_integrations, setup"
min_stack_version = "8.3.0"
updated_date = "2023/07/31"

[rule]
author = ["Elastic"]
description = """
This rule monitors for the usage of the built-in Linux DebugFS utility to access a disk device without root permissions.
Linux users that are part of the "disk" group have sufficient privileges to access all data inside of the machine through
DebugFS. Attackers may leverage DebugFS in conjunction with "disk" permissions to read sensitive files owned by root,
such as the shadow file, root ssh private keys or other sensitive files that may allow them to further escalate
privileges.
"""
from = "now-9m"
index = ["logs-endpoint.events.*", "endgame-*"]
language = "eql"
license = "Elastic License v2"
name = "Potential Suspicious DebugFS Root Device Access"
references = ["https://book.hacktricks.xyz/linux-hardening/privilege-escalation/interesting-groups-linux-pe#disk-group"]
risk_score = 21
rule_id = "2605aa59-29ac-4662-afad-8d86257c7c91"
severity = "low"
tags = ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Privilege Escalation", "Data Source: Elastic Endgame"]
timestamp_override = "event.ingested"
type = "eql"
query = '''
process where host.os.type == "linux" and event.action in ("exec", "exec_event") and event.type == "start" and
process.name == "debugfs" and process.args : "/dev/sd*" and not user.Ext.real.id == "0" and not group.Ext.real.id == "0"
'''

[[rule.threat]]
framework = "MITRE ATT&CK"

[[rule.threat.technique]]
id = "T1078"
name = "Valid Accounts"
reference = "https://attack.mitre.org/techniques/T1078/"

[[rule.threat.technique.subtechnique]]
id = "T1078.003"
name = "Local Accounts"
reference = "https://attack.mitre.org/techniques/T1078/003/"

[rule.threat.tactic]
id = "TA0004"
name = "Privilege Escalation"
reference = "https://attack.mitre.org/tactics/TA0004/"