[New Rule] Potential Sudo Token Manipulation via Process Injection #2984
Conversation
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Aegrah
added
OS: Linux
Rule: New
Aegrah
commented
Jul 31, 2023
rules/linux/privilege_escalation_sudo_token_via_process_injection.toml
Outdated
Show resolved
Hide resolved
Aegrah
deleted the
privilege_escalation_sudo_token_via_process_injection
branch
protectionsmachine
pushed a commit
that referenced
this pull request
Aug 3, 2023
…2984) * [New Rule] Sudo Token Access via Process Injection * [New Rule] Sudo Token Manipulation via Proc Inject * Update rules/linux/privilege_escalation_sudo_token_via_process_injection.toml * Update privilege_escalation_sudo_token_via_process_injection.toml --------- Co-authored-by: Colson Wilhoit <[email protected]> (cherry picked from commit 207d94e)
protectionsmachine
pushed a commit
that referenced
this pull request
Aug 3, 2023
…2984) * [New Rule] Sudo Token Access via Process Injection * [New Rule] Sudo Token Manipulation via Proc Inject * Update rules/linux/privilege_escalation_sudo_token_via_process_injection.toml * Update privilege_escalation_sudo_token_via_process_injection.toml --------- Co-authored-by: Colson Wilhoit <[email protected]> (cherry picked from commit 207d94e)
protectionsmachine
pushed a commit
that referenced
this pull request
Aug 3, 2023
…2984) * [New Rule] Sudo Token Access via Process Injection * [New Rule] Sudo Token Manipulation via Proc Inject * Update rules/linux/privilege_escalation_sudo_token_via_process_injection.toml * Update privilege_escalation_sudo_token_via_process_injection.toml --------- Co-authored-by: Colson Wilhoit <[email protected]> (cherry picked from commit 207d94e)
protectionsmachine
pushed a commit
that referenced
this pull request
Aug 3, 2023
…2984) * [New Rule] Sudo Token Access via Process Injection * [New Rule] Sudo Token Manipulation via Proc Inject * Update rules/linux/privilege_escalation_sudo_token_via_process_injection.toml * Update privilege_escalation_sudo_token_via_process_injection.toml --------- Co-authored-by: Colson Wilhoit <[email protected]> (cherry picked from commit 207d94e)
protectionsmachine
pushed a commit
that referenced
this pull request
Aug 3, 2023
…2984) * [New Rule] Sudo Token Access via Process Injection * [New Rule] Sudo Token Manipulation via Proc Inject * Update rules/linux/privilege_escalation_sudo_token_via_process_injection.toml * Update privilege_escalation_sudo_token_via_process_injection.toml --------- Co-authored-by: Colson Wilhoit <[email protected]> (cherry picked from commit 207d94e)
protectionsmachine
pushed a commit
that referenced
this pull request
Aug 3, 2023
…2984) * [New Rule] Sudo Token Access via Process Injection * [New Rule] Sudo Token Manipulation via Proc Inject * Update rules/linux/privilege_escalation_sudo_token_via_process_injection.toml * Update privilege_escalation_sudo_token_via_process_injection.toml --------- Co-authored-by: Colson Wilhoit <[email protected]> (cherry picked from commit 207d94e)
protectionsmachine
pushed a commit
that referenced
this pull request
Aug 3, 2023
…2984) * [New Rule] Sudo Token Access via Process Injection * [New Rule] Sudo Token Manipulation via Proc Inject * Update rules/linux/privilege_escalation_sudo_token_via_process_injection.toml * Update privilege_escalation_sudo_token_via_process_injection.toml --------- Co-authored-by: Colson Wilhoit <[email protected]> (cherry picked from commit 207d94e)
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Summary
This rule detects potential sudo token manipulation attacks through process injection by monitoring the use of a debugger (gdb) process followed by a successful uid change event during the execution of the sudo process. A sudo token manipulation attack is performed by injecting into a process that has a valid sudo token, which can then be used by attackers to activate their own sudo token. This attack requires ptrace to be enabled in conjunction with the existence of a living process that has a valid sudo token with the same uid as the current user.
Detection
0 hits in RedSector for this behavior during the last 365 days.