Potential Privilege Escalation via Linux DAC permissions

edit

Potential Privilege Escalation via Linux DAC permissions

edit

Identifies potential privilege escalation exploitation of DAC (Discretionary access control) file permissions. The rule identifies exploitation of DAC checks on sensitive file paths via suspicious processes whose capabilities include CAP_DAC_OVERRIDE (where a process can bypass all read write and execution checks) or CAP_DAC_READ_SEARCH (where a process can read any file or perform any executable permission on the directories).

Rule type: eql

Rule indices:

  • logs-endpoint.events.*

Severity: medium

Risk score: 47

Runs every: 5m

Searches indices from: now-9m (Date Math format, see also Additional look-back time)

Maximum alerts per execution: 100

References: None

Tags:

  • Domain: Endpoint
  • OS: Linux
  • Use Case: Threat Detection
  • Tactic: Privilege Escalation
  • Data Source: Elastic Defend

Version: 1

Rule authors:

  • Elastic

Rule license: Elastic License v2

Rule query

edit
process where host.os.type == "linux" and event.type == "start" and event.action == "exec" and
(process.thread.capabilities.permitted: "CAP_DAC_*" or process.thread.capabilities.effective: "CAP_DAC_*") and
process.command_line : ("*sudoers*", "*passwd*", "*shadow*", "*/root/*") and user.id != "0"

Framework: MITRE ATT&CKTM