IMPORTANT: No additional bug fixes or documentation updates will be released for this version. For the latest information, see the current release documentation.
« Potential Sudo Hijacking Detected Potential Privilege Escalation via Python cap_setuid »
Elastic Docs Elastic Security Solution [8.9] Downloadable rule update v8.9.9

Potential Sudo Token Manipulation via Process Injection

edit

Potential Sudo Token Manipulation via Process Injectionedit

This rule detects potential sudo token manipulation attacks through process injection by monitoring the use of a debugger (gdb) process followed by a successful uid change event during the execution of the sudo process. A sudo token manipulation attack is performed by injecting into a process that has a valid sudo token, which can then be used by attackers to activate their own sudo token. This attack requires ptrace to be enabled in conjunction with the existence of a living process that has a valid sudo token with the same uid as the current user.

Rule type: eql

Rule indices:

  • logs-endpoint.events.*

Severity: medium

Risk score: 47

Runs every: 5m

Searches indices from: now-9m (Date Math format, see also Additional look-back time)

Maximum alerts per execution: 100

References:

Tags:

  • Domain: Endpoint
  • OS: Linux
  • Use Case: Threat Detection
  • Tactic: Privilege Escalation
  • Data Source: Elastic Defend

Version: 4

Rule authors:

  • Elastic

Rule license: Elastic License v2

Rule queryedit

sequence by host.id, process.session_leader.entity_id with maxspan=15s
[ process where host.os.type == "linux" and event.action == "exec" and event.type == "start" and
  process.name == "gdb" and process.user.id != "0" and process.group.id != "0" ]
[ process where host.os.type == "linux" and event.action == "uid_change" and event.type == "change" and
  process.name == "sudo" and process.user.id == "0" and process.group.id == "0" ]

Framework: MITRE ATT&CKTM

« Potential Sudo Hijacking Detected Potential Privilege Escalation via Python cap_setuid »