Potential Unauthorized Access via Wildcard Injection Detected
editPotential Unauthorized Access via Wildcard Injection Detectededit
This rule monitors for the execution of the "chown" and "chmod" commands with command line flags that could indicate a wildcard injection attack. Linux wildcard injection is a type of security vulnerability where attackers manipulate commands or input containing wildcards (e.g., *, ?, []) to execute unintended operations or access sensitive data by tricking the system into interpreting the wildcard characters in unexpected ways.
Rule type: eql
Rule indices:
- logs-endpoint.events.*
- endgame-*
Severity: low
Risk score: 21
Runs every: 5m
Searches indices from: now-9m (Date Math format, see also Additional look-back time)
Maximum alerts per execution: 100
References:
Tags:
- Domain: Endpoint
- OS: Linux
- Use Case: Threat Detection
- Tactic: Privilege Escalation
- Tactic: Credential Access
- Data Source: Elastic Endgame
- Data Source: Elastic Defend
Version: 4
Rule authors:
- Elastic
Rule license: Elastic License v2
Rule queryedit
process where host.os.type == "linux" and event.action in ("exec", "exec_event") and event.type == "start" and
process.name in ("chown", "chmod") and process.args == "-R" and process.args : "--reference=*"
Framework: MITRE ATT&CKTM
-
Tactic:
- Name: Privilege Escalation
- ID: TA0004
- Reference URL: https://attack.mitre.org/tactics/TA0004/
-
Technique:
- Name: Exploitation for Privilege Escalation
- ID: T1068
- Reference URL: https://attack.mitre.org/techniques/T1068/
-
Tactic:
- Name: Credential Access
- ID: TA0006
- Reference URL: https://attack.mitre.org/tactics/TA0006/
-
Technique:
- Name: OS Credential Dumping
- ID: T1003
- Reference URL: https://attack.mitre.org/techniques/T1003/
-
Sub-technique:
- Name: /etc/passwd and /etc/shadow
- ID: T1003.008
- Reference URL: https://attack.mitre.org/techniques/T1003/008/