Description
Monitor for and investigate activities that may be associated with a Linux privilege-escalation attack, including unusual processes running on endpoints, scheduled tasks, services, setuid, root execution and more.
- Product: Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud
- Datamodel: Endpoint, Risk
- Last Updated: 2021-12-17
- Author: Teoderick Contreras, Splunk
- ID: b9879c24-670a-44c0-895e-98cdb7d0e848
Narrative
Privilege escalation is a “land-and-expand” technique, wherein an adversary gains an initial foothold on a host and then exploits its weaknesses to increase his privileges. The motivation is simple: certain actions on a Linux machine, such as installing software, may require higher-level privileges than those the attacker initially acquired. By increasing his privilege level, the attacker can gain the control required to carry out his malicious ends. This Analytic Story provides searches to detect and investigate behaviors that attackers may use to elevate their privileges in your environment.
Detections
| Name | Technique | Type |
|---|---|---|
| Linux APT Privilege Escalation | Sudo and Sudo Caching, Abuse Elevation Control Mechanism | Anomaly |
| Linux AWK Privilege Escalation | Sudo and Sudo Caching, Abuse Elevation Control Mechanism | Anomaly |
| Linux Add Files In Known Crontab Directories | Cron, Scheduled Task/Job | Anomaly |
| Linux Add User Account | Local Account, Create Account | Hunting |
| Linux Adding Crontab Using List Parameter | Cron, Scheduled Task/Job | Hunting |
| Linux At Allow Config File Creation | Cron, Scheduled Task/Job | Anomaly |
| Linux At Application Execution | At, Scheduled Task/Job | Anomaly |
| Linux Busybox Privilege Escalation | Sudo and Sudo Caching, Abuse Elevation Control Mechanism | Anomaly |
| Linux Change File Owner To Root | Linux and Mac File and Directory Permissions Modification, File and Directory Permissions Modification | Anomaly |
| Linux Common Process For Elevation Control | Setuid and Setgid, Abuse Elevation Control Mechanism | Hunting |
| Linux Composer Privilege Escalation | Sudo and Sudo Caching, Abuse Elevation Control Mechanism | Anomaly |
| Linux Cpulimit Privilege Escalation | Sudo and Sudo Caching, Abuse Elevation Control Mechanism | Anomaly |
| Linux Csvtool Privilege Escalation | Sudo and Sudo Caching, Abuse Elevation Control Mechanism | Anomaly |
| Linux Doas Conf File Creation | Sudo and Sudo Caching, Abuse Elevation Control Mechanism | Anomaly |
| Linux Doas Tool Execution | Sudo and Sudo Caching, Abuse Elevation Control Mechanism | Anomaly |
| Linux Docker Privilege Escalation | Sudo and Sudo Caching, Abuse Elevation Control Mechanism | Anomaly |
| Linux Edit Cron Table Parameter | Cron, Scheduled Task/Job | Hunting |
| Linux Emacs Privilege Escalation | Sudo and Sudo Caching, Abuse Elevation Control Mechanism | Anomaly |
| Linux File Created In Kernel Driver Directory | Kernel Modules and Extensions, Boot or Logon Autostart Execution | Anomaly |
| Linux File Creation In Init Boot Directory | RC Scripts, Boot or Logon Initialization Scripts | Anomaly |
| Linux File Creation In Profile Directory | Unix Shell Configuration Modification, Event Triggered Execution | Anomaly |
| Linux Find Privilege Escalation | Sudo and Sudo Caching, Abuse Elevation Control Mechanism | Anomaly |
| Linux GDB Privilege Escalation | Sudo and Sudo Caching, Abuse Elevation Control Mechanism | Anomaly |
| Linux GNU Awk Privilege Escalation | Sudo and Sudo Caching, Abuse Elevation Control Mechanism | Anomaly |
| Linux Gem Privilege Escalation | Sudo and Sudo Caching, Abuse Elevation Control Mechanism | Anomaly |
| Linux Insert Kernel Module Using Insmod Utility | Kernel Modules and Extensions, Boot or Logon Autostart Execution | Anomaly |
| Linux Install Kernel Module Using Modprobe Utility | Kernel Modules and Extensions, Boot or Logon Autostart Execution | Anomaly |
| Linux Make Privilege Escalation | Sudo and Sudo Caching, Abuse Elevation Control Mechanism | Anomaly |
| Linux MySQL Privilege Escalation | Sudo and Sudo Caching, Abuse Elevation Control Mechanism | Anomaly |
| Linux NOPASSWD Entry In Sudoers File | Sudo and Sudo Caching, Abuse Elevation Control Mechanism | Anomaly |
| Linux Node Privilege Escalation | Sudo and Sudo Caching, Abuse Elevation Control Mechanism | Anomaly |
| Linux Octave Privilege Escalation | Sudo and Sudo Caching, Abuse Elevation Control Mechanism | Anomaly |
| Linux OpenVPN Privilege Escalation | Sudo and Sudo Caching, Abuse Elevation Control Mechanism | Anomaly |
| Linux PHP Privilege Escalation | Sudo and Sudo Caching, Abuse Elevation Control Mechanism | Anomaly |
| Linux Persistence and Privilege Escalation Risk Behavior | Abuse Elevation Control Mechanism | Correlation |
| Linux Possible Access Or Modification Of sshd Config File | SSH Authorized Keys, Account Manipulation | Anomaly |
| Linux Possible Access To Credential Files | /etc/passwd and /etc/shadow, OS Credential Dumping | Anomaly |
| Linux Possible Access To Sudoers File | Sudo and Sudo Caching, Abuse Elevation Control Mechanism | Anomaly |
| Linux Possible Append Command To At Allow Config File | At, Scheduled Task/Job | Anomaly |
| Linux Possible Append Command To Profile Config File | Unix Shell Configuration Modification, Event Triggered Execution | Anomaly |
| Linux Possible Append Cronjob Entry on Existing Cronjob File | Cron, Scheduled Task/Job | Hunting |
| Linux Possible Cronjob Modification With Editor | Cron, Scheduled Task/Job | Hunting |
| Linux Possible Ssh Key File Creation | SSH Authorized Keys, Account Manipulation | Anomaly |
| Linux Preload Hijack Library Calls | Dynamic Linker Hijacking, Hijack Execution Flow | TTP |
| Linux Puppet Privilege Escalation | Sudo and Sudo Caching, Abuse Elevation Control Mechanism | Anomaly |
| Linux RPM Privilege Escalation | Sudo and Sudo Caching, Abuse Elevation Control Mechanism | Anomaly |
| Linux Ruby Privilege Escalation | Sudo and Sudo Caching, Abuse Elevation Control Mechanism | Anomaly |
| Linux Service File Created In Systemd Directory | Systemd Timers, Scheduled Task/Job | Anomaly |
| Linux Service Restarted | Systemd Timers, Scheduled Task/Job | Anomaly |
| Linux Service Started Or Enabled | Systemd Timers, Scheduled Task/Job | Anomaly |
| Linux Setuid Using Chmod Utility | Setuid and Setgid, Abuse Elevation Control Mechanism | Anomaly |
| Linux Setuid Using Setcap Utility | Setuid and Setgid, Abuse Elevation Control Mechanism | Anomaly |
| Linux Shred Overwrite Command | Data Destruction | TTP |
| Linux Sqlite3 Privilege Escalation | Sudo and Sudo Caching, Abuse Elevation Control Mechanism | Anomaly |
| Linux Sudo OR Su Execution | Sudo and Sudo Caching, Abuse Elevation Control Mechanism | Hunting |
| Linux Sudoers Tmp File Creation | Sudo and Sudo Caching, Abuse Elevation Control Mechanism | Anomaly |
| Linux Visudo Utility Execution | Sudo and Sudo Caching, Abuse Elevation Control Mechanism | Anomaly |
| Linux apt-get Privilege Escalation | Sudo and Sudo Caching, Abuse Elevation Control Mechanism | Anomaly |
| Linux c89 Privilege Escalation | Sudo and Sudo Caching, Abuse Elevation Control Mechanism | Anomaly |
| Linux c99 Privilege Escalation | Sudo and Sudo Caching, Abuse Elevation Control Mechanism | Anomaly |
| Linux pkexec Privilege Escalation | Exploitation for Privilege Escalation | TTP |
Reference
source | version: 1