Analytics Story: Linux Privilege Escalation

Description

Monitor for and investigate activities that may be associated with a Linux privilege-escalation attack, including unusual processes running on endpoints, schedule task, services, setuid, root execution and more.

Why it matters

Privilege escalation is a "land-and-expand" technique, wherein an adversary gains an initial foothold on a host and then exploits its weaknesses to increase his privileges. The motivation is simple: certain actions on a Linux machine--such as installing software--may require higher-level privileges than those the attacker initially acquired. By increasing his privilege level, the attacker can gain the control required to carry out his malicious ends. This Analytic Story provides searches to detect and investigate behaviors that attackers may use to elevate their privileges in your environment.

1| tstats `security_content_summariesonly` min(_time) as firstTime max(_time) as lastTime sum(All_Risk.calculated_risk_score) as risk_score, count(All_Risk.calculated_risk_score) as risk_event_count, values(All_Risk.annotations.mitre_attack.mitre_tactic_id) as annotations.mitre_attack.mitre_tactic_id, dc(All_Risk.annotations.mitre_attack.mitre_tactic_id) as mitre_tactic_id_count, values(All_Risk.annotations.mitre_attack.mitre_technique_id) as annotations.mitre_attack.mitre_technique_id, dc(All_Risk.annotations.mitre_attack.mitre_technique_id) as mitre_technique_id_count, values(All_Risk.tag) as tag, values(source) as source, dc(source) as source_count from datamodel=Risk.All_Risk where (All_Risk.analyticstories IN ("Linux Privilege Escalation", "Linux Persistence Techniques") OR source = "*Linux*") All_Risk.annotations.mitre_attack.mitre_tactic IN ("persistence", "privilege-escalation") All_Risk.risk_object_type="system" by All_Risk.risk_object All_Risk.risk_object_type All_Risk.annotations.mitre_attack.mitre_tactic | `drop_dm_object_name(All_Risk)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | where source_count >= 4 | `linux_persistence_and_privilege_escalation_risk_behavior_filter`

Detections

Name ▲▼ Technique ▲▼ Type ▲▼
Linux Add Files In Known Crontab Directories Cron, Scheduled Task/Job Anomaly
Linux Add User Account Local Account, Create Account Hunting
Linux Adding Crontab Using List Parameter Cron, Scheduled Task/Job Hunting
Linux apt-get Privilege Escalation Sudo and Sudo Caching, Abuse Elevation Control Mechanism Anomaly
Linux APT Privilege Escalation Sudo and Sudo Caching, Abuse Elevation Control Mechanism Anomaly
Linux At Allow Config File Creation Cron, Scheduled Task/Job Anomaly
Linux At Application Execution At, Scheduled Task/Job Anomaly
Linux Auditd Add User Account Local Account, Create Account Anomaly
Linux Auditd Add User Account Type Create Account, Local Account Anomaly
Linux Auditd At Application Execution At, Scheduled Task/Job Anomaly
Linux Auditd Auditd Service Stop Service Stop Anomaly
Linux Auditd Base64 Decode Files Deobfuscate/Decode Files or Information Anomaly
Linux Auditd Change File Owner To Root Linux and Mac File and Directory Permissions Modification, File and Directory Permissions Modification TTP
Linux Auditd Data Transfer Size Limits Via Split Data Transfer Size Limits Anomaly
Linux Auditd Data Transfer Size Limits Via Split Syscall Data Transfer Size Limits Anomaly
Linux Auditd Database File And Directory Discovery File and Directory Discovery Anomaly
Linux Auditd Disable Or Modify System Firewall Disable or Modify System Firewall, Impair Defenses Anomaly
Linux Auditd Doas Conf File Creation Sudo and Sudo Caching, Abuse Elevation Control Mechanism TTP
Linux Auditd Doas Tool Execution Sudo and Sudo Caching, Abuse Elevation Control Mechanism Anomaly
Linux Auditd Edit Cron Table Parameter Cron, Scheduled Task/Job TTP
Linux Auditd File And Directory Discovery File and Directory Discovery Anomaly
Linux Auditd File Permission Modification Via Chmod Linux and Mac File and Directory Permissions Modification, File and Directory Permissions Modification Anomaly
Linux Auditd File Permissions Modification Via Chattr Linux and Mac File and Directory Permissions Modification, File and Directory Permissions Modification TTP
Linux Auditd Find Credentials From Password Managers Password Managers, Credentials from Password Stores TTP
Linux Auditd Find Credentials From Password Stores Password Managers, Credentials from Password Stores TTP
Linux Auditd Find Private Keys Private Keys, Unsecured Credentials TTP
Linux Auditd Find Ssh Private Keys Private Keys, Unsecured Credentials Anomaly
Linux Auditd Hidden Files And Directories Creation File and Directory Discovery TTP
Linux Auditd Insert Kernel Module Using Insmod Utility Kernel Modules and Extensions, Boot or Logon Autostart Execution Anomaly
Linux Auditd Install Kernel Module Using Modprobe Utility Kernel Modules and Extensions, Boot or Logon Autostart Execution Anomaly
Linux Auditd Kernel Module Using Rmmod Utility Kernel Modules and Extensions, Boot or Logon Autostart Execution TTP
Linux Auditd Nopasswd Entry In Sudoers File Sudo and Sudo Caching, Abuse Elevation Control Mechanism Anomaly
Linux Auditd Osquery Service Stop Service Stop TTP
Linux Auditd Possible Access Or Modification Of Sshd Config File SSH Authorized Keys, Account Manipulation Anomaly
Linux Auditd Possible Access To Credential Files /etc/passwd and /etc/shadow, OS Credential Dumping Anomaly
Linux Auditd Possible Access To Sudoers File Sudo and Sudo Caching, Abuse Elevation Control Mechanism Anomaly
Linux Auditd Possible Append Cronjob Entry On Existing Cronjob File Cron, Scheduled Task/Job Hunting
Linux Auditd Preload Hijack Library Calls Dynamic Linker Hijacking, Hijack Execution Flow TTP
Linux Auditd Preload Hijack Via Preload File Dynamic Linker Hijacking, Hijack Execution Flow TTP
Linux Auditd Service Restarted Systemd Timers, Scheduled Task/Job Anomaly
Linux Auditd Service Started Service Execution, System Services TTP
Linux Auditd Setuid Using Chmod Utility Setuid and Setgid, Abuse Elevation Control Mechanism Anomaly
Linux Auditd Setuid Using Setcap Utility Setuid and Setgid, Abuse Elevation Control Mechanism TTP
Linux Auditd Shred Overwrite Command Data Destruction TTP
Linux Auditd Sudo Or Su Execution Sudo and Sudo Caching, Abuse Elevation Control Mechanism Anomaly
Linux Auditd Sysmon Service Stop Service Stop TTP
Linux Auditd System Network Configuration Discovery System Network Configuration Discovery Anomaly
Linux Auditd Unix Shell Configuration Modification Unix Shell Configuration Modification, Event Triggered Execution TTP
Linux Auditd Unload Module Via Modprobe Kernel Modules and Extensions, Boot or Logon Autostart Execution TTP
Linux Auditd Virtual Disk File And Directory Discovery File and Directory Discovery Anomaly
Linux Auditd Whoami User Discovery System Owner/User Discovery Anomaly
Linux AWK Privilege Escalation Sudo and Sudo Caching, Abuse Elevation Control Mechanism Anomaly
Linux Busybox Privilege Escalation Sudo and Sudo Caching, Abuse Elevation Control Mechanism Anomaly
Linux c89 Privilege Escalation Sudo and Sudo Caching, Abuse Elevation Control Mechanism Anomaly
Linux c99 Privilege Escalation Sudo and Sudo Caching, Abuse Elevation Control Mechanism Anomaly
Linux Change File Owner To Root Linux and Mac File and Directory Permissions Modification, File and Directory Permissions Modification Anomaly
Linux Common Process For Elevation Control Setuid and Setgid, Abuse Elevation Control Mechanism Hunting
Linux Composer Privilege Escalation Sudo and Sudo Caching, Abuse Elevation Control Mechanism Anomaly
Linux Cpulimit Privilege Escalation Sudo and Sudo Caching, Abuse Elevation Control Mechanism Anomaly
Linux Csvtool Privilege Escalation Sudo and Sudo Caching, Abuse Elevation Control Mechanism Anomaly
Linux Doas Conf File Creation Sudo and Sudo Caching, Abuse Elevation Control Mechanism Anomaly
Linux Doas Tool Execution Sudo and Sudo Caching, Abuse Elevation Control Mechanism Anomaly
Linux Docker Privilege Escalation Sudo and Sudo Caching, Abuse Elevation Control Mechanism Anomaly
Linux Edit Cron Table Parameter Cron, Scheduled Task/Job Hunting
Linux Emacs Privilege Escalation Sudo and Sudo Caching, Abuse Elevation Control Mechanism Anomaly
Linux File Created In Kernel Driver Directory Kernel Modules and Extensions, Boot or Logon Autostart Execution Anomaly
Linux File Creation In Init Boot Directory RC Scripts, Boot or Logon Initialization Scripts Anomaly
Linux File Creation In Profile Directory Unix Shell Configuration Modification, Event Triggered Execution Anomaly
Linux Find Privilege Escalation Sudo and Sudo Caching, Abuse Elevation Control Mechanism Anomaly
Linux GDB Privilege Escalation Sudo and Sudo Caching, Abuse Elevation Control Mechanism Anomaly
Linux Gem Privilege Escalation Sudo and Sudo Caching, Abuse Elevation Control Mechanism Anomaly
Linux GNU Awk Privilege Escalation Sudo and Sudo Caching, Abuse Elevation Control Mechanism Anomaly
Linux Insert Kernel Module Using Insmod Utility Kernel Modules and Extensions, Boot or Logon Autostart Execution Anomaly
Linux Install Kernel Module Using Modprobe Utility Kernel Modules and Extensions, Boot or Logon Autostart Execution Anomaly
Linux Make Privilege Escalation Sudo and Sudo Caching, Abuse Elevation Control Mechanism Anomaly
Linux MySQL Privilege Escalation Sudo and Sudo Caching, Abuse Elevation Control Mechanism Anomaly
Linux Node Privilege Escalation Sudo and Sudo Caching, Abuse Elevation Control Mechanism Anomaly
Linux NOPASSWD Entry In Sudoers File Sudo and Sudo Caching, Abuse Elevation Control Mechanism Anomaly
Linux Octave Privilege Escalation Sudo and Sudo Caching, Abuse Elevation Control Mechanism Anomaly
Linux OpenVPN Privilege Escalation Sudo and Sudo Caching, Abuse Elevation Control Mechanism Anomaly
Linux PHP Privilege Escalation Sudo and Sudo Caching, Abuse Elevation Control Mechanism Anomaly
Linux pkexec Privilege Escalation Exploitation for Privilege Escalation TTP
Linux Possible Access Or Modification Of sshd Config File SSH Authorized Keys, Account Manipulation Anomaly
Linux Possible Access To Credential Files /etc/passwd and /etc/shadow, OS Credential Dumping Anomaly
Linux Possible Access To Sudoers File Sudo and Sudo Caching, Abuse Elevation Control Mechanism Anomaly
Linux Possible Append Command To At Allow Config File At, Scheduled Task/Job Anomaly
Linux Possible Append Command To Profile Config File Unix Shell Configuration Modification, Event Triggered Execution Anomaly
Linux Possible Append Cronjob Entry on Existing Cronjob File Cron, Scheduled Task/Job Hunting
Linux Possible Cronjob Modification With Editor Cron, Scheduled Task/Job Hunting
Linux Possible Ssh Key File Creation SSH Authorized Keys, Account Manipulation Anomaly
Linux Preload Hijack Library Calls Dynamic Linker Hijacking, Hijack Execution Flow TTP
Linux Puppet Privilege Escalation Sudo and Sudo Caching, Abuse Elevation Control Mechanism Anomaly
Linux RPM Privilege Escalation Sudo and Sudo Caching, Abuse Elevation Control Mechanism Anomaly
Linux Ruby Privilege Escalation Sudo and Sudo Caching, Abuse Elevation Control Mechanism Anomaly
Linux Service File Created In Systemd Directory Systemd Timers, Scheduled Task/Job Anomaly
Linux Service Restarted Systemd Timers, Scheduled Task/Job Anomaly
Linux Service Started Or Enabled Systemd Timers, Scheduled Task/Job Anomaly
Linux Setuid Using Chmod Utility Setuid and Setgid, Abuse Elevation Control Mechanism Anomaly
Linux Setuid Using Setcap Utility Setuid and Setgid, Abuse Elevation Control Mechanism Anomaly
Linux Shred Overwrite Command Data Destruction TTP
Linux Sqlite3 Privilege Escalation Sudo and Sudo Caching, Abuse Elevation Control Mechanism Anomaly
Linux Sudo OR Su Execution Sudo and Sudo Caching, Abuse Elevation Control Mechanism Hunting
Linux Sudoers Tmp File Creation Sudo and Sudo Caching, Abuse Elevation Control Mechanism Anomaly
Linux Visudo Utility Execution Sudo and Sudo Caching, Abuse Elevation Control Mechanism Anomaly

Data Sources

Name ▲▼ Platform ▲▼ Sourcetype ▲▼ Source ▲▼
Linux Auditd Add User Linux icon Linux linux:audit /var/log/audit/audit.log
Linux Auditd Execve Linux icon Linux linux:audit /var/log/audit/audit.log
Linux Auditd Path Linux icon Linux linux:audit /var/log/audit/audit.log
Linux Auditd Proctitle Linux icon Linux linux:audit /var/log/audit/audit.log
Linux Auditd Service Stop Linux icon Linux linux:audit /var/log/audit/audit.log
Linux Auditd Syscall Linux icon Linux linux:audit /var/log/audit/audit.log
Sysmon for Linux EventID 1 Linux icon Linux sysmon:linux Syslog:Linux-Sysmon/Operational
Sysmon for Linux EventID 11 Linux icon Linux sysmon:linux Syslog:Linux-Sysmon/Operational

References


Source: GitHub | Version: 1