Linux Privilege Escalation

Try in Splunk Security Cloud

Description

Monitor for and investigate activities that may be associated with a Linux privilege-escalation attack, including unusual processes running on endpoints, schedule task, services, setuid, root execution and more.

• Product: Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud
• Datamodel: Endpoint, Risk
• Last Updated: 2021-12-17
• Author: Teoderick Contreras, Splunk
• ID: b9879c24-670a-44c0-895e-98cdb7d0e848

Narrative

Privilege escalation is a “land-and-expand” technique, wherein an adversary gains an initial foothold on a host and then exploits its weaknesses to increase his privileges. The motivation is simple: certain actions on a Linux machine–such as installing software–may require higher-level privileges than those the attacker initially acquired. By increasing his privilege level, the attacker can gain the control required to carry out his malicious ends. This Analytic Story provides searches to detect and investigate behaviors that attackers may use to elevate their privileges in your environment.

Detections

Name	Technique	Type
Linux APT Privilege Escalation	Sudo and Sudo Caching, Abuse Elevation Control Mechanism	Anomaly
Linux AWK Privilege Escalation	Sudo and Sudo Caching, Abuse Elevation Control Mechanism	Anomaly
Linux Add Files In Known Crontab Directories	Cron, Scheduled Task/Job	Anomaly
Linux Add User Account	Local Account, Create Account	Hunting
Linux Adding Crontab Using List Parameter	Cron, Scheduled Task/Job	Hunting
Linux At Allow Config File Creation	Cron, Scheduled Task/Job	Anomaly
Linux At Application Execution	At, Scheduled Task/Job	Anomaly
Linux Busybox Privilege Escalation	Sudo and Sudo Caching, Abuse Elevation Control Mechanism	Anomaly
Linux Change File Owner To Root	Linux and Mac File and Directory Permissions Modification, File and Directory Permissions Modification	Anomaly
Linux Common Process For Elevation Control	Setuid and Setgid, Abuse Elevation Control Mechanism	Hunting
Linux Composer Privilege Escalation	Sudo and Sudo Caching, Abuse Elevation Control Mechanism	Anomaly
Linux Cpulimit Privilege Escalation	Sudo and Sudo Caching, Abuse Elevation Control Mechanism	Anomaly
Linux Csvtool Privilege Escalation	Sudo and Sudo Caching, Abuse Elevation Control Mechanism	Anomaly
Linux Doas Conf File Creation	Sudo and Sudo Caching, Abuse Elevation Control Mechanism	Anomaly
Linux Doas Tool Execution	Sudo and Sudo Caching, Abuse Elevation Control Mechanism	Anomaly
Linux Docker Privilege Escalation	Sudo and Sudo Caching, Abuse Elevation Control Mechanism	Anomaly
Linux Edit Cron Table Parameter	Cron, Scheduled Task/Job	Hunting
Linux Emacs Privilege Escalation	Sudo and Sudo Caching, Abuse Elevation Control Mechanism	Anomaly
Linux File Created In Kernel Driver Directory	Kernel Modules and Extensions, Boot or Logon Autostart Execution	Anomaly
Linux File Creation In Init Boot Directory	RC Scripts, Boot or Logon Initialization Scripts	Anomaly
Linux File Creation In Profile Directory	Unix Shell Configuration Modification, Event Triggered Execution	Anomaly
Linux Find Privilege Escalation	Sudo and Sudo Caching, Abuse Elevation Control Mechanism	Anomaly
Linux GDB Privilege Escalation	Sudo and Sudo Caching, Abuse Elevation Control Mechanism	Anomaly
Linux GNU Awk Privilege Escalation	Sudo and Sudo Caching, Abuse Elevation Control Mechanism	Anomaly
Linux Gem Privilege Escalation	Sudo and Sudo Caching, Abuse Elevation Control Mechanism	Anomaly
Linux Insert Kernel Module Using Insmod Utility	Kernel Modules and Extensions, Boot or Logon Autostart Execution	Anomaly
Linux Install Kernel Module Using Modprobe Utility	Kernel Modules and Extensions, Boot or Logon Autostart Execution	Anomaly
Linux Make Privilege Escalation	Sudo and Sudo Caching, Abuse Elevation Control Mechanism	Anomaly
Linux MySQL Privilege Escalation	Sudo and Sudo Caching, Abuse Elevation Control Mechanism	Anomaly
Linux NOPASSWD Entry In Sudoers File	Sudo and Sudo Caching, Abuse Elevation Control Mechanism	Anomaly
Linux Node Privilege Escalation	Sudo and Sudo Caching, Abuse Elevation Control Mechanism	Anomaly
Linux Octave Privilege Escalation	Sudo and Sudo Caching, Abuse Elevation Control Mechanism	Anomaly
Linux OpenVPN Privilege Escalation	Sudo and Sudo Caching, Abuse Elevation Control Mechanism	Anomaly
Linux PHP Privilege Escalation	Sudo and Sudo Caching, Abuse Elevation Control Mechanism	Anomaly
Linux Persistence and Privilege Escalation Risk Behavior	Abuse Elevation Control Mechanism	Correlation
Linux Possible Access Or Modification Of sshd Config File	SSH Authorized Keys, Account Manipulation	Anomaly
Linux Possible Access To Credential Files	/etc/passwd and /etc/shadow, OS Credential Dumping	Anomaly
Linux Possible Access To Sudoers File	Sudo and Sudo Caching, Abuse Elevation Control Mechanism	Anomaly
Linux Possible Append Command To At Allow Config File	At, Scheduled Task/Job	Anomaly
Linux Possible Append Command To Profile Config File	Unix Shell Configuration Modification, Event Triggered Execution	Anomaly
Linux Possible Append Cronjob Entry on Existing Cronjob File	Cron, Scheduled Task/Job	Hunting
Linux Possible Cronjob Modification With Editor	Cron, Scheduled Task/Job	Hunting
Linux Possible Ssh Key File Creation	SSH Authorized Keys, Account Manipulation	Anomaly
Linux Preload Hijack Library Calls	Dynamic Linker Hijacking, Hijack Execution Flow	TTP
Linux Puppet Privilege Escalation	Sudo and Sudo Caching, Abuse Elevation Control Mechanism	Anomaly
Linux RPM Privilege Escalation	Sudo and Sudo Caching, Abuse Elevation Control Mechanism	Anomaly
Linux Ruby Privilege Escalation	Sudo and Sudo Caching, Abuse Elevation Control Mechanism	Anomaly
Linux Service File Created In Systemd Directory	Systemd Timers, Scheduled Task/Job	Anomaly
Linux Service Restarted	Systemd Timers, Scheduled Task/Job	Anomaly
Linux Service Started Or Enabled	Systemd Timers, Scheduled Task/Job	Anomaly
Linux Setuid Using Chmod Utility	Setuid and Setgid, Abuse Elevation Control Mechanism	Anomaly
Linux Setuid Using Setcap Utility	Setuid and Setgid, Abuse Elevation Control Mechanism	Anomaly
Linux Shred Overwrite Command	Data Destruction	TTP
Linux Sqlite3 Privilege Escalation	Sudo and Sudo Caching, Abuse Elevation Control Mechanism	Anomaly
Linux Sudo OR Su Execution	Sudo and Sudo Caching, Abuse Elevation Control Mechanism	Hunting
Linux Sudoers Tmp File Creation	Sudo and Sudo Caching, Abuse Elevation Control Mechanism	Anomaly
Linux Visudo Utility Execution	Sudo and Sudo Caching, Abuse Elevation Control Mechanism	Anomaly
Linux apt-get Privilege Escalation	Sudo and Sudo Caching, Abuse Elevation Control Mechanism	Anomaly
Linux c89 Privilege Escalation	Sudo and Sudo Caching, Abuse Elevation Control Mechanism	Anomaly
Linux c99 Privilege Escalation	Sudo and Sudo Caching, Abuse Elevation Control Mechanism	Anomaly
Linux pkexec Privilege Escalation	Exploitation for Privilege Escalation	TTP

Reference

• https://attack.mitre.org/tactics/TA0004/

source | version: 1