⚠️ WARNING: THIS IS AN EXPERIMENTAL DETECTION
We have not been able to test, simulate, or build datasets for it; use at your own risk!
This search detects attempts to trigger the heap-based buffer overflow in sudo (CVE-2021-3156, "Baron Samedit") through sudoedit.
- Type: TTP
- Product: Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud
- Last Updated: 2021-01-27
- Author: Shannon Davis, Splunk
- ID: 93fbec4e-0375-440c-8db3-4508eca470c4
| ID | Technique | Tactic |
| --- | --- | --- |
| T1068 | Exploitation for Privilege Escalation | Privilege Escalation |
`linux_hosts` | search "sudoedit -s \\" | `detect_baron_samedit_cve_2021_3156_filter`
Associated Analytic Story
How To Implement
Splunk Universal Forwarder running on Linux systems, capturing logs from the /var/log directory (sudo writes its log lines via syslog, typically to auth.log on Debian/Ubuntu or secure on RHEL/CentOS). The vulnerability is triggered when a non-privileged user runs sudoedit in shell mode (the -s or -i flag) and passes an argument that ends in a single unescaped backslash. The search looks for the literal text `sudoedit -s \` in the collected log lines (the backslash is doubled in SPL to escape it). Because this is a literal string match, an attempt that uses -i instead of -s, or a command line where the backslash does not immediately follow -s, will not match.
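As an added example (not Splunk's code and not part of this detection's content), the same logic run in Python over constructed sudo syslog lines: `literal_match` reproduces what the SPL term `search "sudoedit -s \\"` does (a plain substring match), and `is_baron_samedit_shape` is a looser structural check (sudoedit as argv[0], -s or -i present, some argument ending in an odd number of backslashes) that also catches the -i variant. The log lines, host names and user names are constructed for the example; the function and variable names are the author's own choices.

```python
"""Added example: replay the sudoedit (CVE-2021-3156) detection logic over
constructed sudo syslog lines. Not Splunk's code."""
import re

# Constructed sample lines in the format sudo emits via syslog to
# /var/log/auth.log or /var/log/secure. Made up for this example, not
# captured from a real exploit run. Python "\\" is one backslash.
SAMPLE_LOGS = [
    "Jan 27 10:15:01 web01 sudo:    alice : TTY=pts/0 ; PWD=/home/alice ; USER=root ; COMMAND=sudoedit -s \\",
    "Jan 27 10:15:07 web01 sudo:    alice : TTY=pts/0 ; PWD=/home/alice ; USER=root ; COMMAND=sudoedit -i \\",
    "Jan 27 10:16:00 web01 sudo:      bob : TTY=pts/1 ; PWD=/home/bob ; USER=root ; COMMAND=sudoedit -s /etc/hosts",
    "Jan 27 10:16:30 web01 sudo:      bob : TTY=pts/1 ; PWD=/home/bob ; USER=root ; COMMAND=/usr/bin/ls -la /tmp",
    "Jan 27 10:17:00 web01 sudo:    carol : TTY=pts/2 ; PWD=/tmp ; USER=root ; COMMAND=sudoedit -s notes\\\\",
]

COMMAND_RE = re.compile(r"COMMAND=(?P<cmd>.*)$")
USER_RE = re.compile(r"sudo:\s+(?P<user>\S+)\s+:")
TRAILING_BACKSLASHES = re.compile(r"\\+$")


def extract_command(line):
    """Return the COMMAND= field of a sudo log line, or None if absent."""
    m = COMMAND_RE.search(line)
    return m.group("cmd") if m else None


def literal_match(line):
    """What the SPL term search "sudoedit -s \\" does: a substring match on
    the literal text  sudoedit -s \  (backslash doubled in Python as in SPL)."""
    return "sudoedit -s \\" in line


def is_baron_samedit_shape(cmd):
    """Structural check: argv[0] is sudoedit, a shell-mode flag (-s or -i)
    is present among the leading options, and a later argument ends in an
    unescaped backslash (odd count of trailing backslashes)."""
    tokens = cmd.split()
    if not tokens or tokens[0].rsplit("/", 1)[-1] != "sudoedit":
        return False
    shell_mode = False
    i = 1
    while i < len(tokens) and tokens[i].startswith("-"):
        if tokens[i] == "--":      # end of options; everything after is an argument
            i += 1
            break
        if set("si") & set(tokens[i][1:]):   # -s, -i, or a cluster like -si
            shell_mode = True
        i += 1
    if not shell_mode:
        return False
    for arg in tokens[i:]:
        m = TRAILING_BACKSLASHES.search(arg)
        if m and len(m.group(0)) % 2 == 1:
            return True
    return False


def scan(lines):
    """Return (user, command) for every line the structural check flags."""
    hits = []
    for line in lines:
        cmd = extract_command(line)
        if cmd is None:
            continue
        if is_baron_samedit_shape(cmd):
            m = USER_RE.search(line)
            hits.append((m.group("user") if m else "?", cmd))
    return hits


if __name__ == "__main__":
    for line in SAMPLE_LOGS:
        cmd = extract_command(line)
        print(f"literal={literal_match(line)!s:5} structural={is_baron_samedit_shape(cmd)!s:5} {cmd}")
    print("hits:", scan(SAMPLE_LOGS))
```

The second sample line (the -i variant) is the one the literal SPL search misses and the structural check catches; the last line shows an escaped (even-count) trailing backslash, which neither check flags.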
Kill Chain Phase
Known False Positives
source | version: 1