⚠️ WARNING: THIS IS AN EXPERIMENTAL DETECTION
We have not been able to test, simulate or build datasets for it; use at your own risk!
This search detects attempts to trigger the heap-based buffer overflow in sudoedit (CVE-2021-3156, "Baron Samedit").
- Type: TTP
- Product: Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud
- Last Updated: 2021-01-28
- Author: Shannon Davis, Splunk
- ID: 1de31d5d-8fa6-4ee0-af89-17069134118a
| ID | Technique | Tactic |
|---|---|---|
| T1068 | Exploitation for Privilege Escalation | Privilege Escalation |
`osquery_process` | search "columns.cmdline"="sudoedit -s \\*" | `detect_baron_samedit_cve_2021_3156_via_osquery_filter`
Associated Analytic Story
How To Implement
This detection requires osquery installed and configured to collect process events (see https://osquery.io), with those events ingested through the Splunk OSQuery Add-on (https://splunkbase.splunk.com/app/4402). The vulnerability is exposed when a non-privileged user passes a single \ character at the end of the command while using the shell and edit flags, which is the command-line shape the search above looks for in `columns.cmdline`.
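To see what the search actually matches, here is the same logic replayed in Python over a few osquery process-event lines. This is an added example, not code from the Splunk detection or the osquery add-on; the events are constructed, and it assumes osquery's default results-log shape (one JSON object per line, row fields under `columns`, which the add-on exposes as `columns.cmdline`).

```python
"""Replay the Splunk search above over osquery process-event JSON lines.
Added example, not part of the Splunk detection or the osquery add-on.
Sample events below are constructed; the log shape (one JSON object per
line, row fields under "columns") is osquery's default results log."""
import json

# Inside Splunk double quotes, "sudoedit -s \\*" is the literal prefix
# 'sudoedit -s \' plus a wildcard, matched case-insensitively.
SUSPICIOUS_PREFIX = "sudoedit -s \\"


def is_baron_samedit_cmdline(cmdline: str) -> bool:
    """True when cmdline matches the Splunk term "sudoedit -s \\*"."""
    return cmdline.lower().startswith(SUSPICIOUS_PREFIX)


def detect(log_text: str) -> list:
    """Return (host, uid, cmdline) for each matching process event.
    Non-JSON lines and rows without a cmdline are skipped, just as the
    Splunk search would not match them."""
    hits = []
    for line in log_text.splitlines():
        try:
            event = json.loads(line)
        except ValueError:
            continue
        columns = event.get("columns") or {}
        cmdline = columns.get("cmdline")
        if isinstance(cmdline, str) and is_baron_samedit_cmdline(cmdline):
            hits.append((event.get("hostIdentifier"), columns.get("uid"), cmdline))
    return hits


def _event(host, uid, cmdline):
    # Build one constructed osquery process_events result line.
    return json.dumps({"name": "process_events", "hostIdentifier": host,
                       "action": "added",
                       "columns": {"uid": uid, "cmdline": cmdline}})


SAMPLE_EVENTS = "\n".join([
    _event("web-01", "1000", "sudoedit -s \\"),           # trigger shape
    _event("web-01", "1000", "sudoedit /etc/hosts"),      # benign edit
    _event("db-02", "1000", "SUDOEDIT -s \\ /etc/motd"),  # case differs
    "not json at all",                                    # junk line
])

if __name__ == "__main__":
    for host, uid, cmd in detect(SAMPLE_EVENTS):
        print(f"{host} uid={uid} cmdline={cmd!r}")
```

Running it reports the two matching events and ignores the benign sudoedit call and the junk line; uid is included because the page's concern is a non-privileged caller.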
Kill Chain Phase
Known False Positives
source | version: 1