IT Security Blog

Click the button below to start exploring my website
Start exploring

Detect Privilege Escalation Preparation in Linux with Sigma

In this blog post, I will introduce a Sigma detection rule, which detects privilege escalation preparation in Linux. If an adversary has a limited shell and wants to escalate privileges, different information needs to be collected over the machine. This information includes the distribution type, kernel version, environment variables, running root services, applications, cron jobs and further more. An excellent collection of commands can be found here:


Sigma Detection Rule

Sigma, as a generic signature description language, is used to develop this Security Use Case:

title: Privilege Escalation Preparation 
status: experimental
description: Detects suspicious shell commands indicating the information gathering phase as preparation for the Privilege Escalation.
    - https://blog.g0tmi1k.com/2011/08/basic-linux-privilege-escalation/
    - http://www.patrick-bareiss.com/detect-privilege-escalation-preparation-in-linux-with-sigma
author: Patrick Bareiss
date: 2019/04/02
    product: linux
        # distribution type and kernel version
        - 'cat /etc/issue'
        - 'cat /etc/*-release'
        - 'cat /proc/version'
        - 'uname -a'
        - 'uname -mrs'
        - 'rpm -q kernel'
        - 'dmesg | grep Linux'
        - 'ls /boot | grep vmlinuz-'
        # environment variables
        - 'cat /etc/profile'
        - 'cat /etc/bashrc'
        - 'cat ~/.bash_profile'
        - 'cat ~/.bashrc'
        - 'cat ~/.bash_logout'
        # applications and services as root
        - 'ps -aux | grep root'
        - 'ps -ef | grep root'
        # scheduled tasks
        - 'crontab -l'
        - 'cat /etc/cron*'
        - 'cat /etc/cron.allow'
        - 'cat /etc/cron.deny'
        - 'cat /etc/crontab'
        # search for plain text user/passwords
        - 'grep -i user *'
        - 'grep -i pass *'
        # networking
        - 'ifconfig'
        - 'cat /etc/network/interfaces'
        - 'cat /etc/sysconfig/network'
        - 'cat /etc/resolv.conf'
        - 'cat /etc/sysconfig/network'
        - 'cat /etc/networks'
        - 'iptables -L'
        - 'hostname'
        - 'lsof -i'
        - 'netstat -antup'
        - 'netstat -antpx'
        - 'netstat -tulpn'
        - 'arp -e'
        - 'route'
        # sensitive files
        - 'cat /etc/passwd'
        - 'cat /etc/group'
        - 'cat /etc/shadow'
    timeframe: 30m
    condition: keywords | count() by host > 6
    - Troubleshooting on Linux Machines
level: medium
    - attack.privilege_escalation
    - attack.t1068

The idea of this Use Case is to detect multiple suspicious bash command in a limited time indicating the information gathering phase for the privilege escalation. Normally, this phase is automated or scripted but still the different performed commands can be monitored.

Use Case Testing with Splunk

The Use Case Testing is performed manually by running several suspicious commands in a short time. With the configuration from my previous blog article, all performed bash commands are sent to /var/log/messages, which is monitored using Splunk.

We can see that the Security Use Case was detecting the preparation for privilege escalation. Thank you for reading.