In this blog post, I will introduce a Sigma detection rule, which detects privilege escalation preparation in Linux. If an adversary has a limited shell and wants to escalate privileges, different information needs to be collected over the machine. This information includes the distribution type, kernel version, environment variables, running root services, applications, cron jobs and further more. An excellent collection of commands can be found here:
Sigma Detection Rule
Sigma, as a generic signature description language, is used to develop this Security Use Case:
title: Privilege Escalation Preparation status: experimental description: Detects suspicious shell commands indicating the information gathering phase as preparation for the Privilege Escalation. references: - https://blog.g0tmi1k.com/2011/08/basic-linux-privilege-escalation/ - http://www.patrick-bareiss.com/detect-privilege-escalation-preparation-in-linux-with-sigma author: Patrick Bareiss date: 2019/04/02 logsource: product: linux detection: keywords: # distribution type and kernel version - 'cat /etc/issue' - 'cat /etc/*-release' - 'cat /proc/version' - 'uname -a' - 'uname -mrs' - 'rpm -q kernel' - 'dmesg | grep Linux' - 'ls /boot | grep vmlinuz-' # environment variables - 'cat /etc/profile' - 'cat /etc/bashrc' - 'cat ~/.bash_profile' - 'cat ~/.bashrc' - 'cat ~/.bash_logout' # applications and services as root - 'ps -aux | grep root' - 'ps -ef | grep root' # scheduled tasks - 'crontab -l' - 'cat /etc/cron*' - 'cat /etc/cron.allow' - 'cat /etc/cron.deny' - 'cat /etc/crontab' # search for plain text user/passwords - 'grep -i user *' - 'grep -i pass *' # networking - 'ifconfig' - 'cat /etc/network/interfaces' - 'cat /etc/sysconfig/network' - 'cat /etc/resolv.conf' - 'cat /etc/sysconfig/network' - 'cat /etc/networks' - 'iptables -L' - 'hostname' - 'lsof -i' - 'netstat -antup' - 'netstat -antpx' - 'netstat -tulpn' - 'arp -e' - 'route' # sensitive files - 'cat /etc/passwd' - 'cat /etc/group' - 'cat /etc/shadow' timeframe: 30m condition: keywords | count() by host > 6 falsepositives: - Troubleshooting on Linux Machines level: medium tags: - attack.privilege_escalation - attack.t1068
The idea of this Use Case is to detect multiple suspicious bash command in a limited time indicating the information gathering phase for the privilege escalation. Normally, this phase is automated or scripted but still the different performed commands can be monitored.
Use Case Testing with Splunk
The Use Case Testing is performed manually by running several suspicious commands in a short time. With the configuration from my previous blog article, all performed bash commands are sent to /var/log/messages, which is monitored using Splunk.
We can see that the Security Use Case was detecting the preparation for privilege escalation. Thank you for reading.