kql · Elastic-2.0 · from elastic/detection-rules
Potential Privilege Escalation via Linux DAC permissions
Rule source: rules/linux/privilege_escalation_dac_permissions.toml
event.category:process and host.os.type:linux and event.type:start and event.action:exec and
(process.thread.capabilities.permitted:CAP_DAC_* or process.thread.capabilities.effective: CAP_DAC_*) and
process.command_line:(*/etc/sudoers* or */etc/passwd* or */etc/shadow* or */root/.ssh/* or /home/*/.ssh/*) and not (
user.id : "0" or
process.name : (
"tar" or "getent" or "su" or "stat" or "dirname" or "chown" or "sudo" or "dpkg-split" or "dpkg-deb" or "dpkg" or
"podman" or "awk" or "passwd" or "dpkg-maintscript-helper" or "mutt_dotlock" or "nscd" or "logger" or "gpasswd"
) or
process.executable : /usr/lib/*/lxc/rootfs/* or
process.parent.name : (
"dpkg" or "java" or *postinst or "dpkg-preconfigure" or "gnome-shell"
) or
process.parent.executable:(
"/opt/microsoft/mdatp/sbin/wdavdaemon" or "/usr/bin/podman" or "/bin/podman" or
/var/lib/awx/.local/share/containers/storage/overlay/* or ./merged/var/lib/awx/.local/share/containers/storage/overlay/* or
"/var/ossec/bin/wazuh-modulesd" or /home/*/.local/share/containers/storage/overlay/* or /snap/* or /dev/fd/* or /tmp/newroot/* or
"/usr/bin/google_guest_agent" or /var/lib/docker/overlay2/* or /var/lib/containers/* or "/usr/bin/gcc" or "/usr/bin/make" or "/usr/bin/ninja"
) or
process.parent.command_line:(*ansible* or "runc init")
)