← Library
splApache-2.0from splunk/security_content

Linux Auditd Doas Tool Execution

The following analytic detects the execution of the 'doas' tool on a Linux host. This tool allows standard users to perform tasks with root privileges, similar to 'sudo'. The detection leverages data from Linux Auditd, focusing on process names and command-line executions. This activity is significant as 'doas' can be exploited by adversaries to gain elevated privileges on a compromised host. If confirmed malicious, this could lead to unauthorized administrative access, potentially compromising the entire system.

Quality
67
FP risk
Forks
0
Views
0
Rule sourcedetections/endpoint/linux_auditd_doas_tool_execution.yml
`linux_auditd` type=SYSCALL comm=doas
  | rename host as dest
  | stats count min(_time) as firstTime max(_time) as lastTime
    BY comm exe syscall
       uid ppid pid
       success dest
  | `security_content_ctime(firstTime)`
  | `security_content_ctime(lastTime)`
  | `linux_auditd_doas_tool_execution_filter`