This artifact lists processes running as root that were spawns by processes that are not running as root. This kind of behavior is normal for things like sudo or su but for other processes (especially /bin/bash) it could represent a process launched via CVE-2021-4034.
The artifact looks for running processes with this property as well as search the auth log files for evidence of past execution of this exploit.
name: Linux.Detection.CVE20214034
description: |
This artifact lists processes running as root that were spawns by processes that are not
running as root. This kind of behavior is normal for things like sudo or su but for other
processes (especially /bin/bash) it could represent a process launched via CVE-2021-4034.
The artifact looks for running processes with this property as well as search the auth
log files for evidence of past execution of this exploit.
type: CLIENT
parameters:
- name: AcceptableParentExeRegex
description: A list of acceptable parent processes that are OK (unset to see all parents)
type: regex
default: ^(/usr/bin/sudo)
- name: AuthLogsGlob
default: /var/log/auth.log*
precondition:
SELECT OS From info() where OS = 'linux'
sources:
- query: |
SELECT Pid, Ppid, Cmdline, Exe, Uids, Username, {
SELECT Pid, Cmdline, Exe, Uids, Username
FROM pslist(pid=Ppid)
} AS Parent
FROM pslist()
WHERE Ppid
AND Username =~ "root"
AND Parent.Username != Username
AND if(condition=AcceptableParentExeRegex,
then=NOT Parent.Exe =~ AcceptableParentExeRegex,
else=TRUE)
- name: AuthLogs
query: |
SELECT * FROM foreach(row={
SELECT * FROM glob(globs=AuthLogsGlob)
}, query={
SELECT * FROM parse_lines(filename=FullPath)
WHERE Line =~ "pkexec.+The value for environment variable XAUTHORITY contains suscipious content"
})