Linux.Detection.CVE20214034

This artifact lists processes running as root that were spawns by processes that are not running as root. This kind of behavior is normal for things like sudo or su but for other processes (especially /bin/bash) it could represent a process launched via CVE-2021-4034.

The artifact looks for running processes with this property as well as search the auth log files for evidence of past execution of this exploit.

name: Linux.Detection.CVE20214034
description: |
   This artifact lists processes running as root that were spawns by processes that are not
   running as root. This kind of behavior is normal for things like sudo or su but for other
   processes (especially /bin/bash) it could represent a process launched via CVE-2021-4034.

   The artifact looks for running processes with this property as well as search the auth
   log files for evidence of past execution of this exploit.

type: CLIENT

parameters:
   - name: AcceptableParentExeRegex
     description: A list of acceptable parent processes that are OK (unset to see all parents)
     type: regex
     default: ^(/usr/bin/sudo)
   - name: AuthLogsGlob
     default: /var/log/auth.log*

precondition:
    SELECT OS From info() where OS = 'linux'

sources:
  - query: |
        SELECT Pid, Ppid, Cmdline, Exe, Uids, Username, {
            SELECT Pid, Cmdline, Exe, Uids, Username
            FROM pslist(pid=Ppid)
        } AS Parent
        FROM pslist()
        WHERE Ppid 
          AND Username =~ "root"
          AND Parent.Username != Username
          AND if(condition=AcceptableParentExeRegex,
                 then=NOT Parent.Exe =~ AcceptableParentExeRegex,
                 else=TRUE)
  - name: AuthLogs
    query: |
       SELECT * FROM foreach(row={
         SELECT * FROM glob(globs=AuthLogsGlob)
       }, query={
           SELECT * FROM parse_lines(filename=FullPath)
           WHERE Line =~ "pkexec.+The value for environment variable XAUTHORITY contains suscipious content"
       })

comments powered by Disqus