This artifact searches for potential privilege escalation indicators on Linux systems. It identifies processes running as root that were spawned by processes not running as root, which could indicate unauthorized privilege escalation. Created by Leonardo Grossi.
name: Linux.PrivilegeEscalationDetection
description: |
This artifact searches for potential privilege escalation indicators on Linux systems. It identifies processes running as root that were spawned by processes not running as root, which could indicate unauthorized privilege escalation. Created by Leonardo Grossi.
type: CLIENT
precondition:
SELECT OS FROM info() WHERE OS = 'linux'
sources:
- name: SUIDBins
query: |
SELECT * FROM glob(globs="/usr/bin/*", exclude="*.txt")
WHERE (
Mode =~ "....s" OR
Mode =~ "...S." OR
Mode =~ "..s.." OR
Mode =~ "..S..."
)
- name: WritableShadowFile
query: |
SELECT * FROM glob(globs="/etc/shadow")
WHERE (
Mode =~ ".....rw" OR
Mode =~ ".....w."
)
- name: WritablePasswdFile
query: |
SELECT * FROM glob(globs="/etc/passwd")
WHERE (
Mode =~ ".....rw" OR
Mode =~ ".....w."
)
- name: SudoersFilePermissions
query: |
SELECT * FROM glob(globs="/etc/sudoers")
WHERE (
Mode =~ "..-...r." OR
Mode =~ "..-....r"
)
- name: SudoProcesses
query: |
SELECT * FROM pslist()
WHERE (
Cmdline =~ "^sudo" OR
Cmdline =~ "^su -c sudo"
)
- name: ParentProcess
query: |
SELECT Pid, Ppid, Cmdline, Exe, Uids, Username, {
SELECT Pid, Cmdline, Exe, Uids, Username
FROM pslist(pid=Ppid)
} AS Parent
FROM pslist()
WHERE Ppid
AND Username =~ "root"
AND Parent.Username != Username