This is a proposal for SUID Enumeration Using Find #5071
Conversation
The idea is to detect in the auditd logs the execution of the find command (for example, $find -perm -u=ws ...) looking for binaries or scripts that can be executed with elevated privileges.
Welcome @mlakri 👋
It looks like this is your first pull request on the Sigma rules repository!
Please make sure to read the SigmaHQ conventions document to make sure your contribution is adhering to best practices and has all the necessary elements in place for a successful approval.
Thanks again, and welcome to the Sigma community! 😃
Hey @mlakri and thanks for your contribution. Can you please provide log data for your example? And also looking for specific permission isn't a direct sign of privilege escalation. It's just permission discovery, the outcome could be exfiltration, recon or privesc for privesc. So the metadata for the rule (description and title) should reflect that. Please take this into consideration and make the necessary changes.
Hello @nasbench
This rule detects the deletion of existing Auditd rules
The goal is to detect the execution of the find command in auditd logs (e.g., $find /usr/bin -type f -perm -4001) when searching for binaries or scripts that can be executed with elevated privileges, or when used for reconnaissance to discover details about file permissions or access conditions to sensitive data.
Changelog
type=EXECVE msg=audit(1731503214.337:71048): argc=6 a0="find" a1="/usr/bin" a2="-type" a3="f" a4="-perm" a5="-4001"
Fixed Issues
SigmaHQ Rule Creation Conventions
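As an added illustration, not code from this PR or from the SigmaHQ repository, the Python below shows the detection logic the proposed rule expresses, run over auditd EXECVE records: it reconstructs argv from the `aN=` fields (including auditd's unquoted hex encoding for arguments that contain spaces or non-printable bytes), checks that the program is `find`, and flags any `-perm` operand that selects the setuid or setgid bit, whether written in octal (`-4001`, `/6000`) or symbolic form (`-u=ws`, `/u=s,g=s`). Following the reviewer's point, a hit is reported as permission discovery rather than as privilege escalation. The first sample record is the one posted in this thread; the other records, the `/opt/my app` path and the `detect`/`is_setid_mode` function names are constructed for the example.

```python
import re

# Constructed sample auditd EXECVE records. The first line is the example
# from the PR thread; the remaining lines are made up for this illustration.
# Record 71053 carries a hex-encoded a1 (auditd does this for arguments that
# contain spaces), decoding to "/opt/my app".
SAMPLE_LOG = """\
type=EXECVE msg=audit(1731503214.337:71048): argc=6 a0="find" a1="/usr/bin" a2="-type" a3="f" a4="-perm" a5="-4001"
type=EXECVE msg=audit(1731503220.001:71049): argc=4 a0="find" a1="/" a2="-perm" a3="-u=s"
type=EXECVE msg=audit(1731503225.118:71050): argc=4 a0="find" a1="/tmp" a2="-name" a3="*.log"
type=EXECVE msg=audit(1731503230.500:71051): argc=4 a0="find" a1="/etc" a2="-perm" a3="0644"
type=EXECVE msg=audit(1731503235.777:71052): argc=1 a0="ls"
type=EXECVE msg=audit(1731503240.010:71053): argc=4 a0="find" a1=2F6F70742F6D7920617070 a2="-perm" a3="/6000"
"""

# aN="quoted value" or aN=HEXSTRING (unquoted, hex-encoded argument).
ARG_RE = re.compile(r'\ba(\d+)=(?:"([^"]*)"|([0-9A-Fa-f]+))')
# msg=audit(<epoch>.<ms>:<serial>) header of every audit record.
MSG_RE = re.compile(r"msg=audit\((\d+\.\d+):(\d+)\)")
# Symbolic -perm operands that include the setuid/setgid bit: u=s, u+s, g=rws, u=ws ...
SETID_SYMBOLIC = re.compile(r"[ug][=+][rwx]*s")


def parse_execve(line):
    """Return (serial, argv) for a type=EXECVE record, or None for other record types."""
    if "type=EXECVE" not in line:
        return None
    header = MSG_RE.search(line)
    serial = header.group(2) if header else None
    args = {}
    for m in ARG_RE.finditer(line):
        if m.group(3) is not None:
            # Unquoted form: auditd hex-encodes the raw argument bytes.
            value = bytes.fromhex(m.group(3)).decode("utf-8", "replace")
        else:
            value = m.group(2)
        args[int(m.group(1))] = value
    argv = [args[i] for i in sorted(args)]
    return serial, argv


def is_setid_mode(mode):
    """True if a find -perm operand selects files with the setuid or setgid bit."""
    body = mode.lstrip("-/")  # find's "-mode" (all bits) and "/mode" (any bit) prefixes
    if re.fullmatch(r"[0-7]+", body):
        return bool(int(body, 8) & 0o6000)  # 4000 = setuid, 2000 = setgid
    return SETID_SYMBOLIC.search(body) is not None


def find_setid_modes(argv):
    """Return the -perm operands of a find command line that match setuid/setgid."""
    if not argv or argv[0].rsplit("/", 1)[-1] != "find":
        return []
    return [argv[i + 1] for i, a in enumerate(argv[:-1])
            if a == "-perm" and is_setid_mode(argv[i + 1])]


def detect(log_text):
    """Scan auditd output and report setuid/setgid permission-discovery events."""
    hits = []
    for line in log_text.splitlines():
        parsed = parse_execve(line)
        if parsed is None:
            continue
        serial, argv = parsed
        modes = find_setid_modes(argv)
        if modes:
            hits.append({
                "event": serial,
                "cmdline": " ".join(argv),
                "modes": modes,
                "category": "permission discovery (setuid/setgid enumeration)",
            })
    return hits


if __name__ == "__main__":
    for hit in detect(SAMPLE_LOG):
        print(hit["event"], hit["category"], "->", hit["cmdline"])
```

Matching on the decoded argv rather than on the raw line is what makes the hex-encoded record and the symbolic `-u=ws` form from the PR description both match; a rule that only looks for the literal string `-perm -4000` would miss them, and a rule keyed on `-perm` alone would also fire on the harmless `-perm 0644` search.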