auditd-suid-crash Scenario

« auditd-suid-crash »
v0.6 by crowdsecurity
Attack scenarioservice:linuxspoofable:0MITRE:T1548confidence:1

Detect root suid process crashing

Installation

cscli scenarios install crowdsecurity/auditd-suid-crash

Description

Attempt to detect a SUID binary that crashes with SIGILL, SIGTRAP, SIGABRT, SIGBUS, SIGSEGV.

It might be related to someone trying to exploit local privilege escalation such as CVE-2023-4911.

YAML Configuration

1type: conditional
2name: crowdsecurity/auditd-suid-crash
3description: "Detect root suid process crashing"
4filter: |
5  (evt.Meta.log_type == 'execve' && evt.Meta.euid == '0' && evt.Meta.auid != '0') ||
6  (evt.Meta.log_type == 'anom_abend' && evt.Meta.sig in ["4", "5", "6", "7", "11"])
7groupby: evt.Meta.pid
8distinct: evt.Meta.log_type
9condition: |
10  len(queue.Queue) >= 2 and 
11    queue.Queue[0].Meta.exe == queue.Queue[1].Meta.exe
12leakspeed: 1s
13capacity: -1
14blackhole: 1m
15labels:
16  confidence: 1
17  spoofable: 0
18  classification:
19    - attack.T1548.004
20  behavior: "linux:exploitation"
21  label: "Suspicious suid process crash"
22  service: linux
23  remediation: false
24scope:
25  type: exe
26  expression: evt.Meta.exe
27

Hub configuration

« auditd-suid-crash »v0.6 by crowdsecurityAttack scenarioservice:linuxspoofable:0MITRE:T1548confidence:1

« auditd-suid-crash »
v0.6 by crowdsecurity
Attack scenarioservice:linuxspoofable:0MITRE:T1548confidence:1