Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Some Images and one technique Added #5118

Open
wants to merge 2 commits into
base: master
Choose a base branch
from
Open

Some Images and one technique Added #5118

wants to merge 2 commits into from

Conversation

CheraghiMilad
Copy link
Contributor

Summary of the Pull Request

Also we can use visudo command in terminal for read and edit /etc/sudoers file.

Changelog

visudo log

<Event>
  <System>
    <Provider Name="Linux-Sysmon" Guid="{ff032593-a8d3-4f13-b0d6-01fc615a0f97}"/>
    <EventID>1</EventID>
    <Version>5</Version>
    <Level>4</Level>
    <Task>1</Task>
    <Opcode>0</Opcode>
    <Keywords>0x8000000000000000</Keywords>
    <TimeCreated SystemTime="2024-12-10T10:01:49.201742000Z"/>
    <EventRecordID>386193</EventRecordID>
    <Correlation/>
    <Execution ProcessID="1252" ThreadID="1252"/>
    <Channel>Linux-Sysmon/Operational</Channel>
    <Computer>caldera-virtual-machine</Computer>
    <Security UserId="0"/>
  </System>
  <EventData>
    <Data Name="RuleName">-</Data>
    <Data Name="UtcTime">2024-12-08 20:35:46.938</Data>
    <Data Name="ProcessGuid">{36fe7a82-0322-6756-0505-eaadc3550000}</Data>
    <Data Name="ProcessId">11457</Data>
    <Data Name="Image">/usr/sbin/visudo</Data>
    <Data Name="FileVersion">-</Data>
    <Data Name="Description">-</Data>
    <Data Name="Product">-</Data>
    <Data Name="Company">-</Data>
    <Data Name="OriginalFileName">-</Data>
    <Data Name="CommandLine">visudo</Data>
    <Data Name="CurrentDirectory">/home/caldera</Data>
    <Data Name="User">root</Data>
    <Data Name="LogonGuid">{36fe7a82-0000-0000-0000-000000000000}</Data>
    <Data Name="LogonId">0</Data>
    <Data Name="TerminalSessionId">3</Data>
    <Data Name="IntegrityLevel">no level</Data>
    <Data Name="Hashes">SHA256=1e8af148369a5877f1445e53251ebcc655683802b1db11baf36358bcd7bac513</Data>
    <Data Name="ParentProcessGuid">{36fe7a82-0322-6756-d59b-5c043a560000}</Data>
    <Data Name="ParentProcessId">11456</Data>
    <Data Name="ParentImage">/usr/bin/sudo</Data>
    <Data Name="ParentCommandLine">sudo</Data>
    <Data Name="ParentUser">caldera</Data>
  </EventData>
</Event>

Example Log Event

Fixed Issues

SigmaHQ Rule Creation Conventions

  • If your PR adds new rules, please consider following and applying these conventions

@github-actions github-actions bot added Rules Linux Pull request add/update linux related rules labels Dec 10, 2024
frack113
frack113 reviewed Dec 14, 2024
View reviewed changes
rules/linux/process_creation/proc_creation_lnx_cat_sudoers.yml
tags:
- attack.reconnaissance
- attack.t1592.004
logsource:
category: process_creation
product: linux
detection:
selection:
selection_1:
Image|endswith: '/visudo'
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

visudo is the correct way to edit the file.
The purpose of the rule is to detect unusual access.

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

In some cases of adversaries Emulation, i use the visudo for reading the sudoers file, and my team can not detected it, my aim enrichment the rules for increase coverage.

@frack113 frack113 added the Author Input Required changes the require information from original author of the rules label Dec 14, 2024
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@frack113 frack113 frack113 left review comments

Assignees
No one assigned
Labels
Author Input Required changes the require information from original author of the rules Linux Pull request add/update linux related rules Rules
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
2 participants
@CheraghiMilad @frack113