1658334745, search_name="ESCU - Linux Sudo OR Su Execution - Rule", analyticstories="Linux Persistence Techniques", analyticstories="Linux Privilege Escalation", annotations="{\"analytic_story\": [\"Linux Privilege Escalation\", \"Linux Persistence Techniques\"], \"cis20\": [\"CIS 3\", \"CIS 5\", \"CIS 16\"], \"confidence\": 30, \"context\": [\"Source:Endpoint\", \"Stage:Privilege Escalation\", \"Stage:Persistence\"], \"impact\": 30, \"kill_chain_phases\": [\"Exploitation\"], \"mitre_attack\": [\"T1548.003\", \"T1548\"], \"nist\": [\"DE.CM\"], \"observable\": [{\"name\": \"dest\", \"role\": [\"Victim\"], \"type\": \"Hostname\"}]}", annotations.analytic_story="Linux Privilege Escalation", annotations.analytic_story="Linux Persistence Techniques", annotations.cis20="CIS 3", annotations.cis20="CIS 5", annotations.cis20="CIS 16", annotations.context="Source:Endpoint", annotations.context="Stage:Privilege Escalation", annotations.context="Stage:Persistence", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1548.003", annotations.mitre_attack="T1548", annotations.nist="DE.CM", count="1", dest="sysmonlinux-mhaag-attack-range-8786", firstTime="2022-07-20T14:57:22", info_max_time="+Infinity", info_min_time="0.000", lastTime="2022-07-20T14:57:22", parent_process_id="29676", parent_process_name="sudo", process="apt install -y fishsticks", process_guid="{ec28c72e-17d2-62d8-9815-3aa400560000}", process_id="29677", process_name="apt", risk_message="A commandline apt install -y fishsticks that execute sudo or su in sysmonlinux-mhaag-attack-range-8786", risk_object="sysmonlinux-mhaag-attack-range-8786", risk_object_type="system", risk_score="9.0", savedsearch_description="This analytic is to detect the execution of sudo or su command in linux operating system. The \"sudo\" command allows a system administrator to delegate authority to give certain users (or groups of users) the ability to run some (or all) commands as root or another user while providing an audit trail of the commands and their arguments. This command is commonly abused by adversaries, malware author and red teamers to elevate privileges to the targeted host. This command can be executed by administrator for legitimate purposes or to execute process that need admin privileges, In this scenario filter is needed.", user="root"
1658334745, search_name="ESCU - Linux Sudo OR Su Execution - Rule", analyticstories="Linux Persistence Techniques", analyticstories="Linux Privilege Escalation", annotations="{\"analytic_story\": [\"Linux Privilege Escalation\", \"Linux Persistence Techniques\"], \"cis20\": [\"CIS 3\", \"CIS 5\", \"CIS 16\"], \"confidence\": 30, \"context\": [\"Source:Endpoint\", \"Stage:Privilege Escalation\", \"Stage:Persistence\"], \"impact\": 30, \"kill_chain_phases\": [\"Exploitation\"], \"mitre_attack\": [\"T1548.003\", \"T1548\"], \"nist\": [\"DE.CM\"], \"observable\": [{\"name\": \"dest\", \"role\": [\"Victim\"], \"type\": \"Hostname\"}]}", annotations.analytic_story="Linux Privilege Escalation", annotations.analytic_story="Linux Persistence Techniques", annotations.cis20="CIS 3", annotations.cis20="CIS 5", annotations.cis20="CIS 16", annotations.context="Source:Endpoint", annotations.context="Stage:Privilege Escalation", annotations.context="Stage:Persistence", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1548.003", annotations.mitre_attack="T1548", annotations.nist="DE.CM", count="1", dest="sysmonlinux-mhaag-attack-range-8786", firstTime="2022-07-20T14:57:22", info_max_time="+Infinity", info_min_time="0.000", lastTime="2022-07-20T14:57:22", parent_process_id="29664", parent_process_name="bash", process="sudo apt install -y fishsticks", process_guid="{ec28c72e-17d2-62d8-088e-9992ae550000}", process_id="29676", process_name="sudo", risk_message="A commandline sudo apt install -y fishsticks that execute sudo or su in sysmonlinux-mhaag-attack-range-8786", risk_object="sysmonlinux-mhaag-attack-range-8786", risk_object_type="system", risk_score="9.0", savedsearch_description="This analytic is to detect the execution of sudo or su command in linux operating system. The \"sudo\" command allows a system administrator to delegate authority to give certain users (or groups of users) the ability to run some (or all) commands as root or another user while providing an audit trail of the commands and their arguments. This command is commonly abused by adversaries, malware author and red teamers to elevate privileges to the targeted host. This command can be executed by administrator for legitimate purposes or to execute process that need admin privileges, In this scenario filter is needed.", user="root"
1657719145, search_name="ESCU - Linux Sudo OR Su Execution - Rule", analyticstories="Linux Persistence Techniques", analyticstories="Linux Privilege Escalation", annotations="{\"analytic_story\": [\"Linux Privilege Escalation\", \"Linux Persistence Techniques\"], \"cis20\": [\"CIS 3\", \"CIS 5\", \"CIS 16\"], \"confidence\": 30, \"context\": [\"Source:Endpoint\", \"Stage:Privilege Escalation\", \"Stage:Persistence\"], \"impact\": 30, \"kill_chain_phases\": [\"Exploitation\"], \"mitre_attack\": [\"T1548.003\", \"T1548\"], \"nist\": [\"DE.CM\"], \"observable\": [{\"name\": \"dest\", \"role\": [\"Victim\"], \"type\": \"Hostname\"}]}", annotations.analytic_story="Linux Privilege Escalation", annotations.analytic_story="Linux Persistence Techniques", annotations.cis20="CIS 3", annotations.cis20="CIS 5", annotations.cis20="CIS 16", annotations.context="Source:Endpoint", annotations.context="Stage:Privilege Escalation", annotations.context="Stage:Persistence", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1548.003", annotations.mitre_attack="T1548", annotations.nist="DE.CM", count="1", dest="sysmonlinux-mhaag-attack-range-8786", firstTime="2022-07-13T12:28:00", info_max_time="+Infinity", info_min_time="0.000", lastTime="2022-07-13T12:28:00", parent_process_id="11340", parent_process_name="bash", process="sudo apt install make clang-11 gcc libelf-dev bpftool", process_guid="{ec28c72e-ba50-62ce-080e-a2bcf7550000}", process_id="11398", process_name="sudo", risk_message="A commandline sudo apt install make clang-11 gcc libelf-dev bpftool that execute sudo or su in sysmonlinux-mhaag-attack-range-8786", risk_object="sysmonlinux-mhaag-attack-range-8786", risk_object_type="system", risk_score="9.0", savedsearch_description="This analytic is to detect the execution of sudo or su command in linux operating system. The \"sudo\" command allows a system administrator to delegate authority to give certain users (or groups of users) the ability to run some (or all) commands as root or another user while providing an audit trail of the commands and their arguments. This command is commonly abused by adversaries, malware author and red teamers to elevate privileges to the targeted host. This command can be executed by administrator for legitimate purposes or to execute process that need admin privileges, In this scenario filter is needed.", user="ubuntu"
1657719145, search_name="ESCU - Linux Sudo OR Su Execution - Rule", analyticstories="Linux Persistence Techniques", analyticstories="Linux Privilege Escalation", annotations="{\"analytic_story\": [\"Linux Privilege Escalation\", \"Linux Persistence Techniques\"], \"cis20\": [\"CIS 3\", \"CIS 5\", \"CIS 16\"], \"confidence\": 30, \"context\": [\"Source:Endpoint\", \"Stage:Privilege Escalation\", \"Stage:Persistence\"], \"impact\": 30, \"kill_chain_phases\": [\"Exploitation\"], \"mitre_attack\": [\"T1548.003\", \"T1548\"], \"nist\": [\"DE.CM\"], \"observable\": [{\"name\": \"dest\", \"role\": [\"Victim\"], \"type\": \"Hostname\"}]}", annotations.analytic_story="Linux Privilege Escalation", annotations.analytic_story="Linux Persistence Techniques", annotations.cis20="CIS 3", annotations.cis20="CIS 5", annotations.cis20="CIS 16", annotations.context="Source:Endpoint", annotations.context="Stage:Privilege Escalation", annotations.context="Stage:Persistence", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1548.003", annotations.mitre_attack="T1548", annotations.nist="DE.CM", count="1", dest="sysmonlinux-mhaag-attack-range-8786", firstTime="2022-07-13T12:28:00", info_max_time="+Infinity", info_min_time="0.000", lastTime="2022-07-13T12:28:00", parent_process_id="11398", parent_process_name="sudo", process="apt install make clang-11 gcc libelf-dev bpftool", process_guid="{ec28c72e-ba50-62ce-98b5-13e2a7550000}", process_id="11399", process_name="apt", risk_message="A commandline apt install make clang-11 gcc libelf-dev bpftool that execute sudo or su in sysmonlinux-mhaag-attack-range-8786", risk_object="sysmonlinux-mhaag-attack-range-8786", risk_object_type="system", risk_score="9.0", savedsearch_description="This analytic is to detect the execution of sudo or su command in linux operating system. The \"sudo\" command allows a system administrator to delegate authority to give certain users (or groups of users) the ability to run some (or all) commands as root or another user while providing an audit trail of the commands and their arguments. This command is commonly abused by adversaries, malware author and red teamers to elevate privileges to the targeted host. This command can be executed by administrator for legitimate purposes or to execute process that need admin privileges, In this scenario filter is needed.", user="root"
1657646388, search_name="ESCU - Linux Service Restarted - Rule", analyticstories="Linux Persistence Techniques", analyticstories="Linux Privilege Escalation", annotations="{\"analytic_story\": [\"Linux Privilege Escalation\", \"Linux Persistence Techniques\"], \"cis20\": [\"CIS 3\", \"CIS 5\", \"CIS 16\"], \"confidence\": 50, \"context\": [\"Source:Endpoint\", \"Stage:Privilege Escalation\", \"Stage:Persistence\"], \"impact\": 50, \"kill_chain_phases\": [\"Exploitation\"], \"mitre_attack\": [\"T1053.006\", \"T1053\"], \"nist\": [\"DE.CM\"], \"observable\": [{\"name\": \"dest\", \"role\": [\"Victim\"], \"type\": \"Hostname\"}]}", annotations.analytic_story="Linux Privilege Escalation", annotations.analytic_story="Linux Persistence Techniques", annotations.cis20="CIS 3", annotations.cis20="CIS 5", annotations.cis20="CIS 16", annotations.context="Source:Endpoint", annotations.context="Stage:Privilege Escalation", annotations.context="Stage:Persistence", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1053.006", annotations.mitre_attack="T1053", annotations.nist="DE.CM", count="1", dest="sysmonlinux-mhaag-attack-range-8786", firstTime="2022-07-12T15:54:54", info_max_time="+Infinity", info_min_time="0.000", lastTime="2022-07-12T15:54:54", parent_process_id="8975", parent_process_name="splunk", process="systemctl show SplunkForwarder --property=Type,ExecStart,LoadState,Restart,Delegate,ActiveState", process_guid="{ec28c72e-994e-62cd-d05c-33a4dc550000}", process_id="8995", process_name="systemctl", risk_message="A commandline systemctl show SplunkForwarder --property=Type,ExecStart,LoadState,Restart,Delegate,ActiveState that may create or start a service on sysmonlinux-mhaag-attack-range-8786", risk_object="sysmonlinux-mhaag-attack-range-8786", risk_object_type="system", risk_score="25.0", savedsearch_description="This analytic looks for restarted or re-enable services in linux platform. This technique can be executed or performed using systemctl or service tool application. Adversaries may create or modify Windows services to repeatedly execute malicious payloads as part of persistence. When Windows boots up, it starts programs or applications called services that perform background system functions. Administrator may also create a legitimated service for a specific tool or normal application as part of task or automation, in this scenario it is suggested to look for the service path of the actual script or executable that register as service and who created the service for further verification.", user="root"
1657646388, search_name="ESCU - Linux Service Restarted - Rule", analyticstories="Linux Persistence Techniques", analyticstories="Linux Privilege Escalation", annotations="{\"analytic_story\": [\"Linux Privilege Escalation\", \"Linux Persistence Techniques\"], \"cis20\": [\"CIS 3\", \"CIS 5\", \"CIS 16\"], \"confidence\": 50, \"context\": [\"Source:Endpoint\", \"Stage:Privilege Escalation\", \"Stage:Persistence\"], \"impact\": 50, \"kill_chain_phases\": [\"Exploitation\"], \"mitre_attack\": [\"T1053.006\", \"T1053\"], \"nist\": [\"DE.CM\"], \"observable\": [{\"name\": \"dest\", \"role\": [\"Victim\"], \"type\": \"Hostname\"}]}", annotations.analytic_story="Linux Privilege Escalation", annotations.analytic_story="Linux Persistence Techniques", annotations.cis20="CIS 3", annotations.cis20="CIS 5", annotations.cis20="CIS 16", annotations.context="Source:Endpoint", annotations.context="Stage:Privilege Escalation", annotations.context="Stage:Persistence", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1053.006", annotations.mitre_attack="T1053", annotations.nist="DE.CM", count="1", dest="sysmonlinux-mhaag-attack-range-8786", firstTime="2022-07-12T15:54:54", info_max_time="+Infinity", info_min_time="0.000", lastTime="2022-07-12T15:54:54", parent_process_id="8975", parent_process_name="splunk", process="systemctl show SplunkForwarder --property=Type,ExecStart,LoadState,Restart,Delegate,ActiveState", process_guid="{ec28c72e-994e-62cd-d00c-9ac605560000}", process_id="8976", process_name="systemctl", risk_message="A commandline systemctl show SplunkForwarder --property=Type,ExecStart,LoadState,Restart,Delegate,ActiveState that may create or start a service on sysmonlinux-mhaag-attack-range-8786", risk_object="sysmonlinux-mhaag-attack-range-8786", risk_object_type="system", risk_score="25.0", savedsearch_description="This analytic looks for restarted or re-enable services in linux platform. This technique can be executed or performed using systemctl or service tool application. Adversaries may create or modify Windows services to repeatedly execute malicious payloads as part of persistence. When Windows boots up, it starts programs or applications called services that perform background system functions. Administrator may also create a legitimated service for a specific tool or normal application as part of task or automation, in this scenario it is suggested to look for the service path of the actual script or executable that register as service and who created the service for further verification.", user="root"
1657643545, search_name="ESCU - Linux Sudo OR Su Execution - Rule", analyticstories="Linux Persistence Techniques", analyticstories="Linux Privilege Escalation", annotations="{\"analytic_story\": [\"Linux Privilege Escalation\", \"Linux Persistence Techniques\"], \"cis20\": [\"CIS 3\", \"CIS 5\", \"CIS 16\"], \"confidence\": 30, \"context\": [\"Source:Endpoint\", \"Stage:Privilege Escalation\", \"Stage:Persistence\"], \"impact\": 30, \"kill_chain_phases\": [\"Exploitation\"], \"mitre_attack\": [\"T1548.003\", \"T1548\"], \"nist\": [\"DE.CM\"], \"observable\": [{\"name\": \"dest\", \"role\": [\"Victim\"], \"type\": \"Hostname\"}]}", annotations.analytic_story="Linux Privilege Escalation", annotations.analytic_story="Linux Persistence Techniques", annotations.cis20="CIS 3", annotations.cis20="CIS 5", annotations.cis20="CIS 16", annotations.context="Source:Endpoint", annotations.context="Stage:Privilege Escalation", annotations.context="Stage:Persistence", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1548.003", annotations.mitre_attack="T1548", annotations.nist="DE.CM", count="1", dest="sysmonlinux-mhaag-attack-range-8786", firstTime="2022-07-12T15:45:35", info_max_time="+Infinity", info_min_time="0.000", lastTime="2022-07-12T15:45:35", parent_process_id="7853", parent_process_name="bash", process="sudo su", process_guid="{ec28c72e-971f-62cd-089e-4d9225560000}", process_id="8859", process_name="sudo", risk_message="A commandline sudo su that execute sudo or su in sysmonlinux-mhaag-attack-range-8786", risk_object="sysmonlinux-mhaag-attack-range-8786", risk_object_type="system", risk_score="9.0", savedsearch_description="This analytic is to detect the execution of sudo or su command in linux operating system. The \"sudo\" command allows a system administrator to delegate authority to give certain users (or groups of users) the ability to run some (or all) commands as root or another user while providing an audit trail of the commands and their arguments. This command is commonly abused by adversaries, malware author and red teamers to elevate privileges to the targeted host. This command can be executed by administrator for legitimate purposes or to execute process that need admin privileges, In this scenario filter is needed.", user="ubuntu"
1657643545, search_name="ESCU - Linux Sudo OR Su Execution - Rule", analyticstories="Linux Persistence Techniques", analyticstories="Linux Privilege Escalation", annotations="{\"analytic_story\": [\"Linux Privilege Escalation\", \"Linux Persistence Techniques\"], \"cis20\": [\"CIS 3\", \"CIS 5\", \"CIS 16\"], \"confidence\": 30, \"context\": [\"Source:Endpoint\", \"Stage:Privilege Escalation\", \"Stage:Persistence\"], \"impact\": 30, \"kill_chain_phases\": [\"Exploitation\"], \"mitre_attack\": [\"T1548.003\", \"T1548\"], \"nist\": [\"DE.CM\"], \"observable\": [{\"name\": \"dest\", \"role\": [\"Victim\"], \"type\": \"Hostname\"}]}", annotations.analytic_story="Linux Privilege Escalation", annotations.analytic_story="Linux Persistence Techniques", annotations.cis20="CIS 3", annotations.cis20="CIS 5", annotations.cis20="CIS 16", annotations.context="Source:Endpoint", annotations.context="Stage:Privilege Escalation", annotations.context="Stage:Persistence", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1548.003", annotations.mitre_attack="T1548", annotations.nist="DE.CM", count="1", dest="sysmonlinux-mhaag-attack-range-8786", firstTime="2022-07-12T15:44:36", info_max_time="+Infinity", info_min_time="0.000", lastTime="2022-07-12T15:44:36", parent_process_id="7853", parent_process_name="bash", process="sudo su", process_guid="{ec28c72e-96e4-62cd-089e-eddc19560000}", process_id="8748", process_name="sudo", risk_message="A commandline sudo su that execute sudo or su in sysmonlinux-mhaag-attack-range-8786", risk_object="sysmonlinux-mhaag-attack-range-8786", risk_object_type="system", risk_score="9.0", savedsearch_description="This analytic is to detect the execution of sudo or su command in linux operating system. The \"sudo\" command allows a system administrator to delegate authority to give certain users (or groups of users) the ability to run some (or all) commands as root or another user while providing an audit trail of the commands and their arguments. This command is commonly abused by adversaries, malware author and red teamers to elevate privileges to the targeted host. This command can be executed by administrator for legitimate purposes or to execute process that need admin privileges, In this scenario filter is needed.", user="ubuntu"
1657643545, search_name="ESCU - Linux Sudo OR Su Execution - Rule", analyticstories="Linux Persistence Techniques", analyticstories="Linux Privilege Escalation", annotations="{\"analytic_story\": [\"Linux Privilege Escalation\", \"Linux Persistence Techniques\"], \"cis20\": [\"CIS 3\", \"CIS 5\", \"CIS 16\"], \"confidence\": 30, \"context\": [\"Source:Endpoint\", \"Stage:Privilege Escalation\", \"Stage:Persistence\"], \"impact\": 30, \"kill_chain_phases\": [\"Exploitation\"], \"mitre_attack\": [\"T1548.003\", \"T1548\"], \"nist\": [\"DE.CM\"], \"observable\": [{\"name\": \"dest\", \"role\": [\"Victim\"], \"type\": \"Hostname\"}]}", annotations.analytic_story="Linux Privilege Escalation", annotations.analytic_story="Linux Persistence Techniques", annotations.cis20="CIS 3", annotations.cis20="CIS 5", annotations.cis20="CIS 16", annotations.context="Source:Endpoint", annotations.context="Stage:Privilege Escalation", annotations.context="Stage:Persistence", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1548.003", annotations.mitre_attack="T1548", annotations.nist="DE.CM", count="1", dest="sysmonlinux-mhaag-attack-range-8786", firstTime="2022-07-12T15:09:03", info_max_time="+Infinity", info_min_time="0.000", lastTime="2022-07-12T15:09:03", parent_process_id="7853", parent_process_name="bash", process="sudo su", process_guid="{ec28c72e-8e8f-62cd-089e-6ae659550000}", process_id="8432", process_name="sudo", risk_message="A commandline sudo su that execute sudo or su in sysmonlinux-mhaag-attack-range-8786", risk_object="sysmonlinux-mhaag-attack-range-8786", risk_object_type="system", risk_score="9.0", savedsearch_description="This analytic is to detect the execution of sudo or su command in linux operating system. The \"sudo\" command allows a system administrator to delegate authority to give certain users (or groups of users) the ability to run some (or all) commands as root or another user while providing an audit trail of the commands and their arguments. This command is commonly abused by adversaries, malware author and red teamers to elevate privileges to the targeted host. This command can be executed by administrator for legitimate purposes or to execute process that need admin privileges, In this scenario filter is needed.", user="ubuntu"
1657643545, search_name="ESCU - Linux Sudo OR Su Execution - Rule", analyticstories="Linux Persistence Techniques", analyticstories="Linux Privilege Escalation", annotations="{\"analytic_story\": [\"Linux Privilege Escalation\", \"Linux Persistence Techniques\"], \"cis20\": [\"CIS 3\", \"CIS 5\", \"CIS 16\"], \"confidence\": 30, \"context\": [\"Source:Endpoint\", \"Stage:Privilege Escalation\", \"Stage:Persistence\"], \"impact\": 30, \"kill_chain_phases\": [\"Exploitation\"], \"mitre_attack\": [\"T1548.003\", \"T1548\"], \"nist\": [\"DE.CM\"], \"observable\": [{\"name\": \"dest\", \"role\": [\"Victim\"], \"type\": \"Hostname\"}]}", annotations.analytic_story="Linux Privilege Escalation", annotations.analytic_story="Linux Persistence Techniques", annotations.cis20="CIS 3", annotations.cis20="CIS 5", annotations.cis20="CIS 16", annotations.context="Source:Endpoint", annotations.context="Stage:Privilege Escalation", annotations.context="Stage:Persistence", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1548.003", annotations.mitre_attack="T1548", annotations.nist="DE.CM", count="1", dest="sysmonlinux-mhaag-attack-range-8786", firstTime="2022-07-12T15:45:35", info_max_time="+Infinity", info_min_time="0.000", lastTime="2022-07-12T15:45:35", parent_process_id="8859", parent_process_name="sudo", process="su", process_guid="{ec28c72e-971f-62cd-885d-fdd16d550000}", process_id="8860", process_name="su", risk_message="A commandline su that execute sudo or su in sysmonlinux-mhaag-attack-range-8786", risk_object="sysmonlinux-mhaag-attack-range-8786", risk_object_type="system", risk_score="9.0", savedsearch_description="This analytic is to detect the execution of sudo or su command in linux operating system. The \"sudo\" command allows a system administrator to delegate authority to give certain users (or groups of users) the ability to run some (or all) commands as root or another user while providing an audit trail of the commands and their arguments. This command is commonly abused by adversaries, malware author and red teamers to elevate privileges to the targeted host. This command can be executed by administrator for legitimate purposes or to execute process that need admin privileges, In this scenario filter is needed.", user="root"
1657643545, search_name="ESCU - Linux Sudo OR Su Execution - Rule", analyticstories="Linux Persistence Techniques", analyticstories="Linux Privilege Escalation", annotations="{\"analytic_story\": [\"Linux Privilege Escalation\", \"Linux Persistence Techniques\"], \"cis20\": [\"CIS 3\", \"CIS 5\", \"CIS 16\"], \"confidence\": 30, \"context\": [\"Source:Endpoint\", \"Stage:Privilege Escalation\", \"Stage:Persistence\"], \"impact\": 30, \"kill_chain_phases\": [\"Exploitation\"], \"mitre_attack\": [\"T1548.003\", \"T1548\"], \"nist\": [\"DE.CM\"], \"observable\": [{\"name\": \"dest\", \"role\": [\"Victim\"], \"type\": \"Hostname\"}]}", annotations.analytic_story="Linux Privilege Escalation", annotations.analytic_story="Linux Persistence Techniques", annotations.cis20="CIS 3", annotations.cis20="CIS 5", annotations.cis20="CIS 16", annotations.context="Source:Endpoint", annotations.context="Stage:Privilege Escalation", annotations.context="Stage:Persistence", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1548.003", annotations.mitre_attack="T1548", annotations.nist="DE.CM", count="1", dest="sysmonlinux-mhaag-attack-range-8786", firstTime="2022-07-12T15:44:36", info_max_time="+Infinity", info_min_time="0.000", lastTime="2022-07-12T15:44:36", parent_process_id="8748", parent_process_name="sudo", process="su", process_guid="{ec28c72e-96e4-62cd-885d-0ce0cc550000}", process_id="8749", process_name="su", risk_message="A commandline su that execute sudo or su in sysmonlinux-mhaag-attack-range-8786", risk_object="sysmonlinux-mhaag-attack-range-8786", risk_object_type="system", risk_score="9.0", savedsearch_description="This analytic is to detect the execution of sudo or su command in linux operating system. The \"sudo\" command allows a system administrator to delegate authority to give certain users (or groups of users) the ability to run some (or all) commands as root or another user while providing an audit trail of the commands and their arguments. This command is commonly abused by adversaries, malware author and red teamers to elevate privileges to the targeted host. This command can be executed by administrator for legitimate purposes or to execute process that need admin privileges, In this scenario filter is needed.", user="root"
1657643545, search_name="ESCU - Linux Sudo OR Su Execution - Rule", analyticstories="Linux Persistence Techniques", analyticstories="Linux Privilege Escalation", annotations="{\"analytic_story\": [\"Linux Privilege Escalation\", \"Linux Persistence Techniques\"], \"cis20\": [\"CIS 3\", \"CIS 5\", \"CIS 16\"], \"confidence\": 30, \"context\": [\"Source:Endpoint\", \"Stage:Privilege Escalation\", \"Stage:Persistence\"], \"impact\": 30, \"kill_chain_phases\": [\"Exploitation\"], \"mitre_attack\": [\"T1548.003\", \"T1548\"], \"nist\": [\"DE.CM\"], \"observable\": [{\"name\": \"dest\", \"role\": [\"Victim\"], \"type\": \"Hostname\"}]}", annotations.analytic_story="Linux Privilege Escalation", annotations.analytic_story="Linux Persistence Techniques", annotations.cis20="CIS 3", annotations.cis20="CIS 5", annotations.cis20="CIS 16", annotations.context="Source:Endpoint", annotations.context="Stage:Privilege Escalation", annotations.context="Stage:Persistence", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1548.003", annotations.mitre_attack="T1548", annotations.nist="DE.CM", count="1", dest="sysmonlinux-mhaag-attack-range-8786", firstTime="2022-07-12T15:09:03", info_max_time="+Infinity", info_min_time="0.000", lastTime="2022-07-12T15:09:03", parent_process_id="8432", parent_process_name="sudo", process="su", process_guid="{ec28c72e-8e8f-62cd-889d-a67f9e550000}", process_id="8433", process_name="su", risk_message="A commandline su that execute sudo or su in sysmonlinux-mhaag-attack-range-8786", risk_object="sysmonlinux-mhaag-attack-range-8786", risk_object_type="system", risk_score="9.0", savedsearch_description="This analytic is to detect the execution of sudo or su command in linux operating system. The \"sudo\" command allows a system administrator to delegate authority to give certain users (or groups of users) the ability to run some (or all) commands as root or another user while providing an audit trail of the commands and their arguments. This command is commonly abused by adversaries, malware author and red teamers to elevate privileges to the targeted host. This command can be executed by administrator for legitimate purposes or to execute process that need admin privileges, In this scenario filter is needed.", user="root"
1657643545, search_name="ESCU - Linux Sudo OR Su Execution - Rule", analyticstories="Linux Persistence Techniques", analyticstories="Linux Privilege Escalation", annotations="{\"analytic_story\": [\"Linux Privilege Escalation\", \"Linux Persistence Techniques\"], \"cis20\": [\"CIS 3\", \"CIS 5\", \"CIS 16\"], \"confidence\": 30, \"context\": [\"Source:Endpoint\", \"Stage:Privilege Escalation\", \"Stage:Persistence\"], \"impact\": 30, \"kill_chain_phases\": [\"Exploitation\"], \"mitre_attack\": [\"T1548.003\", \"T1548\"], \"nist\": [\"DE.CM\"], \"observable\": [{\"name\": \"dest\", \"role\": [\"Victim\"], \"type\": \"Hostname\"}]}", annotations.analytic_story="Linux Privilege Escalation", annotations.analytic_story="Linux Persistence Techniques", annotations.cis20="CIS 3", annotations.cis20="CIS 5", annotations.cis20="CIS 16", annotations.context="Source:Endpoint", annotations.context="Stage:Privilege Escalation", annotations.context="Stage:Persistence", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1548.003", annotations.mitre_attack="T1548", annotations.nist="DE.CM", count="1", dest="sysmonlinux-mhaag-attack-range-8786", firstTime="2022-07-12T14:50:06", info_max_time="+Infinity", info_min_time="0.000", lastTime="2022-07-12T14:50:06", parent_process_id="7890", parent_process_name="sudo", process="apt install -y auditd", process_guid="{ec28c72e-8a1e-62cd-98d5-07bf2d560000}", process_id="7891", process_name="apt", risk_message="A commandline apt install -y auditd that execute sudo or su in sysmonlinux-mhaag-attack-range-8786", risk_object="sysmonlinux-mhaag-attack-range-8786", risk_object_type="system", risk_score="9.0", savedsearch_description="This analytic is to detect the execution of sudo or su command in linux operating system. The \"sudo\" command allows a system administrator to delegate authority to give certain users (or groups of users) the ability to run some (or all) commands as root or another user while providing an audit trail of the commands and their arguments. This command is commonly abused by adversaries, malware author and red teamers to elevate privileges to the targeted host. This command can be executed by administrator for legitimate purposes or to execute process that need admin privileges, In this scenario filter is needed.", user="root"
1657643545, search_name="ESCU - Linux Sudo OR Su Execution - Rule", analyticstories="Linux Persistence Techniques", analyticstories="Linux Privilege Escalation", annotations="{\"analytic_story\": [\"Linux Privilege Escalation\", \"Linux Persistence Techniques\"], \"cis20\": [\"CIS 3\", \"CIS 5\", \"CIS 16\"], \"confidence\": 30, \"context\": [\"Source:Endpoint\", \"Stage:Privilege Escalation\", \"Stage:Persistence\"], \"impact\": 30, \"kill_chain_phases\": [\"Exploitation\"], \"mitre_attack\": [\"T1548.003\", \"T1548\"], \"nist\": [\"DE.CM\"], \"observable\": [{\"name\": \"dest\", \"role\": [\"Victim\"], \"type\": \"Hostname\"}]}", annotations.analytic_story="Linux Privilege Escalation", annotations.analytic_story="Linux Persistence Techniques", annotations.cis20="CIS 3", annotations.cis20="CIS 5", annotations.cis20="CIS 16", annotations.context="Source:Endpoint", annotations.context="Stage:Privilege Escalation", annotations.context="Stage:Persistence", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1548.003", annotations.mitre_attack="T1548", annotations.nist="DE.CM", count="1", dest="sysmonlinux-mhaag-attack-range-8786", firstTime="2022-07-12T15:45:35", info_max_time="+Infinity", info_min_time="0.000", lastTime="2022-07-12T15:45:35", parent_process_id="8860", parent_process_name="su", process="bash", process_guid="{ec28c72e-971f-62cd-4894-cf1d0e560000}", process_id="8862", process_name="bash", risk_message="A commandline bash that execute sudo or su in sysmonlinux-mhaag-attack-range-8786", risk_object="sysmonlinux-mhaag-attack-range-8786", risk_object_type="system", risk_score="9.0", savedsearch_description="This analytic is to detect the execution of sudo or su command in linux operating system. The \"sudo\" command allows a system administrator to delegate authority to give certain users (or groups of users) the ability to run some (or all) commands as root or another user while providing an audit trail of the commands and their arguments. This command is commonly abused by adversaries, malware author and red teamers to elevate privileges to the targeted host. This command can be executed by administrator for legitimate purposes or to execute process that need admin privileges, In this scenario filter is needed.", user="root"
1657643545, search_name="ESCU - Linux Sudo OR Su Execution - Rule", analyticstories="Linux Persistence Techniques", analyticstories="Linux Privilege Escalation", annotations="{\"analytic_story\": [\"Linux Privilege Escalation\", \"Linux Persistence Techniques\"], \"cis20\": [\"CIS 3\", \"CIS 5\", \"CIS 16\"], \"confidence\": 30, \"context\": [\"Source:Endpoint\", \"Stage:Privilege Escalation\", \"Stage:Persistence\"], \"impact\": 30, \"kill_chain_phases\": [\"Exploitation\"], \"mitre_attack\": [\"T1548.003\", \"T1548\"], \"nist\": [\"DE.CM\"], \"observable\": [{\"name\": \"dest\", \"role\": [\"Victim\"], \"type\": \"Hostname\"}]}", annotations.analytic_story="Linux Privilege Escalation", annotations.analytic_story="Linux Persistence Techniques", annotations.cis20="CIS 3", annotations.cis20="CIS 5", annotations.cis20="CIS 16", annotations.context="Source:Endpoint", annotations.context="Stage:Privilege Escalation", annotations.context="Stage:Persistence", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1548.003", annotations.mitre_attack="T1548", annotations.nist="DE.CM", count="1", dest="sysmonlinux-mhaag-attack-range-8786", firstTime="2022-07-12T15:44:36", info_max_time="+Infinity", info_min_time="0.000", lastTime="2022-07-12T15:44:36", parent_process_id="8749", parent_process_name="su", process="bash", process_guid="{ec28c72e-96e4-62cd-4844-16a441560000}", process_id="8750", process_name="bash", risk_message="A commandline bash that execute sudo or su in sysmonlinux-mhaag-attack-range-8786", risk_object="sysmonlinux-mhaag-attack-range-8786", risk_object_type="system", risk_score="9.0", savedsearch_description="This analytic is to detect the execution of sudo or su command in linux operating system. The \"sudo\" command allows a system administrator to delegate authority to give certain users (or groups of users) the ability to run some (or all) commands as root or another user while providing an audit trail of the commands and their arguments. This command is commonly abused by adversaries, malware author and red teamers to elevate privileges to the targeted host. This command can be executed by administrator for legitimate purposes or to execute process that need admin privileges, In this scenario filter is needed.", user="root"
1657643545, search_name="ESCU - Linux Sudo OR Su Execution - Rule", analyticstories="Linux Persistence Techniques", analyticstories="Linux Privilege Escalation", annotations="{\"analytic_story\": [\"Linux Privilege Escalation\", \"Linux Persistence Techniques\"], \"cis20\": [\"CIS 3\", \"CIS 5\", \"CIS 16\"], \"confidence\": 30, \"context\": [\"Source:Endpoint\", \"Stage:Privilege Escalation\", \"Stage:Persistence\"], \"impact\": 30, \"kill_chain_phases\": [\"Exploitation\"], \"mitre_attack\": [\"T1548.003\", \"T1548\"], \"nist\": [\"DE.CM\"], \"observable\": [{\"name\": \"dest\", \"role\": [\"Victim\"], \"type\": \"Hostname\"}]}", annotations.analytic_story="Linux Privilege Escalation", annotations.analytic_story="Linux Persistence Techniques", annotations.cis20="CIS 3", annotations.cis20="CIS 5", annotations.cis20="CIS 16", annotations.context="Source:Endpoint", annotations.context="Stage:Privilege Escalation", annotations.context="Stage:Persistence", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1548.003", annotations.mitre_attack="T1548", annotations.nist="DE.CM", count="1", 
dest="sysmonlinux-mhaag-attack-range-8786", firstTime="2022-07-12T15:09:03", info_max_time="+Infinity", info_min_time="0.000", lastTime="2022-07-12T15:09:03", parent_process_id="8433", parent_process_name="su", process="bash", process_guid="{ec28c72e-8e8f-62cd-4844-140619560000}", process_id="8434", process_name="bash", risk_message="A commandline bash that execute sudo or su in sysmonlinux-mhaag-attack-range-8786", risk_object="sysmonlinux-mhaag-attack-range-8786", risk_object_type="system", risk_score="9.0", savedsearch_description="This analytic is to detect the execution of sudo or su command in linux operating system. The \"sudo\" command allows a system administrator to delegate authority to give certain users (or groups of users) the ability to run some (or all) commands as root or another user while providing an audit trail of the commands and their arguments. This command is commonly abused by adversaries, malware author and red teamers to elevate privileges to the targeted host. 
This command can be executed by administrator for legitimate purposes or to execute process that need admin privileges, In this scenario filter is needed.", user="root" 1657643545, search_name="ESCU - Linux Sudo OR Su Execution - Rule", analyticstories="Linux Persistence Techniques", analyticstories="Linux Privilege Escalation", annotations="{\"analytic_story\": [\"Linux Privilege Escalation\", \"Linux Persistence Techniques\"], \"cis20\": [\"CIS 3\", \"CIS 5\", \"CIS 16\"], \"confidence\": 30, \"context\": [\"Source:Endpoint\", \"Stage:Privilege Escalation\", \"Stage:Persistence\"], \"impact\": 30, \"kill_chain_phases\": [\"Exploitation\"], \"mitre_attack\": [\"T1548.003\", \"T1548\"], \"nist\": [\"DE.CM\"], \"observable\": [{\"name\": \"dest\", \"role\": [\"Victim\"], \"type\": \"Hostname\"}]}", annotations.analytic_story="Linux Privilege Escalation", annotations.analytic_story="Linux Persistence Techniques", annotations.cis20="CIS 3", annotations.cis20="CIS 5", annotations.cis20="CIS 16", annotations.context="Source:Endpoint", annotations.context="Stage:Privilege Escalation", annotations.context="Stage:Persistence", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1548.003", annotations.mitre_attack="T1548", annotations.nist="DE.CM", count="1", dest="sysmonlinux-mhaag-attack-range-8786", firstTime="2022-07-12T14:50:06", info_max_time="+Infinity", info_min_time="0.000", lastTime="2022-07-12T14:50:06", parent_process_id="7872", parent_process_name="bash", process="sudo apt install -y auditd", process_guid="{ec28c72e-8a1e-62cd-080e-e59e71550000}", process_id="7890", process_name="sudo", risk_message="A commandline sudo apt install -y auditd that execute sudo or su in sysmonlinux-mhaag-attack-range-8786", risk_object="sysmonlinux-mhaag-attack-range-8786", risk_object_type="system", risk_score="9.0", savedsearch_description="This analytic is to detect the execution of sudo or su command in linux operating system. 
The \"sudo\" command allows a system administrator to delegate authority to give certain users (or groups of users) the ability to run some (or all) commands as root or another user while providing an audit trail of the commands and their arguments. This command is commonly abused by adversaries, malware author and red teamers to elevate privileges to the targeted host. This command can be executed by administrator for legitimate purposes or to execute process that need admin privileges, In this scenario filter is needed.", user="root" 1657642788, search_name="ESCU - Linux Service Restarted - Rule", analyticstories="Linux Persistence Techniques", analyticstories="Linux Privilege Escalation", annotations="{\"analytic_story\": [\"Linux Privilege Escalation\", \"Linux Persistence Techniques\"], \"cis20\": [\"CIS 3\", \"CIS 5\", \"CIS 16\"], \"confidence\": 50, \"context\": [\"Source:Endpoint\", \"Stage:Privilege Escalation\", \"Stage:Persistence\"], \"impact\": 50, \"kill_chain_phases\": [\"Exploitation\"], \"mitre_attack\": [\"T1053.006\", \"T1053\"], \"nist\": [\"DE.CM\"], \"observable\": [{\"name\": \"dest\", \"role\": [\"Victim\"], \"type\": \"Hostname\"}]}", annotations.analytic_story="Linux Privilege Escalation", annotations.analytic_story="Linux Persistence Techniques", annotations.cis20="CIS 3", annotations.cis20="CIS 5", annotations.cis20="CIS 16", annotations.context="Source:Endpoint", annotations.context="Stage:Privilege Escalation", annotations.context="Stage:Persistence", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1053.006", annotations.mitre_attack="T1053", annotations.nist="DE.CM", count="1", dest="sysmonlinux-mhaag-attack-range-8786", firstTime="2022-07-12T15:41:18", info_max_time="+Infinity", info_min_time="0.000", lastTime="2022-07-12T15:41:18", parent_process_id="8604", parent_process_name="splunk", process="systemctl show SplunkForwarder --property=Type,ExecStart,LoadState,Restart,Delegate,ActiveState", 
process_guid="{ec28c72e-961e-62cd-d0fc-a93cf4550000}", process_id="8638", process_name="systemctl", risk_message="A commandline systemctl show SplunkForwarder --property=Type,ExecStart,LoadState,Restart,Delegate,ActiveState that may create or start a service on sysmonlinux-mhaag-attack-range-8786", risk_object="sysmonlinux-mhaag-attack-range-8786", risk_object_type="system", risk_score="25.0", savedsearch_description="This analytic looks for restarted or re-enable services in linux platform. This technique can be executed or performed using systemctl or service tool application. Adversaries may create or modify Windows services to repeatedly execute malicious payloads as part of persistence. When Windows boots up, it starts programs or applications called services that perform background system functions. Administrator may also create a legitimated service for a specific tool or normal application as part of task or automation, in this scenario it is suggested to look for the service path of the actual script or executable that register as service and who created the service for further verification.", user="root" 1657639945, search_name="ESCU - Linux Sudo OR Su Execution - Rule", analyticstories="Linux Persistence Techniques", analyticstories="Linux Privilege Escalation", annotations="{\"analytic_story\": [\"Linux Privilege Escalation\", \"Linux Persistence Techniques\"], \"cis20\": [\"CIS 3\", \"CIS 5\", \"CIS 16\"], \"confidence\": 30, \"context\": [\"Source:Endpoint\", \"Stage:Privilege Escalation\", \"Stage:Persistence\"], \"impact\": 30, \"kill_chain_phases\": [\"Exploitation\"], \"mitre_attack\": [\"T1548.003\", \"T1548\"], \"nist\": [\"DE.CM\"], \"observable\": [{\"name\": \"dest\", \"role\": [\"Victim\"], \"type\": \"Hostname\"}]}", annotations.analytic_story="Linux Privilege Escalation", annotations.analytic_story="Linux Persistence Techniques", annotations.cis20="CIS 3", annotations.cis20="CIS 5", annotations.cis20="CIS 16", 
annotations.context="Source:Endpoint", annotations.context="Stage:Privilege Escalation", annotations.context="Stage:Persistence", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1548.003", annotations.mitre_attack="T1548", annotations.nist="DE.CM", count="1", dest="sysmonlinux-mhaag-attack-range-8786", firstTime="2022-07-12T14:44:00", info_max_time="+Infinity", info_min_time="0.000", lastTime="2022-07-12T14:44:00", parent_process_id="7853", parent_process_name="bash", process="sudo su", process_guid="{ec28c72e-88b0-62cd-08ae-aa6c6c550000}", process_id="7870", process_name="sudo", risk_message="A commandline sudo su that execute sudo or su in sysmonlinux-mhaag-attack-range-8786", risk_object="sysmonlinux-mhaag-attack-range-8786", risk_object_type="system", risk_score="9.0", savedsearch_description="This analytic is to detect the execution of sudo or su command in linux operating system. The \"sudo\" command allows a system administrator to delegate authority to give certain users (or groups of users) the ability to run some (or all) commands as root or another user while providing an audit trail of the commands and their arguments. This command is commonly abused by adversaries, malware author and red teamers to elevate privileges to the targeted host. 
This command can be executed by administrator for legitimate purposes or to execute process that need admin privileges, In this scenario filter is needed.", user="ubuntu" 1657639945, search_name="ESCU - Linux Sudo OR Su Execution - Rule", analyticstories="Linux Persistence Techniques", analyticstories="Linux Privilege Escalation", annotations="{\"analytic_story\": [\"Linux Privilege Escalation\", \"Linux Persistence Techniques\"], \"cis20\": [\"CIS 3\", \"CIS 5\", \"CIS 16\"], \"confidence\": 30, \"context\": [\"Source:Endpoint\", \"Stage:Privilege Escalation\", \"Stage:Persistence\"], \"impact\": 30, \"kill_chain_phases\": [\"Exploitation\"], \"mitre_attack\": [\"T1548.003\", \"T1548\"], \"nist\": [\"DE.CM\"], \"observable\": [{\"name\": \"dest\", \"role\": [\"Victim\"], \"type\": \"Hostname\"}]}", annotations.analytic_story="Linux Privilege Escalation", annotations.analytic_story="Linux Persistence Techniques", annotations.cis20="CIS 3", annotations.cis20="CIS 5", annotations.cis20="CIS 16", annotations.context="Source:Endpoint", annotations.context="Stage:Privilege Escalation", annotations.context="Stage:Persistence", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1548.003", annotations.mitre_attack="T1548", annotations.nist="DE.CM", count="1", dest="sysmonlinux-mhaag-attack-range-8786", firstTime="2022-07-12T14:44:00", info_max_time="+Infinity", info_min_time="0.000", lastTime="2022-07-12T14:44:00", parent_process_id="7870", parent_process_name="sudo", process="su", process_guid="{ec28c72e-88b0-62cd-88ad-05f06b550000}", process_id="7871", process_name="su", risk_message="A commandline su that execute sudo or su in sysmonlinux-mhaag-attack-range-8786", risk_object="sysmonlinux-mhaag-attack-range-8786", risk_object_type="system", risk_score="9.0", savedsearch_description="This analytic is to detect the execution of sudo or su command in linux operating system. 
The \"sudo\" command allows a system administrator to delegate authority to give certain users (or groups of users) the ability to run some (or all) commands as root or another user while providing an audit trail of the commands and their arguments. This command is commonly abused by adversaries, malware author and red teamers to elevate privileges to the targeted host. This command can be executed by administrator for legitimate purposes or to execute process that need admin privileges, In this scenario filter is needed.", user="root" 1657639945, search_name="ESCU - Linux Sudo OR Su Execution - Rule", analyticstories="Linux Persistence Techniques", analyticstories="Linux Privilege Escalation", annotations="{\"analytic_story\": [\"Linux Privilege Escalation\", \"Linux Persistence Techniques\"], \"cis20\": [\"CIS 3\", \"CIS 5\", \"CIS 16\"], \"confidence\": 30, \"context\": [\"Source:Endpoint\", \"Stage:Privilege Escalation\", \"Stage:Persistence\"], \"impact\": 30, \"kill_chain_phases\": [\"Exploitation\"], \"mitre_attack\": [\"T1548.003\", \"T1548\"], \"nist\": [\"DE.CM\"], \"observable\": [{\"name\": \"dest\", \"role\": [\"Victim\"], \"type\": \"Hostname\"}]}", annotations.analytic_story="Linux Privilege Escalation", annotations.analytic_story="Linux Persistence Techniques", annotations.cis20="CIS 3", annotations.cis20="CIS 5", annotations.cis20="CIS 16", annotations.context="Source:Endpoint", annotations.context="Stage:Privilege Escalation", annotations.context="Stage:Persistence", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1548.003", annotations.mitre_attack="T1548", annotations.nist="DE.CM", count="1", dest="sysmonlinux-mhaag-attack-range-8786", firstTime="2022-07-12T14:44:00", info_max_time="+Infinity", info_min_time="0.000", lastTime="2022-07-12T14:44:00", parent_process_id="7871", parent_process_name="su", process="bash", process_guid="{ec28c72e-88b0-62cd-48d4-07033d560000}", process_id="7872", process_name="bash", 
risk_message="A commandline bash that execute sudo or su in sysmonlinux-mhaag-attack-range-8786", risk_object="sysmonlinux-mhaag-attack-range-8786", risk_object_type="system", risk_score="9.0", savedsearch_description="This analytic is to detect the execution of sudo or su command in linux operating system. The \"sudo\" command allows a system administrator to delegate authority to give certain users (or groups of users) the ability to run some (or all) commands as root or another user while providing an audit trail of the commands and their arguments. This command is commonly abused by adversaries, malware author and red teamers to elevate privileges to the targeted host. This command can be executed by administrator for legitimate purposes or to execute process that need admin privileges, In this scenario filter is needed.", user="root" 1657222345, search_name="ESCU - Linux Sudo OR Su Execution - Rule", analyticstories="Linux Persistence Techniques", analyticstories="Linux Privilege Escalation", annotations="{\"analytic_story\": [\"Linux Privilege Escalation\", \"Linux Persistence Techniques\"], \"cis20\": [\"CIS 3\", \"CIS 5\", \"CIS 16\"], \"confidence\": 30, \"context\": [\"Source:Endpoint\", \"Stage:Privilege Escalation\", \"Stage:Persistence\"], \"impact\": 30, \"kill_chain_phases\": [\"Exploitation\"], \"mitre_attack\": [\"T1548.003\", \"T1548\"], \"nist\": [\"DE.CM\"], \"observable\": [{\"name\": \"dest\", \"role\": [\"Victim\"], \"type\": \"Hostname\"}]}", annotations.analytic_story="Linux Privilege Escalation", annotations.analytic_story="Linux Persistence Techniques", annotations.cis20="CIS 3", annotations.cis20="CIS 5", annotations.cis20="CIS 16", annotations.context="Source:Endpoint", annotations.context="Stage:Privilege Escalation", annotations.context="Stage:Persistence", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1548.003", annotations.mitre_attack="T1548", annotations.nist="DE.CM", count="1", 
dest="sysmonlinux-mhaag-attack-range-8786", firstTime="2022-07-07T18:49:47", info_max_time="+Infinity", info_min_time="0.000", lastTime="2022-07-07T18:49:47", parent_process_id="21865", parent_process_name="bash", process="sudo su", process_guid="{ec28c72e-2acb-62c7-08fe-eb7120560000}", process_id="21882", process_name="sudo", risk_message="A commandline sudo su that execute sudo or su in sysmonlinux-mhaag-attack-range-8786", risk_object="sysmonlinux-mhaag-attack-range-8786", risk_object_type="system", risk_score="9.0", savedsearch_description="This analytic is to detect the execution of sudo or su command in linux operating system. The \"sudo\" command allows a system administrator to delegate authority to give certain users (or groups of users) the ability to run some (or all) commands as root or another user while providing an audit trail of the commands and their arguments. This command is commonly abused by adversaries, malware author and red teamers to elevate privileges to the targeted host. 
This command can be executed by administrator for legitimate purposes or to execute process that need admin privileges, In this scenario filter is needed.", user="ubuntu" 1657222345, search_name="ESCU - Linux Sudo OR Su Execution - Rule", analyticstories="Linux Persistence Techniques", analyticstories="Linux Privilege Escalation", annotations="{\"analytic_story\": [\"Linux Privilege Escalation\", \"Linux Persistence Techniques\"], \"cis20\": [\"CIS 3\", \"CIS 5\", \"CIS 16\"], \"confidence\": 30, \"context\": [\"Source:Endpoint\", \"Stage:Privilege Escalation\", \"Stage:Persistence\"], \"impact\": 30, \"kill_chain_phases\": [\"Exploitation\"], \"mitre_attack\": [\"T1548.003\", \"T1548\"], \"nist\": [\"DE.CM\"], \"observable\": [{\"name\": \"dest\", \"role\": [\"Victim\"], \"type\": \"Hostname\"}]}", annotations.analytic_story="Linux Privilege Escalation", annotations.analytic_story="Linux Persistence Techniques", annotations.cis20="CIS 3", annotations.cis20="CIS 5", annotations.cis20="CIS 16", annotations.context="Source:Endpoint", annotations.context="Stage:Privilege Escalation", annotations.context="Stage:Persistence", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1548.003", annotations.mitre_attack="T1548", annotations.nist="DE.CM", count="1", dest="sysmonlinux-mhaag-attack-range-8786", firstTime="2022-07-07T18:49:47", info_max_time="+Infinity", info_min_time="0.000", lastTime="2022-07-07T18:49:47", parent_process_id="21882", parent_process_name="sudo", process="su", process_guid="{ec28c72e-2acb-62c7-886d-e0a8c9550000}", process_id="21883", process_name="su", risk_message="A commandline su that execute sudo or su in sysmonlinux-mhaag-attack-range-8786", risk_object="sysmonlinux-mhaag-attack-range-8786", risk_object_type="system", risk_score="9.0", savedsearch_description="This analytic is to detect the execution of sudo or su command in linux operating system. 
The \"sudo\" command allows a system administrator to delegate authority to give certain users (or groups of users) the ability to run some (or all) commands as root or another user while providing an audit trail of the commands and their arguments. This command is commonly abused by adversaries, malware author and red teamers to elevate privileges to the targeted host. This command can be executed by administrator for legitimate purposes or to execute process that need admin privileges, In this scenario filter is needed.", user="root" 1657222345, search_name="ESCU - Linux Sudo OR Su Execution - Rule", analyticstories="Linux Persistence Techniques", analyticstories="Linux Privilege Escalation", annotations="{\"analytic_story\": [\"Linux Privilege Escalation\", \"Linux Persistence Techniques\"], \"cis20\": [\"CIS 3\", \"CIS 5\", \"CIS 16\"], \"confidence\": 30, \"context\": [\"Source:Endpoint\", \"Stage:Privilege Escalation\", \"Stage:Persistence\"], \"impact\": 30, \"kill_chain_phases\": [\"Exploitation\"], \"mitre_attack\": [\"T1548.003\", \"T1548\"], \"nist\": [\"DE.CM\"], \"observable\": [{\"name\": \"dest\", \"role\": [\"Victim\"], \"type\": \"Hostname\"}]}", annotations.analytic_story="Linux Privilege Escalation", annotations.analytic_story="Linux Persistence Techniques", annotations.cis20="CIS 3", annotations.cis20="CIS 5", annotations.cis20="CIS 16", annotations.context="Source:Endpoint", annotations.context="Stage:Privilege Escalation", annotations.context="Stage:Persistence", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1548.003", annotations.mitre_attack="T1548", annotations.nist="DE.CM", count="1", dest="sysmonlinux-mhaag-attack-range-8786", firstTime="2022-07-07T18:49:47", info_max_time="+Infinity", info_min_time="0.000", lastTime="2022-07-07T18:49:47", parent_process_id="21883", parent_process_name="su", process="bash", process_guid="{ec28c72e-2acb-62c7-4864-8d84f4550000}", process_id="21884", process_name="bash", 
risk_message="A commandline bash that execute sudo or su in sysmonlinux-mhaag-attack-range-8786", risk_object="sysmonlinux-mhaag-attack-range-8786", risk_object_type="system", risk_score="9.0", savedsearch_description="This analytic is to detect the execution of sudo or su command in linux operating system. The \"sudo\" command allows a system administrator to delegate authority to give certain users (or groups of users) the ability to run some (or all) commands as root or another user while providing an audit trail of the commands and their arguments. This command is commonly abused by adversaries, malware author and red teamers to elevate privileges to the targeted host. This command can be executed by administrator for legitimate purposes or to execute process that need admin privileges, In this scenario filter is needed.", user="root" 1657099188, search_name="ESCU - Linux Service Restarted - Rule", analyticstories="Linux Persistence Techniques", analyticstories="Linux Privilege Escalation", annotations="{\"analytic_story\": [\"Linux Privilege Escalation\", \"Linux Persistence Techniques\"], \"cis20\": [\"CIS 3\", \"CIS 5\", \"CIS 16\"], \"confidence\": 50, \"context\": [\"Source:Endpoint\", \"Stage:Privilege Escalation\", \"Stage:Persistence\"], \"impact\": 50, \"kill_chain_phases\": [\"Exploitation\"], \"mitre_attack\": [\"T1053.006\", \"T1053\"], \"nist\": [\"DE.CM\"], \"observable\": [{\"name\": \"dest\", \"role\": [\"Victim\"], \"type\": \"Hostname\"}]}", annotations.analytic_story="Linux Privilege Escalation", annotations.analytic_story="Linux Persistence Techniques", annotations.cis20="CIS 3", annotations.cis20="CIS 5", annotations.cis20="CIS 16", annotations.context="Source:Endpoint", annotations.context="Stage:Privilege Escalation", annotations.context="Stage:Persistence", annotations.kill_chain_phases="Exploitation", annotations.mitre_attack="T1053.006", annotations.mitre_attack="T1053", annotations.nist="DE.CM", count="1", 
dest="sysmonlinux-mhaag-attack-range-8786", firstTime="2022-07-06T08:34:47", info_max_time="+Infinity", info_min_time="0.000", lastTime="2022-07-06T08:34:47", parent_process_id="2080", parent_process_name="snapd", process="systemctl daemon-reload", process_guid="{ec28c72e-4927-62c5-d0cc-de9215560000}", process_id="18045", process_name="systemctl", risk_message="A commandline systemctl daemon-reload that may create or start a service on sysmonlinux-mhaag-attack-range-8786", risk_object="sysmonlinux-mhaag-attack-range-8786", risk_object_type="system", risk_score="25.0", savedsearch_description="This analytic looks for restarted or re-enable services in linux platform. This technique can be executed or performed using systemctl or service tool application. Adversaries may create or modify Windows services to repeatedly execute malicious payloads as part of persistence. When Windows boots up, it starts programs or applications called services that perform background system functions. Administrator may also create a legitimated service for a specific tool or normal application as part of task or automation, in this scenario it is suggested to look for the service path of the actual script or executable that register as service and who created the service for further verification.", user="root"