notebook.community

Edit and run

Sudo Privilege Escalation CVE-2019-14287

Detects users trying to exploit sudo vulnerability reported in CVE-2019-14287

Rule Content

- action: global
  title: Sudo Privilege Escalation CVE-2019-14287
  id: f74107df-b6c6-4e80-bf00-4170b658162b
  status: experimental
  description: Detects users trying to exploit sudo vulnerability reported in CVE-2019-14287
  references:
  - https://www.openwall.com/lists/oss-security/2019/10/14/1
  - https://access.redhat.com/security/cve/cve-2019-14287
  - https://twitter.com/matthieugarin/status/1183970598210412546
  author: Florian Roth
  date: 2019/10/15
  modified: 2019/10/20
  tags:
  - attack.privilege_escalation
  - attack.t1068
  - attack.t1169
  logsource:
    product: linux
    service: null
    category: null
  falsepositives:
  - Unlikely
  level: critical
- detection:
    selection_keywords:
    - '* -u#*'
    condition: selection_keywords
- detection:
    selection_user:
      USER:
      - '#-*'
      - '#*4294967295'
    condition: selection_user

Querying Elasticsearch

Import Libraries





In [ ]:



    


from elasticsearch import Elasticsearch
from elasticsearch_dsl import Search
import pandas as pd

Initialize Elasticsearch client





In [ ]:



    


es = Elasticsearch(['http://helk-elasticsearch:9200'])
searchContext = Search(using=es, index='logs-*', doc_type='doc')

Run Elasticsearch Query





In [ ]:



    


s = searchContext.query('query_string', query='*\ \-u#*')
response = s.execute()
if response.success():
    df = pd.DataFrame((d.to_dict() for d in s.scan()))



    











In [ ]:



    


s = searchContext.query('query_string', query='USER.keyword:(#\-* OR #*4294967295)')
response = s.execute()
if response.success():
    df = pd.DataFrame((d.to_dict() for d in s.scan()))

Show Results





In [ ]:



    


df.head()

Content source: Cyb3rWard0g/HELK

Similar notebooks:

notebook.community | gallery | about