Yara Rule - Detects sudoers config with commands which might allow privilege escalation to root - Neo23x0

Yara Rule - Detects sudoers config with commands which might allow privilege escalation to root

Yara definition.

Author: Arnim Rupp

https://gtfobins.github.io/

```yara
// Excerpt of the rule: the rule header, the remaining meta fields,
// $command1/$command2 and the condition are not reproduced here.
    meta:
        license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
        date = "2022-11-22"
        modified = "2024-04-15"
        score = 50
        id = "221d90c8-e70e-5214-a03b-57ecabcdd480"
    strings:
        // Each pattern is a command path fragment followed by a space, as it
        // appears in a sudoers entry; the binaries are the GTFOBins sudo entries.
        $command3 = "/ksh " ascii
        $command4 = "/csh " ascii
        $command5 = "/tcpdump " ascii
        //$command6 = "/cat " ascii
        //$command7 = "/head " ascii
        $command8 = "/nano " ascii
        $command9 = "/pico " ascii
        $command10 = "/rview " ascii
        $command11 = "/vi " ascii
        $command12 = "/vim " ascii
        $command13 = "/rvi " ascii
        $command14 = "/rvim " ascii
        //$command15 = "/more " ascii
        $command16 = "/less " ascii
        $command17 = "/dd " ascii
        /* $command18 = "/mount " ascii prone to FPs */
```


[https://github.com/Neo23x0/signature-base/commit/88b7d2a036aa1f628e9ccdd58eacf990dee58785](https://github.com/Neo23x0/signature-base/commit/88b7d2a036aa1f628e9ccdd58eacf990dee58785)