Yara Rule - Detects sudoers config with commands which might allow privilege escalation to root
Yara definition.
Author: Arnim Rupp
https://gtfobins.github.io/
license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
date = "2022-11-22"
modified = "2024-04-15"
score = 50
id = "221d90c8-e70e-5214-a03b-57ecabcdd480"
Strings section, as shown on this page (excerpt; the rule header, `$command1`/`$command2` and the condition are not reproduced here):

```yara
        $command3 = "/ksh " ascii
        $command4 = "/csh " ascii
        $command5 = "/tcpdump " ascii
        //$command6 = "/cat " ascii
        //$command7 = "/head " ascii
        $command8 = "/nano " ascii
        $command9 = "/pico " ascii
        $command10 = "/rview " ascii
        $command11 = "/vi " ascii
        $command12 = "/vim " ascii
        $command13 = "/rvi " ascii
        $command14 = "/rvim " ascii
        //$command15 = "/more " ascii
        $command16 = "/less " ascii
        $command17 = "/dd " ascii
        /* $command18 = "/mount " ascii prone to FPs */
```
Source commit: https://github.com/Neo23x0/signature-base/commit/78fec3e9438bff691bd270d408af996b8252d75f
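The following is an added example, not code from signature-base or from the rule's author. It reproduces the rule's matching logic in plain Python (the literal substring `/<name> ` with a trailing space), runs it over a constructed sudoers file, and then contrasts it with a small sudoers-aware check that parses each `user host=(runas) [tags] commands` line and flags only listed commands that run as root or ALL. Two practical points fall out of it: the trailing space means an entry whose command ends the line (for example `/usr/bin/vi` with no arguments) is not matched by the rule at all, and entries such as `/bin/mount /dev/sdb1 /mnt/backup` with fixed arguments are what made `/mount ` prone to false positives. The sample sudoers text is constructed for this example; the parser is deliberately simplified (no alias expansion, `#include` directives, or `!` negation) and the argument classification is a triage hint, not a safety verdict, since pagers and editors can spawn a shell regardless of their arguments.

```python
import re
from dataclasses import dataclass

# Strings kept active in the rule shown above (each is matched as "/<name> ").
ACTIVE = ["ksh", "csh", "tcpdump", "nano", "pico", "rview",
          "vi", "vim", "rvi", "rvim", "less", "dd"]
# Strings the rule comments out because they fire on ordinary sudoers files.
DISABLED = ["cat", "head", "more", "mount"]

# Constructed sample sudoers file for this example; not taken from any real system.
SAMPLE_SUDOERS = """\
# constructed sample
Defaults env_reset
root ALL=(ALL:ALL) ALL
%admin ALL=(ALL) ALL
backup ALL=(root) NOPASSWD: /usr/bin/rsync, /bin/mount /dev/sdb1 /mnt/backup
dev ALL=(ALL) NOPASSWD: /usr/bin/vim
ops ALL=(root) /usr/sbin/tcpdump -i eth0 -w /var/log/cap.pcap
web ALL=(www-data) /usr/bin/less /var/log/nginx/*
eve ALL=(root) /usr/bin/vi
"""


def yara_style_hits(text, commands=ACTIVE):
    """Reproduce the rule's string logic: the literal substring '/<name> ' anywhere in the file.
    Note the trailing space: a command at the very end of a line is not matched."""
    return sorted(name for name in commands if f"/{name} " in text)


@dataclass
class Entry:
    user: str
    runas: str   # first user in the (runas) part; "root" when the part is absent
    path: str    # command path as written in sudoers
    args: str    # arguments as written, "" when none

    @property
    def name(self):
        return self.path.rsplit("/", 1)[-1]

    @property
    def args_note(self):
        if not self.args:
            return "no args"        # caller may pass any arguments
        if "*" in self.args:
            return "wildcard args"  # sudo glob matching also accepts extra arguments
        return "fixed args"         # exact argv required; still check the tool for shell escapes


# user host=(runas) rest   (simplified: no aliases, no host lists, no '!' negation)
SPEC = re.compile(r"^(?P<user>\S+)\s+(?P<host>[^\s=]+)\s*=\s*(?:\((?P<runas>[^)]*)\))?\s*(?P<rest>.*)$")
TAGS = re.compile(r"^(?:[A-Z_]+:\s*)+")   # NOPASSWD:, SETENV:, ... in front of a command
SKIP = ("Defaults", "Cmnd_Alias", "User_Alias", "Host_Alias", "Runas_Alias")


def parse_sudoers(text):
    """Return one Entry per command in every user specification line."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()       # drops comments (and #include directives)
        if not line or line.startswith(SKIP):
            continue
        m = SPEC.match(line)
        if not m:
            continue
        runas = (m.group("runas") or "root").split(":")[0].split(",")[0].strip() or "root"
        for cmd in m.group("rest").split(","):
            parts = TAGS.sub("", cmd.strip()).split(None, 1)
            if not parts:
                continue
            entries.append(Entry(m.group("user"), runas, parts[0],
                                 parts[1] if len(parts) > 1 else ""))
    return entries


def risky_entries(text, commands=ACTIVE + DISABLED):
    """Entries that run a listed command as root (or as ALL) and therefore deserve review."""
    return [e for e in parse_sudoers(text)
            if e.runas in ("root", "ALL") and e.name in commands]


if __name__ == "__main__":
    print("rule-style hits (active strings):  ", yara_style_hits(SAMPLE_SUDOERS))
    print("rule-style hits (disabled strings):", yara_style_hits(SAMPLE_SUDOERS, DISABLED))
    for e in risky_entries(SAMPLE_SUDOERS):
        print(f"{e.user:8} runs {e.path} as {e.runas} ({e.args_note})")
```

On the sample, the rule-style matcher reports `less` and `tcpdump` (and `mount` once the disabled string is re-enabled) but misses the `eve ALL=(root) /usr/bin/vi` line, while the parsed view lists `mount`, `vim`, `tcpdump` and `vi` as root-capable and leaves out `less`, which only runs as `www-data` here. When tuning the rule, the `args_note` column is where an analyst decides whether a fixed-argument entry like the `mount` line is a benign exception or still worth an alert.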