
Summary
This analytic detects the execution of the 'doas' tool on Linux systems using the Linux Audit daemon (auditd). The 'doas' command allows standard users to execute commands as root, similar to 'sudo', so its use presents a risk if abused. The detection focuses on audit logs to identify syscall events related to the 'doas' command. By capturing and analyzing process names and command-line executions, this rule alerts security personnel to possible unauthorized privilege escalation. If the execution of 'doas' is confirmed as malicious, this could signify a significant threat, including unauthorized access to administrative functions and potential system compromise. It is crucial to have appropriate logging and filtering in place to reduce false positives, as legitimate users may execute this command during regular operations.
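The following is an added example, not part of the original analytic or any project's code, showing how the logic described above can be applied to raw auditd records: SYSCALL and EXECVE lines are re-joined by their audit serial, execve events are selected, and those whose executable or comm is 'doas' are turned into alerts carrying the fields an analyst would triage (auid, uid, euid, tty, session, full command line). The sample log lines, the process ids and the audit serials are constructed for the example; the auditctl rule shown in the comment is an illustrative rule for generating such events and should be checked against your auditd version.

```python
import re
from collections import defaultdict

# Constructed sample auditd records (not captured from a real host). Each execve
# produces a SYSCALL record and an EXECVE record that share the same serial.
# A rule such as the following would generate these on x86_64 (assumed, verify locally):
#   -a always,exit -F arch=b64 -S execve -F exe=/usr/bin/doas -k privileged
SAMPLE_AUDIT_LOG = """\
type=SYSCALL msg=audit(1731500000.101:4567): arch=c000003e syscall=59 success=yes exit=0 ppid=1200 pid=1234 auid=1001 uid=1001 gid=1001 euid=0 tty=pts0 ses=3 comm="doas" exe="/usr/bin/doas" key="privileged"
type=EXECVE msg=audit(1731500000.101:4567): argc=3 a0="doas" a1="systemctl" a2="status"
type=SYSCALL msg=audit(1731500000.202:4568): arch=c000003e syscall=59 success=yes exit=0 ppid=1200 pid=1235 auid=1001 uid=1001 gid=1001 euid=0 tty=pts0 ses=3 comm="sudo" exe="/usr/bin/sudo" key="privileged"
type=EXECVE msg=audit(1731500000.202:4568): argc=2 a0="sudo" a1="ls"
type=SYSCALL msg=audit(1731500000.303:4569): arch=c000003e syscall=59 success=yes exit=0 ppid=1200 pid=1236 auid=1001 uid=1001 gid=1001 euid=1001 tty=pts0 ses=3 comm="ls" exe="/usr/bin/ls" key="privileged"
type=EXECVE msg=audit(1731500000.303:4569): argc=2 a0="ls" a1="-la"
"""

# key=value tokens; values are either double-quoted strings or bare words
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')
# msg=audit(<epoch seconds>:<serial>) ties the records of one event together
MSG_RE = re.compile(r'msg=audit\((\d+\.\d+):(\d+)\)')
# execve syscall number on x86_64 (arch=c000003e); other arches use other numbers
EXECVE_SYSCALL_X86_64 = "59"


def parse_record(line):
    """Split one auditd line into a dict of fields plus its timestamp and serial."""
    m = MSG_RE.search(line)
    if not m:
        return None
    fields = {k: v.strip('"') for k, v in FIELD_RE.findall(line)}
    fields["_time"], fields["_serial"] = m.group(1), m.group(2)
    return fields


def group_events(log_text):
    """Map audit serial -> {record type -> fields}, re-joining multi-record events."""
    events = defaultdict(dict)
    for line in log_text.splitlines():
        rec = parse_record(line)
        if rec:
            events[rec["_serial"]][rec["type"]] = rec
    return events


def detect_doas(log_text):
    """Return one alert per execve event whose binary or comm is doas."""
    alerts = []
    for serial, recs in group_events(log_text).items():
        sc = recs.get("SYSCALL")
        if not sc or sc.get("syscall") != EXECVE_SYSCALL_X86_64:
            continue
        # Match on both the executable path and comm; after execve, comm is
        # already the new program name, so either field identifies doas.
        if sc.get("comm") != "doas" and not sc.get("exe", "").endswith("/doas"):
            continue
        ex = recs.get("EXECVE", {})
        argc = int(ex.get("argc", "0"))
        cmdline = " ".join(ex.get(f"a{i}", "") for i in range(argc))
        alerts.append({
            "serial": serial,
            "time": sc["_time"],
            "auid": sc.get("auid"),   # login uid: who actually logged in
            "uid": sc.get("uid"),
            "euid": sc.get("euid"),   # 0 means the setuid transition succeeded
            "pid": sc.get("pid"),
            "ppid": sc.get("ppid"),
            "tty": sc.get("tty"),
            "ses": sc.get("ses"),
            "exe": sc.get("exe"),
            "cmdline": cmdline,
        })
    return alerts


if __name__ == "__main__":
    for alert in detect_doas(SAMPLE_AUDIT_LOG):
        print(f"[doas execution] auid={alert['auid']} euid={alert['euid']} "
              f"tty={alert['tty']} cmd={alert['cmdline']!r}")
```

Grouping by serial matters because the command line lives in the EXECVE record while the identity fields live in the SYSCALL record; alerting on either alone loses the context needed to judge whether a given 'doas' invocation is routine administration or something to escalate. The 'auid' field is the one to baseline for false-positive tuning, since it survives the uid change that 'doas' performs.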
Categories
- Linux
- Endpoint
Data Sources
- Kernel
- Process
ATT&CK Techniques
- T1548.003
- T1548
Created: 2024-11-13