332. That's How Shai-Hulud 2.0 Escalate Privileges

Hello everyone!

I'm sure you already heard about Shai-Hulud, we even talked about it already, but let's look at the new version, and focus on privilege escalation tactic.

So, here's the report. Let's look at Figure 11. First, the adversary checks if passwordless sudo access is available:

sudo -n true

If not, it leverages Docker's privileged container access to mount the host filesystem and modify the sudoers configuration file:

docker run --rm --privileged -v /:/host ubuntu bash -c "cp /host/tmp/runner /host/etc/sudoers.d/runner"

Both can be good hunting opportunities! Let's start from sudo:

event_type: "processcreatenix"

AND

cmdline: "sudo -n true"

And for Docker abuse:

event_type: "processcreatenix"

AND

cmdline: ("docker" AND "run" AND "privileged" AND "cp" AND "sudoers.d")

See you tomorrow!

Comments

Popular posts from this blog

391. Hunting for TeamPCP's Stealer

343. Ransomware Gangs Abuse SystemSettingsAdminFlows to Evade Defenses

324. Adversaries Use HideMouse to Hide Evidence of Remote Access