Adversaries may create a doas.conf file to configure privilege escalation through the doas utility, leveraging T1548 to gain unauthorized access. SOC teams should proactively hunt for this behavior in Azure Sentinel to identify potential privilege escalation attempts and mitigate lateral movement risks.
Detection Rule
title: Linux Doas Conf File Creation
id: 00eee2a5-fdb0-4746-a21d-e43fbdea5681
status: stable
description: Detects the creation of the doas.conf file on a Linux host.
references:
    - https://research.splunk.com/endpoint/linux_doas_conf_file_creation/
    - https://www.makeuseof.com/how-to-install-and-use-doas/
author: Sittikorn S, Teoderick Contreras
date: 2022-01-20
modified: 2022-12-31
tags:
    - attack.defense-evasion
    - attack.privilege-escalation
    - attack.t1548
logsource:
    product: linux
    category: file_event
detection:
    selection:
        TargetFilename|endswith: '/etc/doas.conf'
    condition: selection
falsepositives:
    - Unlikely
level: medium
Azure Sentinel (KQL) Query
imFileEvent
| where TargetFileName endswith "/etc/doas.conf"
Scenario: System administrator creates doas.conf as part of a standard user setup for a new user.
Filter/Exclusion: Check for the presence of useradd or usermod in the same log entry, or filter by user root or admin.
Scenario: A legitimate system update or package installation creates doas.conf as part of the installation process.
Filter/Exclusion: Filter events where the file is created in a known package installation directory (e.g., /usr/local/etc/doas.conf), or check for the presence of apt, yum, or dnf in the log.
Scenario: A scheduled job or cron task generates a temporary doas.conf file for testing or configuration purposes.
Filter/Exclusion: Filter by the presence of cron or crontab in the log, or check for a temporary file path (e.g., /tmp/doas.conf).
Scenario: A developer or DevOps engineer manually creates doas.conf to configure privilege escalation for a specific application or service.
Filter/Exclusion: Filter by the presence of doas in the log, or check for a known service configuration directory (e.g., /opt/app/etc/doas.conf).
Scenario: A security tool or configuration management system (e.g., Ansible, Puppet) creates doas.conf as part of an automated configuration push.
Filter/Exclusion: Filter by the presence of configuration management tool names (e.g., ansible, puppet, chef) in the log, or check for a known configuration directory (e.g., /etc/doas.conf).
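The selection above together with the process-name exclusions from the false-positive scenarios, as an added worked example that is not part of the Sigma rule or the Splunk reference. Field names follow the rule (TargetFilename); the Image field and the sample events are constructed for this illustration.

```python
from typing import Dict, List, Optional, Tuple

Event = Dict[str, str]

# Selection from the rule: any path that ends with /etc/doas.conf.
# Note this also matches /usr/local/etc/doas.conf but not /tmp/doas.conf.
def matches_rule(event: Event) -> bool:
    return event.get("TargetFilename", "").endswith("/etc/doas.conf")

# Exclusions taken from the scenarios on this page, keyed on the writing
# process's basename. Assumed field name: Image (full path of the process).
PACKAGE_MANAGERS = {"apt", "apt-get", "dpkg", "yum", "dnf"}
CONFIG_MGMT = {"ansible", "puppet", "chef", "chef-client"}

def exclusion_reason(event: Event) -> Optional[str]:
    """Return why a selected event is suppressed, or None to alert on it."""
    image = event.get("Image", "").rsplit("/", 1)[-1]
    if image in PACKAGE_MANAGERS:
        return "package installation"
    if image in CONFIG_MGMT:
        return "configuration management push"
    return None  # keep the allowlist narrow: a process name is weak evidence

def triage(events: List[Event]) -> List[Tuple[Event, str]]:
    """Apply the rule, then the exclusions; yields (event, verdict) pairs."""
    results: List[Tuple[Event, str]] = []
    for ev in events:
        if not matches_rule(ev):
            continue
        reason = exclusion_reason(ev)
        results.append((ev, f"suppressed: {reason}" if reason else "alert"))
    return results

# Constructed sample file-creation events.
SAMPLE_EVENTS: List[Event] = [
    {"TargetFilename": "/etc/doas.conf", "Image": "/usr/bin/vim", "User": "www-data"},
    {"TargetFilename": "/usr/local/etc/doas.conf", "Image": "/usr/bin/dpkg", "User": "root"},
    {"TargetFilename": "/etc/doas.conf", "Image": "/opt/puppetlabs/bin/puppet", "User": "root"},
    {"TargetFilename": "/tmp/doas.conf", "Image": "/usr/bin/touch", "User": "dev"},
]

if __name__ == "__main__":
    for ev, verdict in triage(SAMPLE_EVENTS):
        print(f"{verdict:45s} {ev['User']:9s} {ev['Image']} -> {ev['TargetFilename']}")
```

The third event would alert if the same file were written by an Ansible module, because those run under a python interpreter rather than a process named ansible; that is the limit of the name-based filters suggested above.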