Name:Detect Baron Samedit CVE-2021-3156 id:93fbec4e-0375-440c-8db3-4508eca470c4 version:4 date:2024-10-17 author:Shannon Davis, Splunk status:experimental type:TTP Description:The following analytic detects attempts to exploit the Baron Samedit vulnerability (CVE-2021-3156) by identifying the use of the "sudoedit -s \\" command. This detection leverages logs from Linux systems, specifically searching for instances of the sudoedit command with the "-s" flag followed by a double quote. This activity is significant because it indicates an attempt to exploit a known vulnerability that allows attackers to gain root privileges. If confirmed malicious, this could lead to complete system compromise, unauthorized access to sensitive data, and potential data breaches. Data_source:
how_to_implement:Splunk Universal Forwarder running on Linux systems, capturing logs from the /var/log directory. The vulnerability is exposed when a non privledged user tries passing in a single \ character at the end of the command while using the shell and edit flags. known_false_positives:unknown References: drilldown_searches:
: tags: analytic_story: - 'Baron Samedit CVE-2021-3156' asset_type:Endpoint confidence:50 cve: - 'CVE-2021-3156' impact:50 message:tbd mitre_attack_id: - 'T1068' observable: name:'dest' type:'Other' - role: - 'Victim' product: - 'Splunk Enterprise' - 'Splunk Enterprise Security' - 'Splunk Cloud' required_fields: - '_time' risk_score:25 security_domain:endpoint
