Techniques
Sample rules
Detect Baron Samedit CVE-2021-3156 Segfault
- source: splunk
- techniques:
  - T1068
Description
The following analytic identifies attempted exploitation of the heap-based buffer overflow in sudoedit (CVE-2021-3156, "Baron Samedit") by detecting Linux logs that contain both the "sudoedit" and "segfault" terms. The detection uses Splunk to alert when more than five such events occur on a single host within the searched timeframe, since a failed exploit attempt typically crashes sudoedit and leaves a segfault record. This activity is significant because successful exploitation of CVE-2021-3156 lets a local attacker gain root privileges, leading to potential system compromise, unauthorized access, and data breaches. If confirmed malicious, this could result in elevated privileges and full control over the affected system, posing a severe security risk.
Detection logic
`linux_hosts` TERM(sudoedit) TERM(segfault)
| stats count min(_time) as firstTime max(_time) as lastTime by host
| where count > 5
| `detect_baron_samedit_cve_2021_3156_segfault_filter`
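The same logic as the Splunk search above, run over syslog-style lines, as an added example (this is not Splunk's or the rule author's code). It assumes the kernel's segfault report is forwarded through syslog in the usual `timestamp host message` layout; the sample lines, hostnames, PIDs and addresses are constructed for the demo. It mirrors the search step by step: both terms must appear as whole tokens in a line (the `TERM()` matches), counts with first and last times are kept per host (the `stats` clause), and a host is reported only when its count is strictly greater than the threshold (`where count > 5`).

```python
import re
from datetime import datetime

# Constructed sample log lines (not real captures). The layout mimics a
# syslog line carrying the kernel's segfault report; hosts, PIDs and
# addresses are invented. web01 has 6 sudoedit segfaults, db02 exactly 5,
# build03 a segfault from another binary plus ordinary sudoedit use.
SAMPLE_LOGS = """\
Jan 26 13:01:02 web01 kernel: sudoedit[4101]: segfault at 0 ip 00007f00deadbeef sp 00007ffc00000040 error 4 in libc-2.31.so[7f00dead0000+178000]
Jan 26 13:01:03 web01 kernel: sudoedit[4102]: segfault at 0 ip 00007f00deadbeef sp 00007ffc00000040 error 4 in libc-2.31.so[7f00dead0000+178000]
Jan 26 13:01:04 web01 kernel: sudoedit[4103]: segfault at 0 ip 00007f00deadbeef sp 00007ffc00000040 error 4 in libc-2.31.so[7f00dead0000+178000]
Jan 26 13:01:05 web01 kernel: sudoedit[4104]: segfault at 0 ip 00007f00deadbeef sp 00007ffc00000040 error 4 in libc-2.31.so[7f00dead0000+178000]
Jan 26 13:01:06 web01 kernel: sudoedit[4105]: segfault at 0 ip 00007f00deadbeef sp 00007ffc00000040 error 4 in libc-2.31.so[7f00dead0000+178000]
Jan 26 13:01:07 web01 kernel: sudoedit[4106]: segfault at 0 ip 00007f00deadbeef sp 00007ffc00000040 error 4 in libc-2.31.so[7f00dead0000+178000]
Jan 26 13:02:00 web01 sudo: alice : TTY=pts/0 ; PWD=/home/alice ; USER=root ; COMMAND=sudoedit /etc/hosts
Jan 26 13:05:10 db02 kernel: sudoedit[2201]: segfault at 0 ip 00007f00deadbeef sp 00007ffc00000040 error 4 in libc-2.31.so[7f00dead0000+178000]
Jan 26 13:05:11 db02 kernel: sudoedit[2202]: segfault at 0 ip 00007f00deadbeef sp 00007ffc00000040 error 4 in libc-2.31.so[7f00dead0000+178000]
Jan 26 13:05:12 db02 kernel: sudoedit[2203]: segfault at 0 ip 00007f00deadbeef sp 00007ffc00000040 error 4 in libc-2.31.so[7f00dead0000+178000]
Jan 26 13:05:13 db02 kernel: sudoedit[2204]: segfault at 0 ip 00007f00deadbeef sp 00007ffc00000040 error 4 in libc-2.31.so[7f00dead0000+178000]
Jan 26 13:05:14 db02 kernel: sudoedit[2205]: segfault at 0 ip 00007f00deadbeef sp 00007ffc00000040 error 4 in libc-2.31.so[7f00dead0000+178000]
Jan 26 13:07:00 build03 kernel: gcc[9001]: segfault at 0 ip 000055550000abcd sp 00007ffd00000010 error 4 in cc1[555500000000+1a0000]
Jan 26 13:07:30 build03 sudo: bob : TTY=pts/1 ; PWD=/home/bob ; USER=root ; COMMAND=sudoedit /etc/motd
""".splitlines()

# "Mon DD HH:MM:SS host message" as emitted by classic syslog (no year).
SYSLOG_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) (?P<msg>.*)$"
)
# Whole-token split, so "sudoedit[4101]" yields the token "sudoedit",
# which is what the search's TERM(sudoedit) / TERM(segfault) require.
TOKEN_RE = re.compile(r"[A-Za-z0-9_]+")


def parse_line(line, year=2021):
    """Return (timestamp, host, message) or None for lines that do not parse.

    Classic syslog omits the year, so it is supplied by the caller (assumed
    2021 here, the year the CVE was published)."""
    m = SYSLOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
    return ts, m["host"], m["msg"]


def detect_baron_samedit_segfaults(lines, threshold=5):
    """Equivalent of the SPL: count matching events per host with first/last
    time, then keep hosts whose count is strictly greater than threshold."""
    stats = {}
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        ts, host, msg = parsed
        if not {"sudoedit", "segfault"} <= set(TOKEN_RE.findall(msg)):
            continue  # both terms must be present as whole tokens
        s = stats.setdefault(host, {"count": 0, "firstTime": ts, "lastTime": ts})
        s["count"] += 1
        s["firstTime"] = min(s["firstTime"], ts)
        s["lastTime"] = max(s["lastTime"], ts)
    return {h: s for h, s in stats.items() if s["count"] > threshold}


if __name__ == "__main__":
    for host, s in detect_baron_samedit_segfaults(SAMPLE_LOGS).items():
        print(f"{host}: {s['count']} sudoedit segfaults between "
              f"{s['firstTime']:%H:%M:%S} and {s['lastTime']:%H:%M:%S}")
```

Run against the sample, only web01 is reported: db02 has exactly five hits and falls under the strict `> 5` comparison, and build03's segfault comes from a different binary while its sudoedit line is a normal sudo audit record without the "segfault" term. In production the threshold is worth tuning per environment, since a single failed exploit attempt produces only one segfault and a patient attacker may stay under five.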