sigma, low, TTP

Linux Doas Tool Execution

Detects execution of the doas tool on Linux hosts. This utility allows standard users to perform tasks as root, the same way sudo does.

MITRE ATT&CK

defense-evasion, privilege-escalation

Detection Query

selection:
  Image|endswith: /doas
condition: selection

Author

Sittikorn S, Teoderick Contreras

Created

2022-01-20

Data Sources

linux, Process Creation Events

Platforms

linux

Tags

attack.defense-evasion, attack.privilege-escalation, attack.t1548

Raw Content

title: Linux Doas Tool Execution
id: 067d8238-7127-451c-a9ec-fa78045b618b
status: stable
description: Detects the doas tool execution in linux host platform. This utility tool allow standard users to perform tasks as root, the same way sudo does.
references:
    - https://research.splunk.com/endpoint/linux_doas_tool_execution/
    - https://www.makeuseof.com/how-to-install-and-use-doas/
author: Sittikorn S, Teoderick Contreras
date: 2022-01-20
tags:
    - attack.defense-evasion
    - attack.privilege-escalation
    - attack.t1548
logsource:
    product: linux
    category: process_creation
detection:
    selection:
        Image|endswith: '/doas'
    condition: selection
falsepositives:
    - Unlikely
level: low