splunk_escu (TTP)

Detect Baron Samedit CVE-2021-3156

The following analytic detects attempts to exploit the Baron Samedit vulnerability (CVE-2021-3156) by identifying the use of the "sudoedit -s \\" command. This detection leverages logs from Linux systems, specifically searching for instances of the sudoedit command with the "-s" flag followed by a double quote. This activity is significant because it indicates an attempt to exploit a known vulnerability that allows attackers to gain root privileges. If confirmed malicious, this could lead to complete system compromise, unauthorized access to sensitive data, and potential data breaches.

MITRE ATT&CK

T1068

Detection Query

`linux_hosts` "sudoedit -s \\" | `detect_baron_samedit_cve_2021_3156_filter`
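
The query above is a raw-text match for the literal string `sudoedit -s \` in Linux host logs. The following is an added example, not part of the ESCU content or Splunk's own code, that shows the same detection logic applied outside Splunk: it parses constructed syslog-style sudo lines (the sample lines and their field layout are assumptions, not real captures), extracts the host, user and COMMAND field, and flags a sudoedit invocation carrying the shell flag `-s` and a lone trailing backslash. It generalizes the literal substring slightly by tolerating a full path to sudoedit and extra whitespace between arguments, and it emits an alert shaped like the rule's `rba` block (message on `$dest$`, score 50).

```python
import re
from dataclasses import dataclass
from typing import List

# Constructed sample lines in a syslog-style sudo format (assumption: this
# layout is illustrative, not a verbatim capture from a real system).
SAMPLE_LOG_LINES = [
    "Jan 27 10:15:01 web01 sudo:    alice : TTY=pts/1 ; PWD=/home/alice ; USER=root ; COMMAND=/usr/bin/apt update",
    "Jan 27 10:16:22 web01 sudo:      bob : TTY=pts/2 ; PWD=/home/bob ; USER=root ; COMMAND=sudoedit -s \\",
    "Jan 27 10:17:05 db02 sudo:    carol : TTY=pts/0 ; PWD=/home/carol ; USER=root ; COMMAND=sudoedit /etc/hosts",
    "Jan 27 10:18:40 db02 sudo:     dave : TTY=pts/3 ; PWD=/tmp ; USER=root ; COMMAND=sudoedit   -s   \\",
    "Jan 27 10:19:02 db02 sshd[4021]: Accepted publickey for erin from 10.0.0.5 port 50122 ssh2",
    "Jan 27 10:20:15 app03 sudo:     erin : TTY=pts/4 ; PWD=/home/erin ; USER=root ; COMMAND=/usr/bin/sudoedit -s \\",
]

# Pulls timestamp, host, invoking user and the COMMAND= field out of a sudo line.
SUDO_LINE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+\s+[\d:]+)\s+(?P<host>\S+)\s+sudo:\s+"
    r"(?P<user>\S+)\s*:.*?COMMAND=(?P<command>.*)$"
)

RISK_SCORE = 50  # mirrors the rule's rba.risk_objects score


@dataclass
class Alert:
    dest: str
    user: str
    command: str
    score: int

    @property
    def message(self) -> str:
        # Same shape as the rule's rba.message, with $dest$ filled in.
        return f"Potential Baron Samedit behavior on {self.dest}"


def is_baron_samedit_attempt(command: str) -> bool:
    """True when COMMAND is sudoedit with the -s shell flag and a lone trailing backslash."""
    argv = command.split()
    if not argv:
        return False
    # Accept both "sudoedit" and an absolute path such as /usr/bin/sudoedit.
    if argv[0].rsplit("/", 1)[-1] != "sudoedit":
        return False
    # Short-option cluster containing 's' (e.g. -s); long options are ignored.
    shell_flag = any(
        a.startswith("-") and not a.startswith("--") and "s" in a[1:] for a in argv[1:]
    )
    return shell_flag and argv[-1] == "\\"


def scan_log(lines: List[str]) -> List[Alert]:
    """Run the detection over log lines and return one Alert per matching event."""
    alerts: List[Alert] = []
    for line in lines:
        m = SUDO_LINE.match(line)
        if not m:
            continue  # not a sudo event, skip
        if is_baron_samedit_attempt(m.group("command")):
            alerts.append(Alert(m.group("host"), m.group("user"), m.group("command"), RISK_SCORE))
    return alerts


if __name__ == "__main__":
    for alert in scan_log(SAMPLE_LOG_LINES):
        print(f"{alert.message} (user={alert.user}, score={alert.score}, command={alert.command!r})")
```

Running the block against the constructed lines yields three alerts (bob, dave and erin); the extra-whitespace and full-path variants would slip past the literal `"sudoedit -s \\"` substring match, which is the reason for parsing the COMMAND field rather than grepping the raw line.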

Author

Shannon Davis, Splunk

Created

2026-03-10

Tags

Baron Samedit CVE-2021-3156

Raw Content

name: Detect Baron Samedit CVE-2021-3156
id: 93fbec4e-0375-440c-8db3-4508eca470c4
version: 8
date: '2026-03-10'
author: Shannon Davis, Splunk
status: experimental
type: TTP
description: The following analytic detects attempts to exploit the Baron Samedit vulnerability (CVE-2021-3156) by identifying the use of the "sudoedit -s \\" command. This detection leverages logs from Linux systems, specifically searching for instances of the sudoedit command with the "-s" flag followed by a double quote. This activity is significant because it indicates an attempt to exploit a known vulnerability that allows attackers to gain root privileges. If confirmed malicious, this could lead to complete system compromise, unauthorized access to sensitive data, and potential data breaches.
data_source: []
search: '`linux_hosts` "sudoedit -s \\" | `detect_baron_samedit_cve_2021_3156_filter`'
how_to_implement: Splunk Universal Forwarder running on Linux systems, capturing logs from the /var/log directory. The vulnerability is exposed when a non-privileged user passes a single \ character at the end of the command while using the shell and edit flags.
known_false_positives: No false positives have been identified at this time.
references: []
rba:
    message: Potential Baron Samedit behavior on $dest$
    risk_objects:
        - field: dest
          type: system
          score: 50
    threat_objects: []
tags:
    analytic_story:
        - Baron Samedit CVE-2021-3156
    asset_type: Endpoint
    cve:
        - CVE-2021-3156
    mitre_attack_id:
        - T1068
    product:
        - Splunk Enterprise
        - Splunk Enterprise Security
        - Splunk Cloud
    security_domain: endpoint