Detecting the Baron Samedit sudo attack
The buffer overflow attack dubbed Baron Samedit can lead to privilege escalation on many current and widely used Linux operating systems. An unprivileged user can exploit this vulnerability to gain root privileges on a host even under the default sudo configuration.
Your network includes Linux and Unix machines, and those machines have the sudo command installed. You need a proactive way to interrogate your servers and make a data-driven response to manage your threat surface.
Data required
How to use Splunk software for this use case
Depending on what information you have available, you might find it useful to identify some or all of the following:
Next steps
These searches give you a proactive way to interrogate your servers and make a data-driven response to manage your threat surface.
The content in this use case comes from a previously published blog, one of the thousands of Splunk resources available to help users succeed. These additional Splunk resources might help you understand and implement this specific use case:
- Conf Presentation: ATT&CKing Linux using SPL
- Blog: Hunting with Splunk: The basics (this is a series starting from this link)