Detectionlowstable

Linux Doas Tool Execution

Detects the doas tool execution in linux host platform. This utility tool allow standard users to perform tasks as root, the same way sudo does.

Convert In Phoenix Studio

Open this Sigma rule in the converter with the YAML preloaded and ready for backend selection.

Sittikorn S, Teoderick ContrerasCreated Thu Jan 20067d8238-7127-451c-a9ec-fa78045b618blinux

Log Source

LinuxProcess Creation

ProductLinux← raw: linux

CategoryProcess Creation← raw: process_creation

Events generated when a new process is spawned on the system. Covers command-line arguments, parent/child relationships, and process metadata.

Detection Logic

detection:
    selection:
        Image|endswith: '/doas'
    condition: selection

False Positives

Unlikely

False positives are unlikely for most environments. High confidence detection.

References

MITRE ATT&CK

Tactics

Techniques

Rule Metadata

Rule ID

067d8238-7127-451c-a9ec-fa78045b618b

Status

stable

Level

low

Type

Detection

Created

Thu Jan 20

Author

Path

rules/linux/process_creation/proc_creation_lnx_doas_execution.yml

Raw Tags

attack.defense-evasionattack.privilege-escalationattack.t1548