Attempted User Privilege Gain

The Attempted User Privilege Gain category of rules monitors for attackers trying to elevate privileges to an unauthorized level. An attacker who already has access to a user account can exploit various types of system vulnerabilities to elevate her privileges and reach data for which she is not authorized.

An example is the modification of a .rhosts file to grant global access rights (the "+ +" entry the rule below looks for trusts every user on every host), effectively removing access control for specific situations on the affected hosts. This Snort rule detects such Attempted User Privilege Gain activity:

alert tcp $EXTERNAL_NET any -> $HOME_NET 514
(msg:"RSERVICES rsh echo + +"; flow:to_server,established;
content: "echo |22|+ +|22|"; classtype:attempted-user;)
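As an added example (not from the book), the following Python translates the rule's content string, with its |22| hex escapes, into the bytes Snort actually searches for, and applies the rule's header scoping plus the content check to constructed rsh payloads. $HOME_NET is approximated by the 10.0.0. prefix and the TCP "established" state is not modelled; both are assumptions of this example.

```python
import re
from dataclasses import dataclass

# Added example, not from the original page: the content pattern of the rule
# quoted above, and a minimal matcher applying its header and content checks.
RULE_CONTENT = 'echo |22|+ +|22|'   # |22| is Snort's hex escape for '"'
HOME_NET_PREFIX = '10.0.0.'          # assumed $HOME_NET, stands in for a CIDR
RSH_PORT = 514


def snort_content_to_bytes(content: str) -> bytes:
    """Translate a Snort content string with |hex| escapes into raw bytes."""
    out = bytearray()
    # Alternate runs of literal text with optional pipe-delimited hex blocks.
    for literal, hexblock in re.findall(r'([^|]*)(?:\|([0-9A-Fa-f ]*)\|)?', content):
        out += literal.encode('latin-1')
        if hexblock:
            out += bytes.fromhex(hexblock)
    return bytes(out)


PATTERN = snort_content_to_bytes(RULE_CONTENT)   # b'echo "+ +"'


@dataclass
class Packet:
    src: str
    dst: str
    dport: int
    payload: bytes


def rule_matches(pkt: Packet) -> bool:
    """Apply 'tcp $EXTERNAL_NET any -> $HOME_NET 514' and the content check.
    flow:to_server is approximated by the external->internal direction test."""
    if pkt.src.startswith(HOME_NET_PREFIX) or not pkt.dst.startswith(HOME_NET_PREFIX):
        return False
    if pkt.dport != RSH_PORT:
        return False
    return PATTERN in pkt.payload


# Constructed sample rsh requests: "<stderr port>\0<client user>\0<server user>\0<command>\0".
SAMPLES = {
    'rhosts_write': Packet('198.51.100.7', '10.0.0.5', 514,
                           b'0\x00alice\x00root\x00echo "+ +" >> /.rhosts\x00'),
    'benign_uptime': Packet('198.51.100.7', '10.0.0.5', 514,
                            b'0\x00alice\x00alice\x00uptime\x00'),
    'internal_source': Packet('10.0.0.9', '10.0.0.5', 514,
                              b'0\x00bob\x00bob\x00echo "+ +" >> .rhosts\x00'),
    'same_string_other_port': Packet('198.51.100.7', '10.0.0.5', 23, b'echo "+ +"\r\n'),
}


def evaluate() -> dict:
    """Return which constructed samples the rule would alert on."""
    return {name: rule_matches(pkt) for name, pkt in SAMPLES.items()}
```

The last two samples show the rule's blind spots: the same command from an internal host, or the same string on a port other than 514, produces no alert, so this signature covers only the external-to-rsh path.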
