Add DirtyFrag custom auditd attack data#1182
Conversation
|
@Axselll Hey, thanks for the contribution! Can you make sure you have |
I think i don't have |
|
Hello @ljstella. I have installed and configured |
|
@Axselll you will also have to include a new entry in the yaml file itself. datasets/attack_techniques/T1068/linux_dirtyfrag/linux_dirtyfrag.yml in the Also take a look at the actual PR i left some comments, once those are addressed we can proceed to merging/discarding this if needed. |
nasbench
left a comment
There was a problem hiding this comment.
We need this change in order to merge the PR on the other end
* Add Dirty Frag (CVE-2026-43284/43500) Linux kernel LPE detection Adds detection for Dirty Frag, a deterministic Linux kernel local privilege escalation disclosed May 7 2026 and exploited in the wild within 24 hours. Attaches to the existing Linux Privilege Escalation analytic story. Dirty Frag chains two kernel page-cache write vulnerabilities in the xfrm-ESP (CVE-2026-43284) and RxRPC (CVE-2026-43500) subsystems. It bypasses the Copy Fail mitigation (algif_aead blocklist) — environments that patched for Copy Fail remain fully exposed. Detection uses auditd session-scoped auid correlation to identify the universal exploitation pattern: ELF binary execution from a user-writable path followed by a confirmed privilege transition (euid=0, uid!=0) within the same audit session within 5 minutes. Validated against the public PoC (V4bel/dirtyfrag) in a sandboxed lab environment. Attack data: splunk/attack_data#1182 * Fix time field names in SPL * add more observed threat objects * Modify SPL for better search & time performance * Adjust SPL to match existing auditd configs present on Florian Roth repository * Fixing typo on how to implement section * Delete macros/linux_dirty_frag_kernel_privilege_escalation_filter.yml * Update linux_dirty_frag_kernel_privilege_escalation.yml * Update linux_dirty_frag_kernel_privilege_escalation.yml * Apply suggestions from code review Co-authored-by: Nasreddine Bencherchali <nbencher@cisco.com> * Update linux_dirty_frag_kernel_privilege_escalation.yml --------- Co-authored-by: axsel <anasahetapi99.com> Co-authored-by: Nasreddine Bencherchali <nbencher@cisco.com> Co-authored-by: nasbench <8741929+nasbench@users.noreply.github.com>
a custom attack data related to DirtyFrag tested on my environment