Enterprise EDR: Can Enterprise EDR detect CVE-2021-3156 being exploited
Enterprise EDR (was CB ThreatHunter)
Can Enterprise EDR detect exploit of CVE-2021-3156?
Yes. Use the following search, which can also be added as a watchlist:
cmdline:sudoedit (cmdline:"-s" OR cmdline:"-i")
CVE-2021-3156 identifies a vulnerability in the sudo program provided by the underlying OS that allows privilege escalation to root via a heap-based buffer overflow. Any Linux server running a version of sudo prior to 1.9.5p2 is vulnerable.
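The watchlist search above matches every sudoedit invocation that carries -s or -i, which includes routine administrator use, so each hit still needs triage against the sudo build on the host. The following Python is an added, stand-alone example (not Carbon Black code and not part of this article) that mirrors the search's matching logic over constructed process events and adds the one check a responder wants first: whether the host's sudo version is prior to the 1.9.5p2 cutoff named above. The event field names (host, sudo_version, cmdline) and the sample events are assumptions made for the example.

```python
"""Offline mirror of the Enterprise EDR watchlist search
    cmdline:sudoedit (cmdline:"-s" OR cmdline:"-i")
plus a sudo version check against the 1.9.5p2 cutoff from the article.

Assumptions (not from the article): process events are dicts with the keys
"host", "sudo_version" and "cmdline"; sudo versions look like "1.8.31p2".
"""
import re
import shlex

VULN_FIXED_IN = "1.9.5p2"  # version named in the article
_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:p(\d+))?$")


def parse_sudo_version(version):
    """Turn a string such as '1.8.31p2' into a comparable tuple (1, 8, 31, 2)."""
    m = _VERSION_RE.match(version.strip())
    if not m:
        raise ValueError(f"unrecognised sudo version string: {version!r}")
    major, minor, patch, p = m.groups()
    return (int(major), int(minor), int(patch), int(p or 0))


def sudo_version_is_vulnerable(version):
    """True when the reported build is prior to 1.9.5p2 (the article's cutoff)."""
    return parse_sudo_version(version) < parse_sudo_version(VULN_FIXED_IN)


def matches_watchlist(cmdline):
    """Apply  cmdline:sudoedit (cmdline:"-s" OR cmdline:"-i")  to one command line.

    Tokens are split shell-style; an unbalanced quote or trailing escape makes
    shlex fail, so fall back to whitespace splitting rather than drop the event.
    """
    try:
        tokens = shlex.split(cmdline)
    except ValueError:
        tokens = cmdline.split()
    # cmdline:sudoedit -> a token whose basename is "sudoedit" (path or bare name)
    if not any(tok.rsplit("/", 1)[-1] == "sudoedit" for tok in tokens):
        return False
    # (cmdline:"-s" OR cmdline:"-i") -> either flag present as its own token
    return any(tok in ("-s", "-i") for tok in tokens)


def scan(events):
    """Return the events the watchlist would raise, annotated with the version check."""
    hits = []
    for ev in events:
        if not matches_watchlist(ev["cmdline"]):
            continue
        hits.append({
            "host": ev["host"],
            "cmdline": ev["cmdline"],
            "vulnerable_build": sudo_version_is_vulnerable(ev["sudo_version"]),
        })
    return hits


# Constructed sample events for this example; not real telemetry.
SAMPLE_EVENTS = [
    {"host": "web-01", "sudo_version": "1.8.31p2", "cmdline": "sudoedit -s /etc/hosts"},
    {"host": "web-02", "sudo_version": "1.9.5p2", "cmdline": "/usr/bin/sudoedit -i /etc/motd"},
    {"host": "db-01", "sudo_version": "1.8.21p2", "cmdline": "sudoedit /etc/ssh/sshd_config"},
    {"host": "db-02", "sudo_version": "1.9.5p1", "cmdline": "sudo -i"},
]

if __name__ == "__main__":
    for hit in scan(SAMPLE_EVENTS):
        print(hit)
```

Run as-is, the script reports web-01 (vulnerable build, raise) and web-02 (patched build, likely benign administrator use); db-01 and db-02 do not satisfy the search because they lack the sudoedit-plus-flag combination. The version tuple treats a missing "pN" suffix as p0, so "1.9.5" sorts below "1.9.5p2" and is flagged, matching the article's "prior to 1.9.5p2" wording.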