Environment
- Enterprise EDR (was CB ThreatHunter)
Question
Can Enterprise EDR detect exploitation of CVE-2021-3156?
Answer
Yes. Use the following search, which can also be added as a watchlist:
cmdline:sudoedit (cmdline:"-s" OR cmdline:"-i")
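To show what that search does and does not surface, here is an added example (not Carbon Black code) that applies the same logic to constructed process-launch records. It assumes the EDR tokenises the command line on whitespace and matches a `sudoedit` token anywhere in it; the `combined_flags` option is broader than the exact search and is an assumption, not part of the product query.

```python
import shlex
from posixpath import basename

# Constructed sample process-launch records, not real EDR telemetry: (event id, command line).
SAMPLE_EVENTS = [
    (101, "sudoedit -s /etc/hosts"),
    (102, "/usr/bin/sudoedit -i /etc/motd"),
    (103, "sudoedit /etc/motd"),                    # normal sudoedit use, no -s/-i
    (104, "sudo -s"),                               # sudo, not sudoedit
    (105, "sudoedit -si /etc/hosts"),               # bundled short options
    (106, "grep sudoedit -i /var/log/auth.log"),    # search hit but benign: needs triage
]

FLAGS = {"-s", "-i"}

def matches_search(cmdline: str, combined_flags: bool = False) -> bool:
    """True when a command line satisfies cmdline:sudoedit (cmdline:"-s" OR cmdline:"-i").

    Assumption: tokens are split on whitespace and any token whose basename is
    'sudoedit' counts, so an argument containing the word also matches, as in
    the free-text search. combined_flags=True additionally treats bundled
    short options such as '-si' as hits, which is broader than the search.
    """
    try:
        tokens = shlex.split(cmdline)
    except ValueError:  # unbalanced quotes: not parseable, treat as no match
        return False
    if not any(basename(tok) == "sudoedit" for tok in tokens):
        return False
    for tok in tokens:
        if tok in FLAGS:
            return True
        if (combined_flags and tok.startswith("-") and not tok.startswith("--")
                and set(tok[1:]) & {"s", "i"}):
            return True
    return False

def scan(events, combined_flags: bool = False):
    """Return the ids of events the search would surface, in input order."""
    return [eid for eid, cmd in events if matches_search(cmd, combined_flags)]

if __name__ == "__main__":
    print(scan(SAMPLE_EVENTS))                       # [101, 102, 106]
    print(scan(SAMPLE_EVENTS, combined_flags=True))  # [101, 102, 105, 106]
```

Event 106 shows that the search keys on tokens, not on the executable, so hits still need a look at the parent process and the actual binary before escalating.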
Additional Notes
CVE-2021-3156 identifies a heap-based buffer overflow in the sudo package provided by the underlying OS that allows privilege escalation to root. Any Linux server running a version of sudo prior to 1.9.5p2 is vulnerable.