Rule: Detection of Unauthorized Creation of doas.conf File
Doas Conf File Creation
Query
DeviceFileEvents
| where ActionType == "FileCreated"
| where FileName endswith "doas.conf"About this query
Rule: Detection of Unauthorized Creation of doas.conf File
Description
This detection rule identifies attempts to create the doas.conf file on Linux systems. The doas.conf file is used by the doas command to provide a minimalistic alternative to sudo for privilege escalation. Unauthorized creation of this file could indicate malicious activity, such as an attempt to configure doas settings to gain elevated privileges.
This rule monitors for the creation of the doas.conf file, which is not typically created during standard operations. The presence of this file may indicate an attempt to set up unauthorized privilege escalation on the system.
Detection Logic
- Monitors
DeviceFileEventsfor events where:- The
ActionTypeis "FileCreated", and - The
FileNameends with "doas.conf".
- The
Tags
- File Events
- Privilege Escalation
- doas
- Linux Security
- Suspicious Activity
Search Query
Explanation
This query is designed to detect unauthorized attempts to create a specific configuration file, doas.conf, on Linux systems. The doas.conf file is associated with the doas command, which is an alternative to sudo for gaining elevated privileges. Creating this file without authorization could indicate malicious activity aimed at setting up unauthorized privilege escalation.
Key Points:
- Purpose: To identify the creation of the
doas.conffile, which could signal an attempt to gain unauthorized elevated privileges. - Monitored Events: The query looks at
DeviceFileEventsto find instances where:- The action type is "FileCreated".
- The file name ends with "doas.conf".
Tags:
- File Events
- Privilege Escalation
- doas
- Linux Security
- Suspicious Activity
Search Query:
DeviceFileEvents
| where ActionType == "FileCreated"
| where FileName endswith "doas.conf"
In simple terms, this query helps security teams detect when someone tries to create a potentially dangerous configuration file on a Linux system, which could be a sign of malicious intent.
Details

Ali Hussein
Released: July 8, 2024
Tables
Keywords
Operators