review pass: fidelity + credits + count consistency for ported modules

Three-agent rigorous review of the dirtydecrypt + fragnesia ports plus repo-wide doc consistency, followed by a full Linux build verification. dirtydecrypt (NOTICE + detection rules): - NOTICE.md: removed an unsupported "Zellic co-founder" detail and a fabricated disclosure-date narrative; tightened phrasing of the Zellic + V12 credit; noted that upstream poc.c carries no author/license header of its own. - Embedded auditd + sigma rules and detect/sigma.yml broadened to cover every binary in dd_targets[] (added /usr/bin/mount, /usr/bin/passwd, /usr/bin/chsh) and added the b32 splice rule, so the embedded ruleset matches the on-disk reference and the carrier list the exploit actually targets. - Exploit primitive verified byte-for-byte against the V12 PoC (tiny_elf[] identical, all rxgk/XDR/fire/pagecache_write logic token-identical). docker gcc:latest compile of the Linux path: COMPILE_OK, zero warnings. fragnesia: review found no defects. Exploit primitive byte-identical to the V12 PoC (shell_elf[] 192 bytes identical, AF_ALG GCM keystream table + userns/netns/XFRM + receiver/sender/run_trigger_pair all faithful). The deliberate omissions (ANSI TUI, CLI arg parsing) drop nothing exploit-critical. docker gcc:latest compile: COMPILE_OK; full project build links into a working skeletonkey ELF and --list shows the module registered correctly. Repo docs (README.md / CVES.md / ROADMAP.md): - Chose to keep "28 verified" as the headline; the two ported modules are represented as a separate clearly-labelled tier ("ported-but-unverified") that is explicitly excluded from the 28-module verified counts. README + CVES.md + ROADMAP.md now tell one consistent story. - Filled a pre-existing documentation gap: sudo_samedit, sequoia, sudoedit_editor, vmwgfx were registered + built but absent from CVES.md's inventory + operations tables. Added rows synthesized from each module's .cve / .summary / .kernel_range fields. - ROADMAP Phase 8 "7 🟡 PRIMITIVE modules" → "14"; added a "Landed since v0.1.0" group; moved vmwgfx out of the stale carry-overs. docs site (docs/index.html): - Stat box "28 / total modules" → "28 / verified modules" (the 14+14 breakdown now sums to the headline consistently). - Terminal example "scanning 28 modules" → "scanning 30 modules" (was factually wrong — the binary literally prints module_count() which is 30). - Status line: updated to mention the 2 ported-but-unverified modules and mirror the README phrasing. - docs/LAUNCH.md left as a dated v0.5.0 launch snapshot. Build verification: `docker run gcc:latest make clean && make` — links into a 30-module skeletonkey ELF on Linux. macOS dev box still hits the pre-existing dirty_pipe header gap; unchanged. .gitignore: added /skeletonkey to exclude the top-level build artifact (the existing modules/*/skeletonkey only covered per-module binaries; the root one was getting picked up by `git add -A`).
2026-05-22 18:41:37 -04:00
parent a8c8d5ef1f
commit ac557b67d0
8 changed files with 90 additions and 33 deletions
@@ -6,6 +6,7 @@ build/
 modules/*/build/
 modules/*/dirtyfail
 modules/*/skeletonkey
+/skeletonkey
 .vscode/
 .idea/
 *.swp
@@ -23,14 +23,19 @@ Status legend:
 - 🔴 **DEPRECATED** — fully patched everywhere relevant; kept for
  historical reference only

-**Counts:** 🟢 13 · 🟡 13 · 🔵 0 · ⚪ 0 · 🔴 0
+**Counts:** 30 modules total — 28 verified (🟢 14 · 🟡 14) plus 2
+ported-but-unverified (`dirtydecrypt`, `fragnesia` — see note below).
+🔵 0 · ⚪ 0 planned-with-stub · 🔴 0. (One ⚪ row below — CVE-2026-31402
+— is a *candidate* with no module, not counted as a module.)

 > **Note on `dirtydecrypt` / `fragnesia`:** these two are ported from
-> public PoCs and are **not yet VM-verified** end-to-end. They are
-> marked 🟡 but differ from the other 🟡 modules — they are
-> self-contained page-cache writes (no `--full-chain` finisher), and
-> their `detect()` is precondition-only because the CVE fix commits are
-> not yet pinned. See each module's `MODULE.md`.
+> public V12 PoCs and are **not yet VM-verified** end-to-end. They are
+> listed 🟡 in the table below but are **not** part of the 28-module
+> verified corpus — they differ from the other 🟡 modules in two ways:
+> they are self-contained page-cache writes (no `--full-chain`
+> finisher), and their `detect()` is precondition-only because the CVE
+> fix commits are not yet pinned. `--auto` will not fire them blind.
+> See each module's `MODULE.md`.

 Every module ships a `NOTICE.md` crediting the original CVE
 reporter and PoC author. `skeletonkey --dump-offsets` populates the
@@ -66,6 +71,10 @@ root on a host can upstream their kernel's offsets via PR.
 | CVE-2023-4622 | AF_UNIX garbage-collector race UAF | LPE (slab UAF, plain unprivileged) | mainline 6.6-rc1 (Aug 2023) | `af_unix_gc` | 🟡 | Lin Ma. Two-thread race driver: SCM_RIGHTS cycle vs unix_gc trigger; kmalloc-512 (SLAB_TYPESAFE_BY_RCU) refill via msg_msg. **Widest deployment of any module — bug exists since 2.x.** No userns required. Branch backports: 4.14.326 / 4.19.295 / 5.4.257 / 5.10.197 / 5.15.130 / 6.1.51 / 6.5.0. |
 | CVE-2022-25636 | nft_fwd_dup_netdev_offload heap OOB | LPE (kernel R/W via offload action[] OOB) | mainline 5.17 / 5.16.11 (Feb 2022) | `nft_fwd_dup` | 🟡 | Aaron Adams (NCC). NFT_CHAIN_HW_OFFLOAD chain + 16 immediates + fwd writes past action.entries[1]. msg_msg kmalloc-512 spray. Branch backports: 5.4.181 / 5.10.102 / 5.15.25 / 5.16.11. |
 | CVE-2023-0179 | nft_payload set-id memory corruption | LPE (regs->data[] OOB R/W) | mainline 6.2-rc4 / 6.1.6 (Jan 2023) | `nft_payload` | 🟡 | Davide Ornaghi. NFTA_SET_DESC variable-length element + NFTA_SET_ELEM_EXPRESSIONS payload-set whose verdict.code drives the OOB. Dual cg-96 + 1k spray. Branch backports: 4.14.302 / 4.19.269 / 5.4.229 / 5.10.163 / 5.15.88 / 6.1.6. |
+| CVE-2021-3156 | sudo Baron Samedit — `sudoedit -s` heap overflow | LPE (userspace setuid sudo) | sudo 1.9.5p2 (Jan 2021) | `sudo_samedit` | 🟡 | Qualys Baron Samedit. Heap overflow via `sudoedit -s '\'` escaped-backslash parsing. Affects sudo 1.8.2 ≤ V ≤ 1.9.5p1. Heap-tuned exploit — may crash sudo on a mismatched layout. Ships auditd + sigma rules. |
+| CVE-2021-33909 | Sequoia — `seq_file` size_t overflow → kernel stack OOB | LPE (kernel stack OOB write) | mainline 5.13.4 / 5.10.52 / 5.4.134 (Jul 2021) | `sequoia` | 🟡 | Qualys Sequoia. `size_t`-to-`int` conversion in `seq_file` drives an OOB write off the kernel stack via a deeply-nested directory mount. Primitive-only — fires the overflow + records a witness; no portable cred chain. Branch backports: 5.13.4 / 5.10.52 / 5.4.134. Ships auditd rule. |
+| CVE-2023-22809 | sudoedit `EDITOR`/`VISUAL` `--` argv escape | LPE (userspace setuid sudoedit) | sudo 1.9.12p2 (Jan 2023) | `sudoedit_editor` | 🟢 | Structural argv-injection — an extra `--` in `EDITOR`/`VISUAL` makes setuid `sudoedit` open an attacker-chosen file as root. No kernel state, no offsets, no race. Affects sudo 1.8.0 ≤ V < 1.9.12p2. Ships auditd + sigma rules. |
+| CVE-2023-2008 | vmwgfx DRM buffer-object size-validation OOB | LPE (kernel R/W via kmalloc-512 OOB) | mainline 6.3-rc6 (Apr 2023) | `vmwgfx` | 🟡 | vmwgfx DRM `bo` size-validation gap → OOB write in kmalloc-512. Affects 4.0 ≤ K < 6.3-rc6 on hosts with the `vmwgfx` module loaded (VMware guests). Primitive-only — fires the OOB + slab witness; no cred chain. Branch backports: 6.2.10 / 6.1.23. Ships auditd rule. |
 | CVE-2026-31635 | DirtyDecrypt / DirtyCBC — rxgk missing-COW in-place decrypt | LPE (page-cache write into a setuid binary) | duplicate of an already-patched mainline flaw (fix commit not yet pinned) | `dirtydecrypt` | 🟡 | **Ported from the public V12 PoC, not yet VM-verified.** Sibling of Copy Fail / Dirty Frag in the rxgk (AFS rxrpc encryption) subsystem. `fire()` sliding-window page-cache write, ~256 fires/byte; rewrites the first 120 bytes of `/usr/bin/su` with a setuid-shell ELF. `--active` probe fires the primitive at a `/tmp` sentinel. detect() is precondition-only — see MODULE.md. x86_64. |
 | CVE-2026-46300 | Fragnesia — XFRM ESP-in-TCP `skb_try_coalesce` SHARED_FRAG loss | LPE (page-cache write into a setuid binary) | distro patches 2026-05-13; mainline fix followed (commit not yet pinned) | `fragnesia` | 🟡 | **Ported from the public V12 PoC, not yet VM-verified.** Latent bug exposed by the Dirty Frag fix (`f4c50a4034e6`). AF_ALG GCM keystream table + userns/netns + XFRM ESP-in-TCP splice trigger pair; rewrites the first 192 bytes of `/usr/bin/su`. Needs `CONFIG_INET_ESPINTCP` + unprivileged userns (the in-scope question the old `_stubs/fragnesia_TBD` raised — resolved: ships, reports PRECOND_FAIL when the userns gate is closed). PoC's ANSI TUI dropped in the port. x86_64. |

@@ -99,6 +108,10 @@ Symbols: ✓ = supported, — = not applicable / no automated path.
 | af_unix_gc | ✓ | ✓ (race) | — (upgrade kernel) | ✓ (queue drain) | ✓ (auditd) |
 | nft_fwd_dup | ✓ | ✓ (primitive) | — (upgrade kernel) | ✓ (queue drain) | ✓ (auditd) |
 | nft_payload | ✓ | ✓ (primitive) | — (upgrade kernel) | ✓ (queue drain) | ✓ (auditd + sigma) |
+| sudo_samedit | ✓ | ✓ (primitive) | — (upgrade sudo) | ✓ (crumb nuke) | ✓ (auditd + sigma) |
+| sequoia | ✓ | ✓ (primitive) | — (upgrade kernel) | ✓ (nested-tree + mount teardown) | ✓ (auditd) |
+| sudoedit_editor | ✓ | ✓ | — (upgrade sudo) | ✓ (revert written file) | ✓ (auditd + sigma) |
+| vmwgfx | ✓ | ✓ (primitive) | — (upgrade kernel) | ✓ (log unlink) | ✓ (auditd) |
 | dirtydecrypt | ✓ (+ `--active`) | ✓ (ported) | — (upgrade kernel) | ✓ (evict page cache) | ✓ (auditd + sigma) |
 | fragnesia | ✓ (+ `--active`) | ✓ (ported) | — (upgrade kernel) | ✓ (evict page cache) | ✓ (auditd + sigma) |

@@ -2,11 +2,12 @@

 [![Latest release](https://img.shields.io/github/v/release/KaraZajac/SKELETONKEY?label=release)](https://github.com/KaraZajac/SKELETONKEY/releases/latest)
 [![License: MIT](https://img.shields.io/badge/license-MIT-blue.svg)](LICENSE)
-[![Modules](https://img.shields.io/badge/modules-28-brightgreen.svg)](CVES.md)
+[![Modules](https://img.shields.io/badge/modules-28%20verified%20%2B%202%20ported-brightgreen.svg)](CVES.md)
 [![Platform: Linux](https://img.shields.io/badge/platform-linux-lightgrey.svg)](#)

-> **One curated binary. 28 Linux LPE exploits, 2016 → 2026. Detection
-> rules in the box. One command picks the safest one and runs it.**
+> **One curated binary. 28 verified Linux LPE exploits, 2016 → 2026
+> (+2 ported-but-unverified). Detection rules in the box. One command
+> picks the safest one and runs it.**

 ```bash
 curl -sSL https://github.com/KaraZajac/SKELETONKEY/releases/latest/download/install.sh | sh \
@@ -42,12 +43,15 @@ for every CVE in the bundle — same project for red and blue teams.

 ## Corpus at a glance

-**28 modules** spanning the 2016 → 2026 LPE timeline:
+**28 verified modules** spanning the 2016 → 2026 LPE timeline, plus
+**2 ported-but-unverified** modules (`dirtydecrypt`, `fragnesia` —
+see note below):

 | Tier | Count | What it means |
 |---|---|---|
 | 🟢 Full chain | **14** | Lands root (or its canonical capability) end-to-end. No per-kernel offsets needed. |
 | 🟡 Primitive | **14** | Fires the kernel primitive + grooms the slab + records a witness. Default returns `EXPLOIT_FAIL` honestly. Pass `--full-chain` to engage the shared `modprobe_path` finisher (needs offsets — see [`docs/OFFSETS.md`](docs/OFFSETS.md)). |
+| ⚪ Ported, unverified | **2** | `dirtydecrypt` + `fragnesia`, ported from public V12 PoCs. Built and registered, but **not yet validated on a vulnerable kernel** — `detect()` is precondition-only and `--auto` will not fire them blind. Excluded from the 28-module verified counts above. |

 **🟢 Modules that land root on a vulnerable host:**
 copy_fail family ×5 · dirty_pipe · dirty_cow · pwnkit · overlayfs
@@ -60,6 +64,12 @@ af_packet · af_packet2 · af_unix_gc · cls_route4 · fuse_legacy ·
 nf_tables · nft_set_uaf · nft_fwd_dup · nft_payload ·
 netfilter_xtcompat · stackrot · sudo_samedit · sequoia · vmwgfx

+**⚪ Ported-but-unverified (not in the counts above):**
+dirtydecrypt (CVE-2026-31635) · fragnesia (CVE-2026-46300) — ported
+from public V12 PoCs, **not yet VM-validated**. Self-contained
+page-cache writes (no `--full-chain` finisher); `detect()` is
+precondition-only because the CVE fix commits are not yet pinned.
+
 See [`CVES.md`](CVES.md) for per-module CVE, kernel range, and
 detection status.

@@ -97,7 +107,7 @@ uid=1000(kara) gid=1000(kara) groups=1000(kara)

 $ skeletonkey --auto --i-know
 [*] auto: host=demo kernel=5.15.0-56-generic arch=x86_64
-[*] auto: scanning 28 modules for vulnerabilities...
+[*] auto: scanning 30 modules for vulnerabilities...
 [+] auto: dirty_pipe             VULNERABLE (safety rank 90)
 [+] auto: cgroup_release_agent   VULNERABLE (safety rank 98)
 [+] auto: pwnkit                 VULNERABLE (safety rank 100)
@@ -162,11 +172,14 @@ also compile (modules with Linux-only headers stub out gracefully).

 ## Status

-**v0.5.0 cut 2026-05-17.** 28 modules. All build clean on Debian 13
-(kernel 6.12) and refuse cleanly on patched hosts. Empirical
-end-to-end validation on a vulnerable-kernel VM matrix is the next
-roadmap item; until then, the corpus is best understood as
-"compiles + detects + structurally correct + honest on failure."
+**v0.5.0 cut 2026-05-17.** 28 verified modules, plus 2
+ported-but-unverified (`dirtydecrypt`, `fragnesia`) added since the
+cut. All 30 build clean on Debian 13 (kernel 6.12) and refuse cleanly
+on patched hosts. Empirical end-to-end validation on a
+vulnerable-kernel VM matrix is the next roadmap item; until then, the
+corpus is best understood as "compiles + detects + structurally
+correct + honest on failure" — and the two ported modules have not
+been run against a vulnerable kernel at all.

 See [`ROADMAP.md`](ROADMAP.md) for the next planned modules and
 infrastructure work.
@@ -164,7 +164,19 @@ Backfill of historical and recent LPEs as time allows.
      (hand-rolled nfnetlink, NFT_GOTO+DROP malformed verdict,
      msg_msg kmalloc-cg-96 groom, no pipapo R/W chain).

-**Landed (ported from public PoC, pending VM verification):**
+**Landed since v0.1.0 (in the 28-module verified corpus):**
+
+- [x] **CVE-2021-3156** — sudo Baron Samedit: 🟡 PRIMITIVE
+      (`sudoedit -s` heap overflow; heap-tuned, may crash sudo).
+- [x] **CVE-2021-33909** — Sequoia: 🟡 PRIMITIVE (`seq_file` size_t
+      overflow → kernel stack OOB; trigger + witness, no cred chain).
+- [x] **CVE-2023-22809** — sudoedit EDITOR/VISUAL argv escape: 🟢 FULL
+      structural argv-injection (no kernel state, no offsets).
+- [x] **CVE-2023-2008** — vmwgfx DRM bo size-validation OOB: 🟡
+      PRIMITIVE (kmalloc-512 OOB + slab witness, no cred chain).
+
+**Landed (ported from public PoC, pending VM verification — NOT part
+of the 28-module verified corpus):**

 - [x] **CVE-2026-46300** — Fragnesia: 🟡 XFRM ESP-in-TCP page-cache
      write. Ported from the V12 PoC; the old `_stubs/fragnesia_TBD`
@@ -181,7 +193,6 @@ Backfill of historical and recent LPEs as time allows.

 **Carry-overs:**

- [ ] **CVE-2023-2008** — vmwgfx OOB write
 - [ ] **CVE-2026-41651** — Pack2TheRoot (PackageKit daemon userspace
      LPE; cross-distro). Candidate — userspace LPE in the pwnkit vein.
 - [ ] Anything we ourselves disclose — bundled AFTER upstream patch
@@ -189,7 +200,7 @@ Backfill of historical and recent LPEs as time allows.

 ## Phase 8 — Full-chain promotions (post v0.1.0)

-The 7 🟡 PRIMITIVE modules each stop one or two steps short of full
+The 14 🟡 PRIMITIVE modules each stop one or two steps short of full
 cred-overwrite. Promotion to 🟢 means landing the leak → R/W →
 modprobe_path-or-cred-rewrite stage on at least one tracked kernel.
 None requires fresh research — each has a public reference exploit;
@@ -200,9 +211,15 @@ auto-resolve via System.map / kallsyms when accessible).

 Priority order: nf_tables (Notselwyn pipapo R/W), netfilter_xtcompat
 (Andy Nguyen modprobe_path), af_packet (xairy sk_buff cred chase).
-The other four are lower priority — fuse_legacy and cls_route4 have
+The remainder are lower priority — fuse_legacy and cls_route4 have
 narrower distro reach; af_packet2 piggybacks on af_packet; stackrot's
-race window makes it inherently low-yield.
+race window makes it inherently low-yield; the nft_* family and
+vmwgfx need their per-kernel offset tables built out.
+
+The 2 ported-but-unverified modules (`dirtydecrypt`, `fragnesia`) are
+**not** part of this Phase 8 promotion set — they need VM verification
+and pinned fix commits first (tracked under Phase 7+ above) before any
+full-chain work is meaningful.

 ## Non-goals

@@ -83,7 +83,7 @@
    <div class="stats">
      <div class="stat">
        <span class="stat-num">28</span>
-        <span class="stat-label">total modules</span>
+        <span class="stat-label">verified modules</span>
      </div>
      <div class="stat">
        <span class="stat-num green">14</span>
@@ -173,7 +173,7 @@ uid=1000(kara) gid=1000(kara) groups=1000(kara)

 <span class="prompt">$</span> skeletonkey --auto --i-know
 <span class="hl-muted">[*]</span> auto: host=demo kernel=5.15.0-56-generic arch=x86_64
-<span class="hl-muted">[*]</span> auto: scanning 28 modules for vulnerabilities...
+<span class="hl-muted">[*]</span> auto: scanning 30 modules for vulnerabilities...
 <span class="hl-green">[+]</span> auto: dirty_pipe             <span class="hl-yellow">VULNERABLE</span> (safety rank 90)
 <span class="hl-green">[+]</span> auto: cgroup_release_agent   <span class="hl-yellow">VULNERABLE</span> (safety rank 98)
 <span class="hl-green">[+]</span> auto: pwnkit                 <span class="hl-yellow">VULNERABLE</span> (safety rank 100)
@@ -240,8 +240,10 @@ uid=0(root) gid=0(root) groups=0(root)</pre>
  <div class="container">
    <h2>Status</h2>
    <p class="lead">
-      <strong>v0.5.0</strong> cut 2026-05-17. 28 modules build clean
-      on Debian 13 (kernel 6.12) and refuse cleanly on patched hosts.
+      <strong>v0.5.0</strong> cut 2026-05-17. 28 verified modules build
+      clean on Debian 13 (kernel 6.12) and refuse cleanly on patched
+      hosts; 2 further modules (dirtydecrypt, fragnesia) are ported
+      from public PoCs but not yet VM-verified.
      Empirical end-to-end validation on a vulnerable-kernel VM matrix
      is the next roadmap item; until then, the corpus is best
      understood as "compiles + detects + structurally correct +
@@ -17,15 +17,17 @@ primitives that abuse a missing COW boundary.

 ## Research credit

-Discovered and reported by the **Zellic** and **V12 security** team.
-Public proof-of-concept by **Luna Tong** ("cts" / "gf_256"), Zellic
-co-founder, on the V12 team.
+Discovered and reported by **Zellic** and the **V12 security** team.
+Public proof-of-concept by **Luna Tong** ("cts" / "gf_256") of the
+V12 security team.

 > Reference PoC: <https://github.com/v12-security/pocs/tree/main/dirtydecrypt>

-On disclosure (2026-05-09) the kernel maintainers indicated the issue
-duplicated a flaw already patched in mainline; CVE-2026-31635 was
-assigned subsequently.
+The upstream PoC file (`poc.c`) carries no author, project, or
+`LICENSE` header of its own — its header is a purely technical
+description of the bug. The credit above is from the public
+disclosure, not from the file. CVE-2026-31635 was assigned for the
+flaw; its fix commit is not pinned in this module (see below).

 ## SKELETONKEY role

@@ -17,6 +17,9 @@ detection:
    name|startswith:
      - '/usr/bin/su'
      - '/bin/su'
+      - '/usr/bin/mount'
+      - '/usr/bin/passwd'
+      - '/usr/bin/chsh'
      - '/etc/passwd'
      - '/etc/shadow'
  not_root:
@@ -856,8 +856,12 @@ static skeletonkey_result_t dd_cleanup(const struct skeletonkey_ctx *ctx)
 static const char dd_auditd[] =
 	"# DirtyDecrypt (CVE-2026-31635) — auditd detection rules\n"
 	"# rxgk in-place decrypt corrupts the page cache of a read-only file.\n"
+	"# Watches every payload carrier in dd_targets[] plus credential files.\n"
 	"-w /usr/bin/su     -p wa -k skeletonkey-dirtydecrypt\n"
 	"-w /bin/su         -p wa -k skeletonkey-dirtydecrypt\n"
+	"-w /usr/bin/mount  -p wa -k skeletonkey-dirtydecrypt\n"
+	"-w /usr/bin/passwd -p wa -k skeletonkey-dirtydecrypt\n"
+	"-w /usr/bin/chsh   -p wa -k skeletonkey-dirtydecrypt\n"
 	"-w /etc/passwd     -p wa -k skeletonkey-dirtydecrypt\n"
 	"-w /etc/shadow     -p wa -k skeletonkey-dirtydecrypt\n"
 	"# AF_RXRPC socket creation by non-root (family 33) — core of the trigger\n"
@@ -865,7 +869,8 @@ static const char dd_auditd[] =
 	"# rxrpc security keys added to the keyring\n"
 	"-a always,exit -F arch=b64 -S add_key -k skeletonkey-dirtydecrypt-key\n"
 	"# splice() drives the page-cache pages into the forged DATA packet\n"
-	"-a always,exit -F arch=b64 -S splice -k skeletonkey-dirtydecrypt-splice\n";
+	"-a always,exit -F arch=b64 -S splice -k skeletonkey-dirtydecrypt-splice\n"
+	"-a always,exit -F arch=b32 -S splice -k skeletonkey-dirtydecrypt-splice\n";

 static const char dd_sigma[] =
 	"title: Possible DirtyDecrypt exploitation (CVE-2026-31635)\n"
@@ -879,7 +884,8 @@ static const char dd_sigma[] =
 	"detection:\n"
 	"  modification:\n"
 	"    type: 'PATH'\n"
-	"    name|startswith: ['/usr/bin/su', '/bin/su', '/etc/passwd', '/etc/shadow']\n"
+	"    name|startswith: ['/usr/bin/su', '/bin/su', '/usr/bin/mount',\n"
+	"      '/usr/bin/passwd', '/usr/bin/chsh', '/etc/passwd', '/etc/shadow']\n"
 	"  not_root:\n"
 	"    auid|expression: '!= 0'\n"
 	"  condition: modification and not_root\n"