Threat Feed
medium advisory

Suspicious SUID Binary Execution Sequence on Linux

This rule detects suspicious sequences in which a non-root user launches a high-risk parent process and then executes a common privilege elevation helper that gains an effective UID of 0 while the real UID remains non-root, potentially indicating misuse of SUID/SGID helpers or privilege escalation attempts.

This detection identifies suspicious privilege escalation attempts on Linux systems by monitoring the execution of SUID binaries after a high-risk parent process is launched by a non-root user. Attackers may exploit misconfigured SUID/SGID binaries or abuse sudo/pkexec policies to gain elevated privileges. The detection focuses on sequences where a user initially executes a script interpreter, shell one-liner, or a binary from a user-writable directory and quickly transitions to executing privilege elevation tools like su, sudo, pkexec, passwd, chsh, or newgrp. This behavior can indicate malicious activity, especially when combined with other suspicious indicators such as execution from temporary directories or the use of shell commands to bypass security restrictions. Defenders should investigate instances of this sequence to determine if the privilege escalation was authorized and to identify potential misconfigurations or policy violations.

Attack Chain

  1. A non-root user executes a script interpreter (e.g., python, perl, bash) or a binary from a user-writable location such as /tmp, /var/tmp, or their home directory.
  2. The script or binary may contain malicious code designed to exploit vulnerabilities or misconfigurations in the system.
  3. The user then attempts to execute a privilege elevation tool such as sudo, su, or pkexec.
  4. The privilege elevation tool is invoked without specific arguments that would normally indicate legitimate administrative use, such as explicitly specifying a command to execute with elevated privileges.
  5. The privilege elevation attempt succeeds, and the user gains an effective UID of 0, indicating root privileges.
  6. The attacker leverages the elevated privileges to perform malicious actions, such as installing malware, modifying system configurations, or accessing sensitive data.
  7. The attacker may attempt to establish persistence by creating a new user account, modifying startup scripts, or installing a rootkit.
  8. The ultimate objective is to gain complete control of the system and potentially use it as a launching point for further attacks on the network.

Impact

A successful privilege escalation can grant an attacker complete control over the compromised system. This can lead to data breaches, system outages, and the installation of persistent backdoors. The potential damage depends on the value of the data stored on the system and the attacker’s objectives. In enterprise environments, a single compromised system can serve as a pivot point for lateral movement, potentially leading to widespread damage across the network.

Recommendation

  • Enable Auditd Manager to collect process execution data (data source: Auditd Manager).
  • Deploy the Sigma rule “Suspicious SUID Binary Execution (Auditd Sequence)” to your SIEM and tune it for your environment.
  • Investigate any alerts generated by the rule, focusing on the parent process chain and the user’s recent activity.
  • Review and harden sudoers policies and polkit configurations to prevent unauthorized privilege escalation.
  • Monitor for changes to SUID/SGID file permissions to detect potential misconfigurations.

Detection coverage (2 rules)

Detect Suspicious SUID Binary Execution via Auditd

medium

Detects suspicious sequences in which a non-root user executes an interpreter or writes to a temp directory, followed by execution of a SUID binary (su, sudo, pkexec).

Format: sigma | Tactics: privilege_escalation | Techniques: T1548, T1548.001 | Sources: process_creation, linux
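The sequence logic described at the top of this advisory and summarised by this rule can be sketched in code. The block below is an added illustration, not the feed's Sigma rule or any vendor code: it replays auditd-style process-creation records, keeps a pid-to-event map, and raises an alert when one of the listed elevation helpers runs with an effective UID of 0 under a non-root real UID while a recent ancestor in its process chain was a high-risk parent (script interpreter, shell one-liner, or a binary from a user-writable directory). The record field names, the 60-second window and the sample events are constructed assumptions.

```python
"""Sequence detection for elevation-helper misuse (added example, constructed data)."""
from dataclasses import dataclass
from typing import Dict, Iterable, List, Optional, Tuple

# Parent processes the advisory treats as high risk.
INTERPRETERS = {"python", "python3", "perl", "ruby", "php"}
SHELLS = {"sh", "bash", "dash", "zsh"}          # high risk only as a one-liner (-c)
USER_WRITABLE_PREFIXES = ("/tmp/", "/var/tmp/", "/dev/shm/", "/home/")
# Elevation helpers the advisory lists.
ELEVATION_HELPERS = {"su", "sudo", "pkexec", "passwd", "chsh", "newgrp"}
WINDOW_SECONDS = 60   # assumption: how long a high-risk parent counts as "recent"


@dataclass(frozen=True)
class ProcEvent:
    ts: float            # epoch seconds of the execve
    pid: int
    ppid: int
    uid: int             # real UID
    euid: int            # effective UID after exec (0 for a SUID-root helper)
    exe: str             # resolved executable path
    argv: Tuple[str, ...]


def _basename(path: str) -> str:
    return path.rsplit("/", 1)[-1]


def is_high_risk_parent(ev: ProcEvent) -> bool:
    """Interpreter, shell one-liner, or binary from a user-writable path, run as non-root."""
    if ev.uid == 0:
        return False
    name = _basename(ev.exe)
    if name in INTERPRETERS:
        return True
    if name in SHELLS and "-c" in ev.argv:
        return True
    return ev.exe.startswith(USER_WRITABLE_PREFIXES)


def is_elevation_helper(ev: ProcEvent) -> bool:
    """Listed helper that gained euid 0 while the real UID stayed non-root."""
    return _basename(ev.exe) in ELEVATION_HELPERS and ev.euid == 0 and ev.uid != 0


def detect_suid_sequences(events: Iterable[ProcEvent],
                          window: float = WINDOW_SECONDS,
                          max_depth: int = 4) -> List[dict]:
    """One alert per helper whose ancestor chain (up to max_depth levels) holds a
    high-risk parent started within `window` seconds. Pid reuse is ignored here;
    a production version should key on (pid, start time) or the audit session id."""
    procs: Dict[int, ProcEvent] = {}
    alerts: List[dict] = []
    for ev in sorted(events, key=lambda e: e.ts):
        procs[ev.pid] = ev
        if not is_elevation_helper(ev):
            continue
        ancestor: Optional[ProcEvent] = procs.get(ev.ppid)
        depth = 0
        while ancestor is not None and depth < max_depth:
            if is_high_risk_parent(ancestor) and ev.ts - ancestor.ts <= window:
                alerts.append({
                    "helper": _basename(ev.exe), "helper_pid": ev.pid, "uid": ev.uid,
                    "parent_exe": ancestor.exe, "parent_pid": ancestor.pid,
                    # attack-chain step 4: helper invoked without a command argument
                    "no_args": len(ev.argv) <= 1,
                })
                break
            ancestor = procs.get(ancestor.ppid)
            depth += 1
    return alerts


# Constructed sample events, not real audit output.
SAMPLE_EVENTS = [
    ProcEvent(1000, 100, 1,   1000, 1000, "/usr/bin/bash", ("bash",)),                 # login shell
    ProcEvent(1001, 101, 100, 1000, 1000, "/tmp/.x/payload", ("/tmp/.x/payload",)),   # user-writable dir
    ProcEvent(1003, 102, 101, 1000, 0,    "/usr/bin/sudo", ("sudo",)),                 # alert
    ProcEvent(2000, 200, 100, 1000, 0,    "/usr/bin/sudo", ("sudo", "apt", "update")), # admin use, no alert
    ProcEvent(3000, 300, 100, 1000, 1000, "/usr/bin/python3", ("python3", "-c", "import os")),
    ProcEvent(3001, 301, 300, 1000, 1000, "/bin/sh", ("sh",)),
    ProcEvent(3002, 302, 301, 1000, 0,    "/usr/bin/pkexec", ("pkexec",)),             # alert via grandparent
    ProcEvent(4000, 400, 1,   0,    0,    "/usr/bin/sudo", ("sudo", "-i")),            # already root, ignored
    ProcEvent(5000, 500, 300, 1000, 0,    "/usr/bin/su", ("su",)),                     # parent outside window
]

if __name__ == "__main__":
    for alert in detect_suid_sequences(SAMPLE_EVENTS):
        print(alert)
```

Two tuning points matter when this is turned into a real rule: an interactive shell is deliberately not a high-risk parent (only a `-c` one-liner is), otherwise every `sudo` typed at a prompt would fire, and the ancestor walk stops at `max_depth` so a long-lived interpreter far up the tree does not taint every helper beneath it.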

Detect SUID Binaries Executed from /tmp

low

Detects SUID binaries being executed from /tmp, /var/tmp, or /dev/shm, which is often indicative of exploitation or malicious activity.

Format: sigma | Tactics: privilege_escalation | Techniques: T1548, T1548.001 | Sources: process_creation, linux
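The recommendation above to monitor SUID/SGID file permissions, and this rule's focus on SUID binaries in /tmp, /var/tmp and /dev/shm, both come down to knowing which privileged binaries exist and spotting drift. The block below is an added illustration, not the feed's rule: it records every regular file carrying the setuid or setgid bit under a root directory and diffs that inventory against a saved baseline, so a new setuid binary, a removed one, or a changed mode or owner stands out. The `walk_fn`/`stat_fn` parameters exist only so the logic can run over constructed data; the `FakeStat` records are constructed, not real filesystem state.

```python
"""SUID/SGID inventory baseline and drift check (added example, constructed data)."""
import os
import stat
from collections import namedtuple
from typing import Callable, Dict, Tuple

Entry = Tuple[int, int, int]     # (permission bits, owner uid, group gid)


def suid_inventory(root: str = "/",
                   walk_fn: Callable = os.walk,
                   stat_fn: Callable = os.lstat) -> Dict[str, Entry]:
    """Map path -> (mode, uid, gid) for every regular file with SUID or SGID set."""
    inv: Dict[str, Entry] = {}
    for dirpath, _dirnames, filenames in walk_fn(root):
        for name in filenames:
            path = os.path.join(dirpath, name)
            try:
                st = stat_fn(path)
            except OSError:                     # unreadable or vanished: skip, don't abort
                continue
            if not stat.S_ISREG(st.st_mode):    # lstat: symlinks are not followed
                continue
            if st.st_mode & (stat.S_ISUID | stat.S_ISGID):
                inv[path] = (stat.S_IMODE(st.st_mode), st.st_uid, st.st_gid)
    return inv


def diff_inventory(baseline: Dict[str, Entry], current: Dict[str, Entry]) -> dict:
    """Added / removed / changed privileged binaries relative to the baseline."""
    added = {p: current[p] for p in current.keys() - baseline.keys()}
    removed = {p: baseline[p] for p in baseline.keys() - current.keys()}
    changed = {p: (baseline[p], current[p])
               for p in baseline.keys() & current.keys() if baseline[p] != current[p]}
    return {"added": added, "removed": removed, "changed": changed}


# --- constructed data to exercise the logic offline -------------------------
FakeStat = namedtuple("FakeStat", "st_mode st_uid st_gid")
REG = stat.S_IFREG


def fake_fs(files: Dict[str, FakeStat]):
    """Return walk/lstat callables over a constructed {path: FakeStat} map."""
    def walk(_root):
        by_dir: Dict[str, list] = {}
        for p in files:
            d, f = p.rsplit("/", 1)
            by_dir.setdefault(d, []).append(f)
        for d, names in by_dir.items():
            yield d, [], names
    return walk, files.__getitem__


BASELINE_FS = {
    "/usr/bin/sudo":   FakeStat(REG | 0o4755, 0, 0),
    "/usr/bin/passwd": FakeStat(REG | 0o4755, 0, 0),
    "/usr/bin/ls":     FakeStat(REG | 0o755, 0, 0),      # no SUID bit: never inventoried
}
CURRENT_FS = dict(BASELINE_FS)
CURRENT_FS["/usr/bin/passwd"] = FakeStat(REG | 0o4755, 1000, 0)   # owner changed since baseline
CURRENT_FS["/tmp/.cache/helper"] = FakeStat(REG | 0o4755, 0, 0)   # new setuid-root file in /tmp


def drift_report() -> dict:
    """Inventory both constructed trees and return what changed."""
    baseline = suid_inventory("/", *fake_fs(BASELINE_FS))
    current = suid_inventory("/", *fake_fs(CURRENT_FS))
    return diff_inventory(baseline, current)


if __name__ == "__main__":
    print(drift_report())
```

On a real host, call `suid_inventory("/")` with the default walk and stat functions (as root, so nothing is skipped for lack of permission), persist the result as the baseline, and diff each later run against it; the inventory matches what `find / -xdev -type f -perm /6000` lists, but keeping mode and owner per path is what lets a re-permissioned or re-owned binary show up as "changed" rather than being missed.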
