Suspicious SUID Binary Execution on Linux
This rule detects the execution of privilege escalation helpers under the root effective user, when initiated by a non-root user with a suspicious parent process, indicating potential privilege escalation attempts.
This detection rule identifies suspicious executions of common privilege elevation tools on Linux systems. It focuses on instances where binaries like su, sudo, pkexec, passwd, chsh, and newgrp are executed with root privileges but are initiated by a non-root user. The rule further refines its focus by analyzing the parent process context, specifically looking for interpreters (Python, Perl, Ruby, etc.), commands executed from user-writable directories (/tmp, /var/tmp, /dev/shm, /home, /run/user), or short shell command invocations. The detection is designed to uncover potential privilege escalation attempts that may be indicative of malicious activity. This is important because attackers frequently use SUID binaries to elevate privileges, and detecting unusual usage patterns can help identify compromised systems or insider threats.
Attack Chain
- A non-privileged user gains initial access to the system, potentially through compromised credentials or exploiting a vulnerability.
- The attacker navigates to a user-writable directory such as /tmp or /home/<user>.
- The attacker crafts a malicious script or uses a one-liner command to invoke a SUID binary.
- The SUID binary (e.g., sudo, pkexec, su) is executed with minimal arguments.
- The system executes the command with root privileges due to the SUID bit being set on the binary.
- The attacker leverages the elevated privileges to modify system files, install malicious software, or create new administrative accounts.
- The attacker establishes persistence to maintain access to the compromised system.
- The attacker achieves their final objective, which could include data exfiltration, system disruption, or further lateral movement within the network.
Impact
Successful exploitation of SUID binaries can lead to full system compromise. An attacker can gain complete control over the affected Linux system, potentially leading to data breaches, service disruptions, and the installation of persistent malware. This can affect critical infrastructure and sensitive data, causing significant financial and reputational damage. The severity is amplified when multiple systems are compromised, allowing for lateral movement and further exploitation within the network.
Recommendation
- Enable process creation logging and ensure that process.user.id, process.real_user.id, and process.parent.user.id are being captured to activate the rules below.
- Deploy the "Suspicious SUID Binary Execution" Sigma rule to your SIEM and tune for your environment.
- Review authentication and sudoers policies to identify and remediate any misconfigurations.
- Investigate any alerts generated by the Sigma rules to determine the legitimacy of the SUID binary execution and the parent process context.
- Implement file integrity monitoring on sensitive system binaries and directories, particularly those related to privilege escalation, to detect unauthorized modifications.
- Restrict the use of SUID binaries where possible and enforce strict permissions on those that are necessary.
Detection coverage (3 rules)
Suspicious SUID Binary Execution from Interpreter
Severity: high. Detects execution of SUID binaries like su, sudo, pkexec from interpreters (python, perl, ruby, etc.).
Suspicious SUID Binary Execution from User-Writable Path
Severity: high. Detects execution of SUID binaries from user-writable paths (e.g., /tmp, /home).
Suspicious SUID Binary Execution with Minimal Arguments
Severity: medium. Detects execution of sudo and pkexec with a single argument, or su, passwd, chsh, newgrp with a small number of arguments, from non-root users.
Detection queries are kept inside the platform.
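The following is an added example, not the platform's Sigma rules: a small classifier that applies the three coverage rules above (and the parent-process logic from the description) to process-creation events. Only process.user.id, process.real_user.id and process.parent.user.id come from the page; process.name, process.parent.name, process.parent.executable and process.args are assumed ECS-style field names, and the "small number of arguments" threshold of 2 is an assumption.

```python
# Added example; field names beyond process.user.id / process.real_user.id
# and the argument threshold of 2 are assumptions, not the platform's logic.
SUID_HELPERS = {"su", "sudo", "pkexec", "passwd", "chsh", "newgrp"}
INTERPRETERS = ("python", "perl", "ruby", "php", "node")
USER_WRITABLE = ("/tmp/", "/var/tmp/", "/dev/shm/", "/home/", "/run/user/")
ARG_LIMIT = {"sudo": 1, "pkexec": 1, "su": 2, "passwd": 2, "chsh": 2, "newgrp": 2}

RULE_INTERPRETER = "Suspicious SUID Binary Execution from Interpreter"
RULE_PATH = "Suspicious SUID Binary Execution from User-Writable Path"
RULE_ARGS = "Suspicious SUID Binary Execution with Minimal Arguments"


def classify(event: dict) -> list:
    """Return the coverage rules a process-creation event matches ([] if none).

    Base condition shared by all three rules: a known SUID helper running
    with effective uid 0 (process.user.id) while the invoking real uid is not.
    """
    name = event.get("process.name", "")
    if name not in SUID_HELPERS or str(event.get("process.user.id")) != "0":
        return []
    if str(event.get("process.real_user.id")) == "0":
        return []
    hits = []
    # python3.11, perl5 and similar all begin with the bare interpreter name
    if event.get("process.parent.name", "").startswith(INTERPRETERS):
        hits.append(RULE_INTERPRETER)
    # parent binary living in a user-writable directory (assumed field)
    if event.get("process.parent.executable", "").startswith(USER_WRITABLE):
        hits.append(RULE_PATH)
    # process.args carries the full argv, so argv[0] is not counted
    if len(event.get("process.args", [name])) - 1 <= ARG_LIMIT[name]:
        hits.append(RULE_ARGS)
    return hits


# Constructed events: interpreter-spawned sudo, pkexec from /tmp with a
# longer command line, and a root shell running sudo (should not alert).
SAMPLE_EVENTS = [
    {"process.name": "sudo", "process.user.id": "0", "process.real_user.id": "1000",
     "process.parent.name": "python3", "process.parent.executable": "/usr/bin/python3",
     "process.args": ["sudo", "-i"]},
    {"process.name": "pkexec", "process.user.id": "0", "process.real_user.id": "1000",
     "process.parent.name": "bash", "process.parent.executable": "/tmp/stage/bash",
     "process.args": ["pkexec", "/bin/sh", "-c", "id"]},
    {"process.name": "sudo", "process.user.id": "0", "process.real_user.id": "0",
     "process.parent.name": "bash", "process.parent.executable": "/bin/bash",
     "process.args": ["sudo", "-l"]},
]
```

Running classify over SAMPLE_EVENTS shows the first event firing both the interpreter and minimal-arguments rules, the second only the user-writable-path rule, and the third nothing because the real user is already root.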