Severity: high

Linux Persistence and Privilege Escalation Risk Behavior Detected

A Splunk correlation search identifies potential Linux persistence and privilege escalation activities based on risk scores and event counts from various Linux-related data sources, highlighting behaviors that could allow an attacker to maintain access or gain elevated privileges on a Linux system.

This analytic identifies potential Linux persistence and privilege escalation activity. It leverages risk scores and event counts from various Linux-related data sources, focusing on tactics associated with persistence and privilege escalation. The correlation triggers a finding only once four or more distinct detection names have fired, so a single noisy detection repeating many times does not by itself produce a finding. If confirmed malicious, this activity could enable an attacker to execute code with higher privileges, persist in the environment, and potentially access sensitive information, posing a severe security risk. This detection was last modified on May 13, 2026.

Attack Chain

  1. Initial compromise of a Linux system through an unspecified vector.
  2. The attacker attempts to establish persistence using techniques such as modifying system startup scripts or creating cron jobs.
  3. Privilege escalation is attempted through exploitation of kernel vulnerabilities or misconfigured SUID/GUID binaries.
  4. Individual detection tools identify the persistence and privilege escalation attempts, generating risk scores.
  5. Splunk’s Risk Framework aggregates these risk scores and events.
  6. If the number of distinct detection names related to persistence/privilege escalation reaches the threshold (default: 4), the correlation triggers.
  7. The attacker maintains elevated privileges on the system.
  8. The attacker persists in the environment and potentially accesses sensitive information.
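The aggregation in steps 4 to 6 above, together with the source_count threshold and the filter macro that the Recommendation section says to tune, reimplemented as an added Python example (not the page's own SPL and not Splunk's code): it groups risk events per risk object within a lookback window, keeps only Linux-related detection names tagged with the persistence or privilege_escalation tactic, counts distinct detection names rather than raw events, and raises a finding when that count reaches the threshold. The hosts, detection names, scores and timestamps are constructed for illustration and are not actual Splunk ESCU detection titles; the exclusions parameter is an assumed stand-in for the linux_persistence_and_privilege_escalation_risk_behavior_filter macro.

```python
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Tactics the correlation search scopes to (as named on the page).
TACTICS_OF_INTEREST = frozenset({"persistence", "privilege_escalation"})
DEFAULT_THRESHOLD = 4  # the page's default: source_count >= 4 triggers a finding


def ev(time_str, host, source, tactic, score):
    """Build one constructed risk-index event. 'source' is the detection name;
    'tactic' stands in for the risk event's MITRE ATT&CK tactic annotation."""
    return {"_time": datetime.fromisoformat(time_str).replace(tzinfo=timezone.utc),
            "risk_object": host, "source": source, "tactic": tactic, "risk_score": score}


# Constructed sample events: hosts, detection names and scores are made up for
# illustration and are not actual Splunk ESCU detection titles.
SAMPLE_RISK_EVENTS = [
    # webserver-01: four distinct Linux detections -> reaches the threshold
    ev("2026-05-13T10:00:00", "webserver-01", "Linux Cron Job Modification", "persistence", 25),
    ev("2026-05-13T10:05:00", "webserver-01", "Linux Systemd Service Created", "persistence", 25),
    ev("2026-05-13T10:10:00", "webserver-01", "Linux SUID Binary Execution", "privilege_escalation", 40),
    ev("2026-05-13T10:12:00", "webserver-01", "Linux Sudoers Modification", "privilege_escalation", 40),
    # buildbox-02: six events but only three distinct detection names -> no finding
    ev("2026-05-13T09:00:00", "buildbox-02", "Linux Cron Job Modification", "persistence", 25),
    ev("2026-05-13T09:01:00", "buildbox-02", "Linux Cron Job Modification", "persistence", 25),
    ev("2026-05-13T09:02:00", "buildbox-02", "Linux Cron Job Modification", "persistence", 25),
    ev("2026-05-13T09:30:00", "buildbox-02", "Linux SUID Binary Execution", "privilege_escalation", 40),
    ev("2026-05-13T09:31:00", "buildbox-02", "Linux SUID Binary Execution", "privilege_escalation", 40),
    ev("2026-05-13T09:45:00", "buildbox-02", "Linux Sudoers Modification", "privilege_escalation", 40),
    # dbhost-03: three in-window Linux detections, one stale event (older than 24h),
    # one out-of-scope tactic and one non-Linux detection -> no finding at default settings
    ev("2026-05-13T11:00:00", "dbhost-03", "Linux Cron Job Modification", "persistence", 25),
    ev("2026-05-13T11:05:00", "dbhost-03", "Linux Systemd Service Created", "persistence", 25),
    ev("2026-05-13T11:10:00", "dbhost-03", "Linux SUID Binary Execution", "privilege_escalation", 40),
    ev("2026-05-11T09:00:00", "dbhost-03", "Linux Sudoers Modification", "privilege_escalation", 40),
    ev("2026-05-13T11:15:00", "dbhost-03", "Linux System Discovery", "discovery", 10),
    ev("2026-05-13T11:20:00", "dbhost-03", "Windows Scheduled Task Created", "persistence", 25),
]

# Constructed "current time" for the lookback window.
NOW = datetime(2026, 5, 13, 12, 0, tzinfo=timezone.utc)


def find_risk_behaviors(events, now, threshold=DEFAULT_THRESHOLD, window_hours=24,
                        tactics=TACTICS_OF_INTEREST, exclusions=frozenset()):
    """Aggregate risk events per risk object and return findings for objects whose
    number of distinct detection names (source_count) reaches the threshold.
    'exclusions' is an assumed stand-in for the search's _filter macro: risk objects
    listed there are dropped before aggregation, which is where environment-specific
    false-positive tuning would go."""
    cutoff = now - timedelta(hours=window_hours)
    per_object = defaultdict(lambda: {"sources": set(), "event_count": 0, "risk_score": 0})
    for e in events:
        if e["_time"] < cutoff or e["_time"] > now:
            continue  # outside the lookback window
        if e["tactic"] not in tactics:
            continue  # not a persistence / privilege escalation detection
        if "linux" not in e["source"].lower():
            continue  # only Linux-related detection names count
        if e["risk_object"] in exclusions:
            continue  # tuned out via the filter macro stand-in
        agg = per_object[e["risk_object"]]
        agg["sources"].add(e["source"])
        agg["event_count"] += 1
        agg["risk_score"] += e["risk_score"]

    findings = []
    for obj, agg in per_object.items():
        source_count = len(agg["sources"])  # distinct detection names, not raw events
        if source_count >= threshold:
            findings.append({"risk_object": obj, "source_count": source_count,
                             "event_count": agg["event_count"],
                             "risk_score": agg["risk_score"],
                             "sources": sorted(agg["sources"])})
    return sorted(findings, key=lambda f: f["risk_object"])


if __name__ == "__main__":
    for f in find_risk_behaviors(SAMPLE_RISK_EVENTS, NOW):
        print(f"{f['risk_object']}: source_count={f['source_count']} "
              f"events={f['event_count']} risk_score={f['risk_score']}")
        for s in f["sources"]:
            print("   -", s)
```

Run as-is, only webserver-01 produces a finding: buildbox-02 has six risk events but only three distinct detection names, and dbhost-03 has a fourth name only if the lookback window is widened to cover its stale event. Lowering threshold to 3 surfaces both of the other hosts, which is the trade-off the Recommendation section describes when it says to adjust source_count to your environment's activity.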

Impact

A successful attack can lead to full control of the compromised Linux system. This can enable the attacker to access sensitive data, pivot to other systems in the network, or use the compromised system as a base for further attacks. The number of affected systems will depend on the scope of the initial compromise and the effectiveness of the attacker’s persistence and privilege escalation techniques.

Recommendation

  • Ensure Linux anomaly and TTP analytics are enabled as a prerequisite for this correlation search.
  • Tune the correlation search linux_persistence_and_privilege_escalation_risk_behavior_filter to reduce false positives based on your environment’s specific activity.
  • Review and adjust the threshold for source_count in the search query, currently set to 4, based on activity in your environment.
  • Investigate systems identified by this analytic using the drilldown searches to view detection results and risk events.
  • Deploy the following Sigma rules to complement this detection and identify specific persistence/privilege escalation techniques.

Detection coverage (2 rules)

Detect Cron Job Abuse for Persistence

high

Detects suspicious cron job modifications that could be used for persistence.

Rule type: sigma | Tactics: persistence | Techniques: T1053.003 | Log sources: process_creation, linux

Detect Exploitation of SUID/GUID Binaries for Privilege Escalation

medium

Detects execution of uncommon SUID/GUID binaries that could be used for privilege escalation.

Rule type: sigma | Tactics: privilege_escalation | Techniques: T1548.001 | Log sources: process_creation, linux
