Threat Feed advisory (severity: medium)

Linux Segfault from Sensitive Process Detected

This rule detects segfault messages in kernel logs originating from sensitive processes on Linux systems, indicating potential exploitation attempts that could lead to arbitrary code execution or credential access.

This detection rule monitors Linux kernel logs for segmentation fault (segfault) messages originating from a predefined list of sensitive processes. A segfault occurs when a program attempts to access a memory location it is not authorized to access, often resulting in program termination. This can be indicative of malicious activities like exploiting buffer overflows or injecting shared objects to execute arbitrary code or disrupt normal operations. The rule aims to identify potential exploitation attempts targeting sensitive system processes that could lead to credential access or system compromise. The rule was created on 2026/05/28 and updated on 2026/05/28. It is part of the Elastic detection rules.

Attack Chain

  1. Attacker gains initial access to the Linux system (e.g., via compromised service or vulnerability).
  2. Attacker attempts to exploit a vulnerability in a sensitive process (e.g., sshd, sudo, apache2).
  3. The exploitation attempt involves overflowing a buffer or injecting malicious code into the process’s memory space.
  4. The vulnerable process attempts to access the invalid memory location, triggering a segfault.
  5. The kernel logs record the segfault event, including the process name and other relevant details.
  6. The detection rule identifies the segfault message in the logs based on the process name and the presence of the “segfault” keyword.
  7. Depending on the vulnerability and attacker’s capabilities, this could lead to code execution with the process’s privileges.
  8. Successful exploitation could allow the attacker to dump credentials or gain further access to the system.
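The following is an added example written for this page; it is neither Elastic's rule nor the Sigma rules referred to later. It shows the matching logic the description and steps 5 and 6 of the chain rely on: parse the kernel's segfault message, keep only events whose process name is on a sensitive list, and decode the fault for the analyst. The message layout follows the x86 kernel format (`<comm>[<pid>]: segfault at <addr> ip <ip> sp <sp> error <code> in <object>[<base>+<size>]`); the sensitive-process list beyond sshd, sudo and apache2, and all log lines, are constructed for the example.

```python
"""Added example: flag kernel segfault messages from sensitive processes.

Illustrative code for this page, not Elastic's rule nor the Sigma rule the page
refers to. Process list (beyond sshd, sudo, apache2) and log lines are constructed.
"""
import re
from dataclasses import dataclass
from typing import Iterable, List, Optional

# The page names sshd, sudo, apache2 and "web servers"; the remaining entries
# are assumptions for this example and should be tuned per environment.
SENSITIVE_PROCESSES = frozenset({"sshd", "sudo", "su", "apache2", "httpd", "nginx", "login"})

# Kernel segfault line as emitted by arch/x86/mm/fault.c (show_signal_msg).
# Any trailing text after the optional "in <object>[...]" part is ignored.
SEGFAULT_RE = re.compile(
    r"(?P<comm>[^\s\[]+)\[(?P<pid>\d+)\]: segfault at (?P<addr>[0-9a-f]+)"
    r" ip (?P<ip>[0-9a-f]+) sp (?P<sp>[0-9a-f]+) error (?P<err>[0-9a-f]+)"
    r"(?: in (?P<obj>[^\s\[]+)\[(?P<base>[0-9a-f]+)\+(?P<size>[0-9a-f]+)\])?"
)

# x86 page-fault error code bits (arch/x86/include/asm/trap_pf.h).
PF_PROT, PF_WRITE, PF_USER, PF_RSVD, PF_INSTR = 0x1, 0x2, 0x4, 0x8, 0x10


@dataclass
class SegfaultEvent:
    comm: str
    pid: int
    fault_addr: int
    ip: int
    sp: int
    error: int
    obj: Optional[str]
    sensitive: bool

    @property
    def description(self) -> str:
        """Human-readable decode of the fault for the analyst triaging the alert."""
        kind = "write" if self.error & PF_WRITE else "read"
        if self.error & PF_INSTR:
            kind = "instruction fetch"
        reason = "protection violation" if self.error & PF_PROT else "page not present"
        where = f" in {self.obj}" if self.obj else ""
        return f"{self.comm}[{self.pid}]: {kind} of {self.fault_addr:#x} ({reason}){where}"


def parse_segfault(line: str) -> Optional[SegfaultEvent]:
    """Return a SegfaultEvent if the line carries a kernel segfault message, else None."""
    m = SEGFAULT_RE.search(line)
    if m is None:
        return None
    comm = m.group("comm")
    return SegfaultEvent(
        comm=comm,
        pid=int(m.group("pid")),
        fault_addr=int(m.group("addr"), 16),
        ip=int(m.group("ip"), 16),
        sp=int(m.group("sp"), 16),
        error=int(m.group("err"), 16),
        obj=m.group("obj"),
        sensitive=comm in SENSITIVE_PROCESSES,
    )


def detect(lines: Iterable[str]) -> List[SegfaultEvent]:
    """Mirror the rule: keep segfaults whose process name is on the sensitive list."""
    hits: List[SegfaultEvent] = []
    for line in lines:
        ev = parse_segfault(line)
        if ev is not None and ev.sensitive:
            hits.append(ev)
    return hits


# Constructed sample syslog lines carrying kernel messages; not real captures.
SAMPLE_LOG = [
    "May 28 10:15:33 host kernel: [12345.678901] sshd[2345]: segfault at 0 ip 00007f3a2b1c4d20 "
    "sp 00007ffd4c2e1a30 error 4 in libc.so.6[7f3a2b0f0000+178000]",
    "May 28 10:15:34 host kernel: [12346.000001] myapp[2400]: segfault at 10 ip 000055d0a1b2c3d4 "
    "sp 00007ffc12345678 error 6 in myapp[55d0a1b00000+20000]",
    "May 28 10:15:35 host sshd[2346]: Accepted publickey for alice from 10.0.0.5 port 51234 ssh2",
    "May 28 10:15:36 host kernel: [12347.000001] sudo[2500]: segfault at 41414141 "
    "ip 0000000041414141 sp 00007ffd00001000 error 14 likely on CPU 3 (core 3, socket 0)",
]

if __name__ == "__main__":
    for event in detect(SAMPLE_LOG):
        print(event.description)
```

Two caveats worth carrying into the real rule: the kernel only prints this message when the process has no SIGSEGV handler of its own and the `debug.exception-trace` sysctl is enabled, and the line is subject to printk rate limiting, so a burst of crashes can be partly dropped; and a fault on a non-canonical address is reported as a "general protection" message rather than "segfault", so keying on the segfault keyword alone does not cover every crash of a sensitive process.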

Impact

A successful exploitation can lead to arbitrary code execution, privilege escalation, credential access, and system compromise. Exploitation of sensitive processes like sshd or sudo can grant attackers root privileges, allowing them to control the entire system. While this rule itself does not indicate a successful compromise, it does indicate potential exploitation attempts. The rule triggers on segfaults from a predefined list of common sensitive processes.

Recommendation

  • Deploy the Sigma rule provided below to your SIEM to detect segfaults from sensitive processes on Linux systems.
  • Investigate any alerts generated by the Sigma rule to determine the root cause of the segfault.
  • Patch any identified vulnerabilities in the affected software or system components to prevent further exploitation attempts.
  • Enable Syslog logging of kernel events to ensure the availability of relevant log data for detection.
  • Audit and harden sensitive processes like sshd, sudo, and web servers to reduce the attack surface and potential for exploitation.

Detection coverage (2 rules)

Detect Segfault from Sensitive Process via Syslog

Severity: medium

Detects segfault messages in syslog from sensitive processes, indicating potential exploitation attempts on Linux systems.

Format: sigma
Tactics: credential_access, execution
Techniques: T1003, T1203, T1212
Sources: syslog, linux

Detect Segfault from Sensitive Process via Journald

Severity: medium

Detects segfault messages in journald from sensitive processes, indicating potential exploitation attempts on Linux systems.

Format: sigma
Tactics: credential_access, execution
Techniques: T1003, T1203, T1212
Sources: process_creation, linux
