Suspicious SUID Binary Execution for Privilege Escalation on Linux
This detection rule identifies suspicious executions of SUID binaries that may be used for privilege escalation on Linux systems, focusing on scenarios where the real user and parent user are not root, combined with minimal argument counts and suspicious parent contexts.
This rule detects the execution of Set User ID (SUID) binaries, a common privilege escalation technique on Linux systems. The focus is on identifying instances where a non-root user is executing SUID binaries as root, especially when the parent process also lacks root privileges. This scenario becomes particularly suspicious when combined with a low argument count for the SUID binary and a parent process indicative of scripted or automated execution. This alert helps identify attempts to bypass normal privilege controls using SUID binaries from unusual contexts, potentially indicating malicious activity. The rule aims to reduce false positives by filtering on minimal argument counts and identifying specific interpreters, writable paths, and short shell invocations as parent processes.
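As an added illustration, not the platform's Sigma rules (whose contents this brief does not show), the following Python applies the conditions described above to a few constructed process-creation events. The event field names, the argument-count threshold, and the "short shell invocation" form are assumptions; the SUID binaries, interpreters and writable paths are those the brief names.

```python
import os.path

SUID_BINARIES = {"su", "sudo", "pkexec"}             # binaries named in the brief
INTERPRETERS = {"python", "python3", "perl", "ruby"}  # scripting parents named in the brief
WRITABLE_PREFIXES = ("/tmp/", "/home/")              # user-writable paths named in the brief
MAX_ARGS = 1  # assumed threshold: at most one argument after argv[0]

def suspicious_parent(event):
    """Return which parent condition matched, or None. Field names are assumed."""
    parent_name = os.path.basename(event["parent_image"])
    if parent_name in INTERPRETERS:
        return "interpreter"
    if event["parent_image"].startswith(WRITABLE_PREFIXES):
        return "writable-path"
    # Short shell invocation, e.g. `sh -c '...'` (assumed form of that condition)
    if parent_name in {"sh", "bash", "dash"} and "-c" in event["parent_args"]:
        return "short-shell"
    return None

def evaluate(event):
    """Apply the rule's conditions in order; return (matched, reason)."""
    if os.path.basename(event["image"]) not in SUID_BINARIES:
        return False, "not a monitored SUID binary"
    if event["real_uid"] == 0 or event["parent_uid"] == 0:
        return False, "real user or parent user is root"
    if len(event["args"]) - 1 > MAX_ARGS:
        return False, "argument count above threshold"
    why = suspicious_parent(event)
    if why is None:
        return False, "parent context not suspicious"
    return True, why

# Constructed sample events (not real telemetry): two that should alert, two that should not.
SAMPLE_EVENTS = [
    {"image": "/usr/bin/su", "args": ["su"], "real_uid": 1000, "parent_uid": 1000,
     "parent_image": "/usr/bin/python3", "parent_args": ["python3", "x.py"]},
    {"image": "/usr/bin/pkexec", "args": ["pkexec"], "real_uid": 1000, "parent_uid": 1000,
     "parent_image": "/tmp/stage/run", "parent_args": ["run"]},
    {"image": "/usr/bin/sudo", "args": ["sudo", "apt", "update"], "real_uid": 1000,
     "parent_uid": 1000, "parent_image": "/bin/bash", "parent_args": ["-bash"]},
    {"image": "/usr/bin/sudo", "args": ["sudo", "-n", "true"], "real_uid": 0,
     "parent_uid": 0, "parent_image": "/usr/sbin/cron", "parent_args": ["cron"]},
]

def run_samples():
    return [evaluate(e) for e in SAMPLE_EVENTS]

if __name__ == "__main__":
    for event, result in zip(SAMPLE_EVENTS, run_samples()):
        print(os.path.basename(event["image"]), result)
```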
Attack Chain
- A user gains initial access to a Linux system with limited privileges.
- The user identifies SUID binaries present on the system using commands like find / -perm -4000 -ls.
- The user attempts to execute a SUID binary such as su, sudo, or pkexec.
- The SUID binary is executed with a minimal number of arguments (e.g., su with no username).
- The execution is initiated from a scripting environment such as Python, Perl, or Ruby.
- Alternatively, the SUID binary is invoked from a user-writable directory like /tmp or /home.
- If successful, the process runs with root privileges, allowing the attacker to perform privileged actions.
- The attacker exploits the elevated privileges to install malware, modify system configurations, or escalate privileges further.
Impact
Successful exploitation of SUID binaries for privilege escalation can lead to complete system compromise. An attacker can gain root privileges, allowing them to install persistent backdoors, exfiltrate sensitive data, or disrupt critical services. In environments where least privilege is strictly enforced, this type of escalation can bypass security controls and grant unauthorized access to sensitive resources.
Recommendation
- Deploy the Sigma rule Detect Suspicious SUID Binary Execution from Interpreters to identify SUID binary executions originating from scripting environments.
- Deploy the Sigma rule Detect Suspicious SUID Binary Execution from User-Writable Paths to detect SUID binary executions from unusual locations.
- Investigate any alerts generated by these rules, focusing on the parent process and the arguments passed to the SUID binary as described in the triage section of this brief.
- Review and harden sudoers policy and polkit policy for tampering as outlined in the original report.
- Monitor process creation events for executions matching the criteria outlined in the query field within the original report.
Detection coverage (2 rules)
Detect Suspicious SUID Binary Execution from Interpreters (severity: high): Detects suspicious SUID binary executions originating from scripting environments, potentially indicating privilege escalation attempts.
Detect Suspicious SUID Binary Execution from User-Writable Paths (severity: high): Detects suspicious SUID binary executions originating from user-writable paths, potentially indicating privilege escalation attempts.