Skip to content
Threat Feed
high advisory

Potential Linux Privilege Escalation via Parent Process Sequence

This brief describes a high-severity threat on Linux systems where attackers achieve local privilege escalation by executing a non-root process from a user- or world-writable directory that subsequently gains root privileges (UID 0), indicating a successful exploit to achieve full host compromise.

This threat focuses on a common technique used by attackers to gain root privileges on compromised Linux systems, often after achieving initial access with a low-privileged user. The core behavior involves an unprivileged process launching an executable from a suspicious, user- or world-writable location (e.g., /tmp, /var/tmp, user home directories). Shortly after execution, this process or a direct child process of its lineage performs a User ID (UID) change to 0 (root), without using legitimate elevation mechanisms like sudo. This sequence is a strong indicator of a successful local privilege escalation exploit, where an attacker has likely dropped or compiled a custom exploit binary and executed it to leverage a kernel vulnerability or misconfiguration. The immediate impact is full control over the compromised host, enabling further malicious activities like data exfiltration, lateral movement, or installing persistent backdoors.

Attack Chain

  1. Initial Compromise: Attacker gains initial access to a Linux system, typically as a low-privileged user (e.g., via a web application vulnerability, compromised credentials, or phishing).
  2. Exploit Delivery: The attacker uploads or compiles a local privilege escalation (LPE) exploit binary or script onto the compromised system.
  3. Exploit Staging: The exploit is placed in a user- or world-writable directory such as /tmp, /var/tmp, /dev/shm, or a user's home directory (/home/username/).
  4. Initial Execution: The attacker executes the staged exploit binary or script as the currently logged-in non-root user.
  5. Privilege Escalation: The exploit successfully leverages a vulnerability (e.g., kernel bug, misconfigured SUID binary) to change the effective User ID (UID) of its process to 0 (root).
  6. Root Shell/Post-Exploitation: The now-privileged process (running as root) typically spawns a root shell, adds persistent access, modifies system configurations, or prepares for lateral movement.
  7. Impactful Action: With root privileges, the attacker proceeds to achieve their objective, such as exfiltrating sensitive data, deploying ransomware, or establishing a command and control (C2) channel.

Impact

A successful local privilege escalation (LPE) grants attackers complete control over the compromised Linux host. This immediately opens the door to a wide range of destructive and covert activities. Attackers can read, modify, or delete any file on the system, including sensitive configuration files, user data, and system logs. They can install new software, create persistent backdoors (e.g., modifying sudoers, adding SSH keys, creating new systemd services), disable security software, and manipulate authentication mechanisms. The primary risk is often data exfiltration, followed by lateral movement to other systems within the network using the newly gained privileged access or stolen credentials. Uncontrolled LPE can lead to complete network compromise and significant financial and reputational damage.

Recommendation

  • Deploy the Sigma rule in this brief to your SIEM and tune for your environment.
  • Ensure process_creation logging is enabled on all Linux endpoints to capture User, ParentUser, Image, and ParentImage fields as needed by the Sigma rule.
  • Restrict write permissions on critical system directories and mount temporary file systems like /tmp and /var/tmp with noexec,nosuid,nodev where feasible, to prevent execution of arbitrary binaries.
  • Regularly audit and remove unnecessary SUID/SGID binaries and Linux capabilities using tools like find / -perm /6000 and getcap -r /.
  • Implement strong integrity monitoring for critical system files and executables to detect unauthorized modifications.

Detection coverage 1

Potential Linux Privilege Escalation from Writable Path

high

Detects a Linux process launched as root by a non-root parent, where the executable or its parent's executable originated from a user- or world-writable directory, excluding standard sudo usage. This indicates a potential local privilege escalation.

sigma tactics: privilege_escalation techniques: T1548, T1548.001 sources: process_creation, linux

Detection queries are available on the platform. Get full rules →