Potential Linux Privilege Escalation via Parent Process Sequence
This brief describes a high-severity threat on Linux systems where attackers achieve local privilege escalation by executing a non-root process from a user- or world-writable directory that subsequently gains root privileges (UID 0), indicating a successful exploit to achieve full host compromise.
This threat focuses on a common technique used by attackers to gain root privileges on compromised Linux systems, often after achieving initial access with a low-privileged user. The core behavior involves an unprivileged process launching an executable from a suspicious, user- or world-writable location (e.g., /tmp, /var/tmp, user home directories). Shortly after execution, this process or a direct child process of its lineage performs a User ID (UID) change to 0 (root), without using legitimate elevation mechanisms like sudo. This sequence is a strong indicator of a successful local privilege escalation exploit, where an attacker has likely dropped or compiled a custom exploit binary and executed it to leverage a kernel vulnerability or misconfiguration. The immediate impact is full control over the compromised host, enabling further malicious activities like data exfiltration, lateral movement, or installing persistent backdoors.
Attack Chain
- Initial Compromise: Attacker gains initial access to a Linux system, typically as a low-privileged user (e.g., via a web application vulnerability, compromised credentials, or phishing).
- Exploit Delivery: The attacker uploads or compiles a local privilege escalation (LPE) exploit binary or script onto the compromised system.
- Exploit Staging: The exploit is placed in a user- or world-writable directory such as
/tmp,/var/tmp,/dev/shm, or a user's home directory (/home/username/). - Initial Execution: The attacker executes the staged exploit binary or script as the currently logged-in non-root user.
- Privilege Escalation: The exploit successfully leverages a vulnerability (e.g., kernel bug, misconfigured SUID binary) to change the effective User ID (UID) of its process to
0(root). - Root Shell/Post-Exploitation: The now-privileged process (running as root) typically spawns a root shell, adds persistent access, modifies system configurations, or prepares for lateral movement.
- Impactful Action: With root privileges, the attacker proceeds to achieve their objective, such as exfiltrating sensitive data, deploying ransomware, or establishing a command and control (C2) channel.
Impact
A successful local privilege escalation (LPE) grants attackers complete control over the compromised Linux host. This immediately opens the door to a wide range of destructive and covert activities. Attackers can read, modify, or delete any file on the system, including sensitive configuration files, user data, and system logs. They can install new software, create persistent backdoors (e.g., modifying sudoers, adding SSH keys, creating new systemd services), disable security software, and manipulate authentication mechanisms. The primary risk is often data exfiltration, followed by lateral movement to other systems within the network using the newly gained privileged access or stolen credentials. Uncontrolled LPE can lead to complete network compromise and significant financial and reputational damage.
Recommendation
- Deploy the Sigma rule in this brief to your SIEM and tune for your environment.
- Ensure
process_creationlogging is enabled on all Linux endpoints to captureUser,ParentUser,Image, andParentImagefields as needed by the Sigma rule. - Restrict write permissions on critical system directories and mount temporary file systems like
/tmpand/var/tmpwithnoexec,nosuid,nodevwhere feasible, to prevent execution of arbitrary binaries. - Regularly audit and remove unnecessary SUID/SGID binaries and Linux capabilities using tools like
find / -perm /6000andgetcap -r /. - Implement strong integrity monitoring for critical system files and executables to detect unauthorized modifications.
Detection coverage 1
Potential Linux Privilege Escalation from Writable Path
highDetects a Linux process launched as root by a non-root parent, where the executable or its parent's executable originated from a user- or world-writable directory, excluding standard sudo usage. This indicates a potential local privilege escalation.
Detection queries are available on the platform. Get full rules →