Skip to content
Threat Feed
high advisory

Potential Linux Privilege Escalation via Suspicious UID Change

This brief details a high-severity threat where attackers exploit Linux systems to achieve local privilege escalation by executing a non-root process from a user- or world-writable directory (e.g., /tmp, /dev/shm) that subsequently changes its effective user ID to root (UID 0), indicating a successful abuse of a vulnerable setuid binary or kernel flaw to gain full system control.

This threat involves a sophisticated local privilege escalation (LPE) technique on Linux systems. Attackers, after gaining an initial foothold as a non-privileged user, deploy a malicious executable or script into commonly user- or world-writable directories such as /tmp, /dev/shm, /var/tmp, or a user's home directory (/home/). This staged binary is then executed with the non-root user's permissions. The core of the attack lies in the binary's ability to exploit a vulnerability—often a misconfigured or vulnerable setuid binary, a kernel flaw, or similar privilege escalation vector—to force a change in its own effective user ID (UID) to 0 (root) during runtime. This suspicious UID change from a non-root user to root, originating from an untrusted path, is a strong indicator of a successful LPE attempt, granting the attacker full control over the compromised Linux host.

Attack Chain

  1. Attacker gains initial access and establishes a foothold on a Linux system as a non-root user.
  2. A malicious executable or script (e.g., an LPE exploit, a wrapper) is deployed by the attacker into a user- or world-writable directory such as /tmp, /dev/shm, or /var/tmp.
  3. The attacker executes this deployed binary or script using their currently compromised non-root user privileges.
  4. The executed binary leverages an existing local vulnerability, such as a flawed setuid binary, a kernel exploit, or a misconfiguration.
  5. As a result of the exploitation, the running process successfully changes its effective user ID (UID) to 0, granting it root privileges.
  6. The attacker now operates with full system control, enabling further actions like persistence establishment, data exfiltration, or lateral movement.

Impact

Successful exploitation of this privilege escalation technique grants attackers full root privileges on the compromised Linux system. This allows them to bypass security controls, install backdoors, modify system configurations (e.g., /etc/shadow, /etc/sudoers), create new privileged accounts, access sensitive data across the entire system, and potentially establish persistent access. The impact can range from data theft and system manipulation to the use of the compromised host as a staging ground for further attacks within the network. The observed pattern of execution from temporary or user-writable directories followed by UID change indicates a high likelihood of malicious intent and could precede significant damage.

Recommendation

  • Deploy the Potential Linux Privilege Escalation via Suspicious Setuid Execution Sigma rule to your SIEM to detect this activity.
  • Ensure comprehensive endpoint logging for process_creation events on Linux systems, including User, ParentUser, and Image fields.
  • Review process ancestry and execution context for any alerts generated by the Potential Linux Privilege Escalation via Suspicious Setuid Execution rule, specifically around UID transitions.
  • Isolate any Linux hosts showing activity matching the Potential Linux Privilege Escalation via Suspicious Setuid Execution rule from the network to contain the threat.
  • Harden your Linux environment by regularly auditing and removing unnecessary setuid programs, and mounting writable directories like /tmp and /dev/shm with nosuid and noexec flags where feasible.

Detection coverage 1

Potential Linux Privilege Escalation via Suspicious Setuid Execution

high

Detects potential local privilege escalation on Linux where a process, now running as root, was spawned by a non-root parent from a user- or world-writable directory (e.g., /tmp, /dev/shm). This often indicates setuid binary abuse or a kernel exploit leading to an unauthorized UID change.

sigma tactics: privilege_escalation techniques: T1548, T1548.001 sources: process_creation, linux

Detection queries are available on the platform. Get full rules →