high
advisory
Kubernetes and Cloud Credential Path Access via Process Arguments
2 rules, 2 TTPs
This rule detects Linux process executions that access sensitive Kubernetes, cloud, and SSH credential files via common utilities, potentially indicating credential theft.
Elastic Defend +4
credential-access
kubernetes
cloud
linux
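The detection described above, as an added example that is not the catalog rule's own logic: it walks constructed process events, keeps only common file-reading utilities, and flags any argument that names a Kubernetes, cloud or SSH credential file. The utility set, the path patterns and the sample events are all assumptions made here, not the rule's real definitions.

```python
"""Added example, not the catalog rule's own logic: flag executions of
common file-reading utilities whose arguments point at Kubernetes, cloud
or SSH credential files. Utility and path lists are assumptions."""
import re
from dataclasses import dataclass

# Assumption: utilities commonly used to read or copy a secret off disk.
READER_UTILITIES = {"cat", "less", "more", "head", "tail", "cp", "scp",
                    "grep", "base64", "xxd", "strings", "vi", "vim", "nano"}

# Assumption: one regex per credential file, matched against a single argument.
CREDENTIAL_PATTERNS = [re.compile(p) for p in (
    r"(^|/)\.kube/config$",                                    # kubeconfig
    r"^/var/run/secrets/kubernetes\.io/serviceaccount/token$",  # pod SA token
    r"^/etc/kubernetes/[^/]+\.conf$",                           # admin.conf etc.
    r"(^|/)\.aws/credentials$",                                 # AWS CLI keys
    r"(^|/)\.config/gcloud/credentials\.db$",                   # gcloud creds
    r"(^|/)\.ssh/id_(rsa|ed25519|ecdsa|dsa)$",                  # SSH private keys
)]


@dataclass
class ProcessEvent:
    """Minimal stand-in for an endpoint exec event (user, process.name, process.args)."""
    user: str
    name: str
    args: list


def credential_args(event):
    """Return the arguments of `event` (argv[1:]) that name a credential file."""
    return [arg for arg in event.args[1:]
            if any(p.search(arg) for p in CREDENTIAL_PATTERNS)]


def detect(events):
    """Return (user, utility, matched paths) for each suspicious execution."""
    alerts = []
    for e in events:
        if e.name not in READER_UTILITIES:
            continue
        hits = credential_args(e)
        if hits:
            alerts.append((e.user, e.name, hits))
    return alerts


# Constructed sample events (not real telemetry).
SAMPLE_EVENTS = [
    ProcessEvent("dev", "cat", ["cat", "/home/dev/.kube/config"]),
    ProcessEvent("www-data", "cat",
                 ["cat", "/var/run/secrets/kubernetes.io/serviceaccount/token"]),
    ProcessEvent("root", "base64", ["base64", "-w0", "/root/.aws/credentials"]),
    ProcessEvent("dev", "cp", ["cp", "/home/dev/.ssh/id_ed25519", "/tmp/k"]),
    ProcessEvent("dev", "cat", ["cat", "/etc/hostname"]),        # benign path
    ProcessEvent("dev", "ls", ["ls", "-la", "/home/dev/.ssh"]),  # not a reader
    # Blind spot: `cat < ~/.kube/config` makes the shell open the file,
    # so cat's argv carries no path and an argument-based rule cannot see it.
    ProcessEvent("dev", "cat", ["cat"]),
]

if __name__ == "__main__":
    for alert in detect(SAMPLE_EVENTS):
        print(alert)
```

The last sample event is the caveat a practitioner should keep in mind: because the rule keys on process arguments, anything that passes the file through stdin, a symlink with an innocuous name, or a copy made by a tool outside the utility list goes undetected, so this rule belongs beside file-open auditing rather than in place of it.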
medium
advisory
Suspicious SUID Binary Execution Sequence on Linux
2 rules, 2 TTPs
This rule detects suspicious sequences in which a non-root user launches a high-risk parent process that then executes a common privilege-elevation helper, gaining an effective UID of 0 while the real UID remains non-root. Such a sequence can indicate misuse of SUID/SGID helpers or a privilege escalation attempt.
auditbeat-* +1
privilege-escalation
linux
suid
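The parent-then-helper sequence described above, as an added example that is not the catalog rule's own logic: it correlates audit-style exec records by pid/ppid, and raises an alert when a helper runs with euid 0 and a non-root ruid shortly after a high-risk parent was started by that same non-root user. The parent and helper lists, the time window and the sample records are assumptions made here.

```python
"""Added example, not the catalog rule's own logic: correlate a non-root
user's high-risk parent process with a child helper that runs with
euid 0 while ruid stays non-root. Process lists, window and events are
assumptions or constructed samples."""
from dataclasses import dataclass

# Assumption: parents that typically precede hands-on privilege escalation.
HIGH_RISK_PARENTS = {"bash", "sh", "zsh", "dash", "python3", "perl", "php"}
# Assumption: SUID/SGID or polkit-backed helpers that legitimately gain euid 0.
ELEVATION_HELPERS = {"sudo", "su", "pkexec", "doas", "passwd", "mount", "umount"}
WINDOW_SECONDS = 60  # assumption: max gap between parent exec and helper exec


@dataclass
class ExecEvent:
    """Stand-in for an audit exec record: real uid (ruid) and effective uid (euid)."""
    ts: float
    pid: int
    ppid: int
    name: str
    ruid: int
    euid: int


def find_suid_sequences(events, window=WINDOW_SECONDS):
    """Return (parent, helper, ruid, ts) for each parent->helper sequence
    where the helper has euid 0 but the real uid is still non-root."""
    latest_exec = {}  # pid -> most recent exec record seen for that pid
    alerts = []
    for e in sorted(events, key=lambda x: x.ts):
        if e.name in ELEVATION_HELPERS and e.euid == 0 and e.ruid != 0:
            parent = latest_exec.get(e.ppid)
            if (parent is not None
                    and parent.name in HIGH_RISK_PARENTS
                    and parent.ruid != 0
                    and e.ts - parent.ts <= window):
                alerts.append((parent.name, e.name, e.ruid, e.ts))
        latest_exec[e.pid] = e
    return alerts


# Constructed sample records (not real audit data). ruid/euid as a SUID exec
# would report them: the helper's euid becomes 0 while ruid stays 1000.
SAMPLE_EVENTS = [
    ExecEvent(0.0, 100, 1, "sshd", 0, 0),
    ExecEvent(1.0, 200, 100, "bash", 1000, 1000),
    ExecEvent(5.0, 201, 200, "sudo", 1000, 0),       # non-root shell -> sudo: alert
    ExecEvent(7.0, 202, 200, "ls", 1000, 1000),      # ordinary child, ignored
    ExecEvent(10.0, 300, 1, "cron", 0, 0),
    ExecEvent(11.0, 301, 300, "sudo", 0, 0),         # ruid already 0: not a SUID gain
    ExecEvent(12.0, 400, 100, "python3", 1000, 1000),
    ExecEvent(100.0, 401, 400, "pkexec", 1000, 0),   # 88 s after parent: outside window
]

if __name__ == "__main__":
    for alert in find_suid_sequences(SAMPLE_EVENTS):
        print(alert)
```

The ruid/euid split is what separates a SUID helper gaining root from a process that was root all along (the cron child above), so the check on `ruid != 0` is the part not to drop when tuning. A legitimate `sudo` from an interactive shell produces exactly the same sequence, so in practice the alert is scoped with allowlists for administrator accounts or correlated with failed authentications rather than fired on every match.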