{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata. Fed continuously.","feed_url":"https://feed.craftedsignal.io/products/logs-auditd_manager.auditd-/","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["auditbeat-*","logs-auditd_manager.auditd-*"],"_cs_severities":["medium"],"_cs_tags":["privilege-escalation","linux","suid"],"_cs_type":"advisory","_cs_vendors":["Elastic"],"content_html":"\u003cp\u003eThis detection identifies suspicious privilege escalation attempts on Linux systems by monitoring the execution of SUID binaries after a high-risk parent process is launched by a non-root user. Attackers may exploit misconfigured SUID/SGID binaries or abuse sudo/pkexec policies to gain elevated privileges. The detection focuses on sequences where a user initially executes a script interpreter, shell one-liner, or a binary from a user-writable directory and quickly transitions to executing privilege elevation tools like \u003ccode\u003esu\u003c/code\u003e, \u003ccode\u003esudo\u003c/code\u003e, \u003ccode\u003epkexec\u003c/code\u003e, \u003ccode\u003epasswd\u003c/code\u003e, \u003ccode\u003echsh\u003c/code\u003e, or \u003ccode\u003enewgrp\u003c/code\u003e. This behavior can indicate malicious activity, especially when combined with other suspicious indicators such as execution from temporary directories or the use of shell commands to bypass security restrictions. Defenders should investigate instances of this sequence to determine if the privilege escalation was authorized and to identify potential misconfigurations or policy violations.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eA non-root user executes a script interpreter (e.g., python, perl, bash) or a binary from a user-writable location such as \u003ccode\u003e/tmp\u003c/code\u003e, \u003ccode\u003e/var/tmp\u003c/code\u003e, or their home directory.\u003c/li\u003e\n\u003cli\u003eThe script or binary may contain malicious code designed to exploit vulnerabilities or misconfigurations in the system.\u003c/li\u003e\n\u003cli\u003eThe user then attempts to execute a privilege elevation tool such as \u003ccode\u003esudo\u003c/code\u003e, \u003ccode\u003esu\u003c/code\u003e, or \u003ccode\u003epkexec\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eThe privilege elevation tool is invoked without specific arguments that would normally indicate legitimate administrative use, such as explicitly specifying a command to execute with elevated privileges.\u003c/li\u003e\n\u003cli\u003eThe privilege elevation attempt succeeds, and the user gains an effective UID of 0, indicating root privileges.\u003c/li\u003e\n\u003cli\u003eThe attacker leverages the elevated privileges to perform malicious actions, such as installing malware, modifying system configurations, or accessing sensitive data.\u003c/li\u003e\n\u003cli\u003eThe attacker may attempt to establish persistence by creating a new user account, modifying startup scripts, or installing a rootkit.\u003c/li\u003e\n\u003cli\u003eThe ultimate objective is to gain complete control of the system and potentially use it as a launching point for further attacks on the network.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eA successful privilege escalation can grant an attacker complete control over the compromised system. This can lead to data breaches, system outages, and the installation of persistent backdoors. The potential damage depends on the value of the data stored on the system and the attacker\u0026rsquo;s objectives. In enterprise environments, a single compromised system can serve as a pivot point for lateral movement, potentially leading to widespread damage across the network.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eEnable Auditd Manager to collect process execution data (Data Source: Auditd Manager).\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule \u0026ldquo;Suspicious SUID Binary Execution (Auditd Sequence)\u0026rdquo; to your SIEM and tune for your environment (rule.name).\u003c/li\u003e\n\u003cli\u003eInvestigate any alerts generated by the Sigma rule, focusing on the parent process chain and the user\u0026rsquo;s recent activity (rule.note).\u003c/li\u003e\n\u003cli\u003eReview and harden sudoers policies and polkit configurations to prevent unauthorized privilege escalation (rule.note).\u003c/li\u003e\n\u003cli\u003eMonitor for changes to SUID/SGID file permissions to detect potential misconfigurations (references).\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-02T18:23:00Z","date_published":"2024-01-02T18:23:00Z","id":"/briefs/2024-01-02-suspicious-suid-binary-execution/","summary":"This rule detects suspicious sequences where a non-root user launches a high-risk parent process and then executes a common privilege elevation helper gaining an effective UID of 0 while the real UID remains non-root, potentially indicating misuse of SUID/SGID helpers or privilege escalation attempts.","title":"Suspicious SUID Binary Execution Sequence on Linux","url":"https://feed.craftedsignal.io/briefs/2024-01-02-suspicious-suid-binary-execution/"}],"language":"en","title":"CraftedSignal Threat Feed — Logs-Auditd_manager.auditd-*","version":"https://jsonfeed.org/version/1.1"}