Auditd — CraftedSignal Threat Feed

Potential Root Effective Shell from Non-Standard Path via Auditd

hello@craftedsignal.io — Fri, 01 May 2026 09:51:29 +0000

This detection identifies potential privilege escalation attempts on Linux systems by monitoring for processes with a root effective user ID (EUID) but a non-root real user ID (RUID), combined with the use of the -p flag (commonly used to preserve privileges in shells like bash or dash) and execution from a non-standard path (outside of /bin, /sbin, /usr/bin, etc.). Attackers may copy or link setuid-capable shells or similar helpers into writable locations to regain a root context after local exploitation. This behavior is often associated with post-exploitation activities where attackers attempt to maintain or regain elevated privileges. The rule relies on Auditd data to provide visibility into process execution events and user context. The original rule was published on 2026-04-24 by Elastic.

Attack Chain

Attacker gains initial access to the system with limited privileges (e.g., through exploiting a vulnerability or using stolen credentials).
Attacker identifies a writable directory outside of standard system binary paths (e.g., /tmp, /var/tmp).
Attacker copies or creates a symbolic link to a setuid-capable shell (e.g., /bin/bash, /bin/dash) into the identified writable directory. This copied shell retains the setuid bit.
Attacker executes the copied or linked shell from the non-standard path with the -p flag (e.g., /tmp/bash -p). The -p flag instructs the shell to preserve privileges, effectively running with the effective user ID (EUID) of root.
Auditd logs this process execution event, capturing the non-standard path, the use of the -p flag, the root EUID, and the non-root RUID.
The detection rule identifies the process execution event based on the criteria outlined above.
Attacker now has a root shell and can perform administrative tasks, install malware, or further compromise the system.

Impact

A successful privilege escalation attack can grant an attacker complete control over the compromised system. This allows them to access sensitive data, install malicious software, modify system configurations, and potentially pivot to other systems on the network. This can lead to data breaches, system downtime, and significant financial losses. The risk score for this type of activity is considered high due to the potential for significant impact.

Recommendation

Deploy the Sigma rule Potential Root Effective Shell from Non-Standard Path via Auditd to your SIEM and tune for your environment.
Ensure that Auditd Manager or Auditbeat is properly configured to collect process execution events with relevant fields (event.action, user.id, user.effective.id, process.args, and process.executable) as described in the rule setup to enable the rule to function correctly.
Investigate any alerts generated by this rule by inspecting process.executable, process.args, process.parent, and the full command line reconstructed in audit logs.
Regularly audit all setuid binaries on the filesystem to identify any unauthorized or malicious setuid executables.
Implement access controls and file integrity monitoring to prevent unauthorized modification of system binaries and writable directories.

Curl or Wget Execution from Container Context

hello@craftedsignal.io — Tue, 23 Jan 2024 12:00:00 +0000

This detection rule identifies instances of curl or wget being executed from within containers managed by runc on Linux systems. The rule leverages Auditd Manager to monitor system calls and flags processes running with the title runc init that then execute curl or wget. This activity is noteworthy because attackers often use these tools to download malicious payloads (stagers, scripts, implants) or to exfiltrate data after compromising a container. While these tools can be used legitimately within containers, their execution in the context of runc init suggests a higher risk of malicious activity. The rule focuses on narrowing the signal to the container runtime boundary where unexpected download clients are more worthy of review. The rule specifically leverages Auditd Manager for data collection.

Attack Chain

An attacker gains initial access to a host system, possibly through exploiting a vulnerability in an application running outside the container (e.g., web application).
The attacker identifies a containerized application running on the compromised host.
The attacker exploits a vulnerability within the container, or abuses a privileged workload within the container, to gain elevated privileges or code execution within the container.
The attacker uses curl or wget to download additional tools or scripts into the container. These tools might include reverse shells, credential dumping tools, or data exfiltration utilities.
The attacker executes the downloaded tools to further compromise the container or the underlying host.
The attacker uses curl or wget to stage data for exfiltration to an external server. This may involve compressing and encoding data before transmission.
The attacker initiates the data exfiltration process using curl or wget to send the staged data to a remote server controlled by the attacker.
The attacker achieves their final objective, which could include data theft, system disruption, or further lateral movement within the network.

Impact

Compromised containers can lead to data breaches, service disruptions, and further attacks on internal systems. Successful exploitation could allow attackers to steal sensitive data, install malware, or pivot to other parts of the network, impacting confidentiality, integrity, and availability. The number of affected systems depends on the scope of the container deployment and the privileges granted to the compromised container.

Recommendation

Deploy the Sigma rule Detect Curl or Wget Execution from Container Context to your SIEM and tune for your environment.
Enable Auditd Manager with syscall coverage including execve to capture process execution and arguments within containers, as mentioned in the rule’s setup instructions.
Correlate alerts from this rule with network logs to identify the destination IP addresses and domains contacted by the compromised container.
Baseline trusted images and exclude stable image digests or namespaces when noisy to reduce false positives, as suggested in the rule’s false positives section.

Suspicious Process Accessing Sensitive Identity Files via Auditd

hello@craftedsignal.io — Wed, 03 Jan 2024 12:00:00 +0000

This detection focuses on identifying unauthorized access to sensitive identity files on Linux systems. It leverages Auditd to monitor file access events and flags processes that are commonly used for copying, scripting, or staging files from temporary directories. The targeted files include Kubernetes service account tokens, kubelet configurations, cloud CLI configurations for AWS, Azure, and Google Cloud, root SSH keys, and Docker configurations. These files are critical for authentication and authorization within the system, and unauthorized access could lead to credential theft, privilege escalation, or lateral movement. This is especially important in cloud environments and containerized deployments where these files are commonly used for managing access to resources. The rule is designed to exclude user home paths to avoid false positives and focus on system-level access.

Attack Chain

An attacker gains initial access to a Linux system through various means, such as exploiting a vulnerability or compromising credentials.
The attacker uses a utility like cp, cat, or curl to access sensitive files such as /var/run/secrets/kubernetes.io/serviceaccount/token or /root/.ssh/id_rsa.
Auditd logs the file access event, capturing details about the process, user, and file path.
The detection rule identifies the suspicious process based on its name, executable path (e.g., /tmp/*), or command-line arguments.
The rule checks if the accessed file is in the list of sensitive identity files.
If both conditions are met, the rule triggers an alert, indicating potential unauthorized access to sensitive credentials.
The attacker exfiltrates the stolen credentials or uses them to move laterally within the network.
The attacker uses the stolen credentials to access cloud resources or other sensitive systems.

Impact

Successful exploitation can lead to the compromise of sensitive credentials, allowing attackers to gain unauthorized access to critical systems and data. This can result in data breaches, service disruptions, and financial losses. The targeted files contain credentials for Kubernetes clusters, cloud environments (AWS, Azure, Google Cloud), and SSH keys, potentially impacting a wide range of resources. The impact is particularly severe in environments where these credentials are used for managing critical infrastructure or accessing sensitive data.

Recommendation

Deploy the Auditd Manager integration with the specified audit rules in the provided setup steps to monitor access to sensitive identity files on Linux systems. Ensure auditd is properly configured and running (auditctl -l) to generate the necessary logs.
Deploy the Sigma rules provided to detect suspicious processes accessing sensitive identity files and tune them for your environment by excluding legitimate processes or users as needed.
Investigate alerts generated by the Sigma rules, focusing on the process name, executable, parent command line, and the accessed file path to determine the legitimacy of the access.
Review and harden file permissions on shared credential stores to prevent unauthorized access. Rotate exposed keys and tokens and invalidate cloud sessions if a compromise is suspected, as suggested in the rule’s documentation.