Threat Feed

Tag

Suid

6 briefs
high advisory

Suspicious SUID Binary Execution for Privilege Escalation on Linux

This detection rule identifies suspicious executions of SUID binaries that may be used for privilege escalation on Linux systems, focusing on scenarios where the real user and parent user are not root, combined with minimal argument counts and suspicious parent contexts.

privilege-escalation suid linux
high advisory

Potential Privilege Escalation via SUID/SGID on Linux

This rule detects potential privilege escalation under the root effective user when the real user and parent user are not root, indicative of the execution of binaries with SUID or SGID bits set, often exploited by adversaries to gain elevated access on Linux systems.

Elastic Endpoint Security privilege-escalation suid sgid linux
medium advisory

Potential Privilege Escalation via SUID/SGID on Linux

Attackers may leverage misconfigured SUID/SGID permissions on Linux systems to escalate privileges to root or establish persistence by executing processes with root privileges initiated by non-root users.

Elastic Defend privilege-escalation persistence defense-evasion suid sgid
medium advisory

Potential Privilege Escalation via SUID/SGID Abuse on Linux

This rule detects potential privilege escalation attempts on Linux systems by identifying processes running with root privileges but initiated by non-root users, indicative of SUID/SGID abuse.

Elastic Defend privilege-escalation persistence suid sgid
high advisory

Suspicious SUID Binary Execution on Linux

This rule detects the execution of privilege escalation helpers under the root effective user, when initiated by a non-root user with a suspicious parent process, indicating potential privilege escalation attempts.

privilege-escalation suid linux
medium advisory

Suspicious SUID Binary Execution Sequence on Linux

This rule detects suspicious sequences in which a non-root user launches a high-risk parent process and then executes a common privilege elevation helper that gains an effective UID of 0 while the real UID remains non-root, potentially indicating misuse of SUID/SGID helpers or a privilege escalation attempt.

auditbeat-* +1 privilege-escalation linux suid