heroui logo

Linux apt-get Privilege Escalation

Splunk Security Content

View Source
Summary
This detection rule identifies potential privilege escalation attempts on Linux systems. Specifically, it detects the execution of the 'apt-get' command using 'sudo', which raises security concerns as it may allow a user to escalate their privileges to root. The rule analyzes process execution logs sourced from Endpoint Detection and Response (EDR) agents, capturing details about command-line executions. If detected, this activity could indicate an unauthorized attempt to gain full system control, which might allow attackers to execute arbitrary commands, manage software installations, and possibly compromise the entire system. The detection relies heavily on proper configuration and ingestion of relevant process logs to ensure accuracy.
Categories
  • Linux
  • Endpoint
Data Sources
  • Pod
  • Process
ATT&CK Techniques
  • T1548.003
  • T1548
Created: 2024-11-13