
Summary
Detects a potential Linux local privilege escalation as a two-stage sequence: (1) a non-root process is started from a user- or world-writable directory (for example /tmp, /dev/shm, /var/tmp, /home/*, /run/user/*) or from a path whose parent directory is writable, and (2) a subsequent UID change to root (0) is observed, where the parent process was not already running as root and direct sudo invocations are excluded. This pattern is consistent with an attacker dropping a payload in a writable location and elevating privileges through a setuid/setgid wrapper or a kernel weakness. The rule is written in Elastic EQL and correlates the start/execution event from a writable path with the following UID-change event within a 30-second window. It maps to MITRE ATT&CK T1548 (Abuse Elevation Control Mechanism), specifically T1548.001 (Setuid and Setgid). Requiring both linked events, rather than either on its own, keeps false positives low on Linux endpoints: a build script run from /home or a root-owned cron job does not fire unless it is also followed by a non-sudo, non-root-parented transition to UID 0 within the window. The same constraints bound what the rule sees: a payload that gains root more than 30 seconds after it starts, or by a route that involves no UID transition of a running process (for example by planting a cron job or a systemd unit), falls outside this sequence and needs separate coverage.
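The correlation described above, as an added offline simulation that is not the rule's own EQL and does not use the Elastic stack. The event shape (dictionaries with ECS-like keys such as `process.executable`, `process.pid`, `user.id`, `process.parent.user.id`), the choice of `process.pid` as the sequence join key, the `exec`/`uid_change` action names, the sudo exclusion by process name, and the sample events are all assumptions made for illustration:

```python
"""Simulated two-stage correlation: start from a writable path, then a UID
change to root within 30 s.  Added example; field names, join key and the
sample events are assumptions, not the rule's EQL or real telemetry."""
import fnmatch
from datetime import datetime, timedelta

# Writable locations named in the summary; matched as globs on the executable path.
WRITABLE_GLOBS = ("/tmp/*", "/dev/shm/*", "/var/tmp/*", "/home/*", "/run/user/*")
MAXSPAN = timedelta(seconds=30)   # the 30-second sequence window
SUDO_NAMES = {"sudo"}             # assumed: direct sudo invocations are excluded in stage 2


def from_writable_path(executable: str) -> bool:
    """True if the executable lives under one of the writable locations."""
    return any(fnmatch.fnmatch(executable, g) for g in WRITABLE_GLOBS)


def is_stage1(ev: dict) -> bool:
    """Stage 1: a non-root process starts from a writable path."""
    return (ev["event.action"] == "exec"
            and ev["user.id"] != "0"
            and from_writable_path(ev["process.executable"]))


def is_stage2(ev: dict) -> bool:
    """Stage 2: the UID changes to root, the parent is not root, and the
    process is not sudo itself (assumed shape of the sudo exclusion)."""
    return (ev["event.action"] == "uid_change"
            and ev["user.id"] == "0"
            and ev["process.parent.user.id"] != "0"
            and ev["process.name"] not in SUDO_NAMES)


def correlate(events):
    """Join stage 1 and stage 2 on process.pid within MAXSPAN, mimicking
    `sequence by process.pid with maxspan=30s [stage1] [stage2]` in EQL.
    Returns the (stage1, stage2) pairs that fired, in time order."""
    pending = {}   # pid -> stage-1 event still waiting for its stage 2
    hits = []
    for ev in sorted(events, key=lambda e: e["@timestamp"]):
        pid = ev["process.pid"]
        if is_stage1(ev):
            pending[pid] = ev           # a newer stage 1 restarts the window
            continue
        if is_stage2(ev) and pid in pending:
            first = pending.pop(pid)    # the sequence either fires or expires here
            if ev["@timestamp"] - first["@timestamp"] <= MAXSPAN:
                hits.append((first, ev))
    return hits


# ---- constructed sample telemetry (not real events) ------------------------
T0 = datetime(2024, 1, 1, 12, 0, 0)


def _ev(secs, action, pid, executable, uid, parent_uid):
    return {"@timestamp": T0 + timedelta(seconds=secs), "event.action": action,
            "process.pid": pid, "process.executable": executable,
            "process.name": executable.rsplit("/", 1)[-1],
            "user.id": uid, "process.parent.user.id": parent_uid}


SAMPLE_EVENTS = [
    # Fires: payload in /tmp runs as uid 1000 and becomes root 5 s later.
    _ev(0, "exec", 4242, "/tmp/.x/payload", "1000", "1000"),
    _ev(5, "uid_change", 4242, "/tmp/.x/payload", "0", "1000"),
    # Excluded: script in $HOME execs sudo in the same pid; stage 2 is sudo itself.
    _ev(10, "exec", 4300, "/home/alice/deploy.sh", "1000", "1000"),
    _ev(11, "exec", 4300, "/usr/bin/sudo", "1000", "1000"),
    _ev(12, "uid_change", 4300, "/usr/bin/sudo", "0", "1000"),
    # Excluded: parent already root (root-owned job that dropped to 1000 before exec).
    _ev(20, "exec", 4400, "/var/tmp/job.sh", "1000", "0"),
    _ev(21, "uid_change", 4400, "/var/tmp/job.sh", "0", "0"),
    # Excluded: UID change lands 45 s after the exec, outside the 30 s window.
    _ev(30, "exec", 4500, "/dev/shm/slow", "1000", "1000"),
    _ev(75, "uid_change", 4500, "/dev/shm/slow", "0", "1000"),
    # Not stage 1: a system binary, even though it later becomes root.
    _ev(40, "exec", 4600, "/usr/bin/passwd", "1000", "1000"),
    _ev(41, "uid_change", 4600, "/usr/bin/passwd", "0", "1000"),
]


def alert_pids(events=None):
    """PIDs for which the two-stage sequence fired over the given events."""
    return [s1["process.pid"] for s1, _ in correlate(SAMPLE_EVENTS if events is None else events)]


if __name__ == "__main__":
    for s1, s2 in correlate(SAMPLE_EVENTS):
        delta = (s2["@timestamp"] - s1["@timestamp"]).total_seconds()
        print(f"ALERT pid={s1['process.pid']} {s1['process.executable']} "
              f"uid {s1['user.id']} -> {s2['user.id']} after {delta:.0f}s")
```

Only the first pair produces an alert; the other four cases exercise the sudo exclusion, the parent-not-root condition, the 30-second window, and the writable-path requirement respectively. Note that an intervening non-matching event (the `/usr/bin/sudo` exec on pid 4300) does not cancel a pending stage 1, which matches how an EQL sequence behaves; only an expired window or a completed sequence clears it.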
Categories
- Endpoint
- Linux
Data Sources
- Process
ATT&CK Techniques
- T1548
- T1548.001
Created: 2026-07-02