
Potential Privilege Escalation via a Parent/Child Process Sequence
Elastic Detection Rules
Summary
Detects potential local privilege escalation on Linux by monitoring a two-step parent/child process sequence. It triggers when a non-root user starts a process from a user- or world-writable directory (e.g., /tmp, /dev/shm, /var/tmp, /run/user, /home) and a child of that process subsequently changes its UID to 0 within a short window (maxspan 15s). The rule excludes direct sudo usage and correlates the start and UID-change events across the parent-child relationship to surface suspicious escalation. It maps to MITRE ATT&CK technique T1548.001 (Setuid/Setgid) under Privilege Escalation and is built for endpoint Linux telemetry. The investigation guidance emphasizes verifying artifacts in the writable location, reconstructing process ancestry, and checking for follow-on root actions, such as persistence, credential access, or network activity, to determine legitimacy and containment needs. The rule supports the triage and remediation workflows described in the accompanying guidance.
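To make the two-step correlation concrete, the following is an added Python re-implementation of the sequence logic described in the summary; it is not Elastic's rule or its EQL, and it is not code from the rule repository. It assumes a simplified event shape (timestamp, action, pid, ppid, uid, executable) in place of ECS fields, keys the parent/child match on pid rather than on an entity id, and interprets "excludes direct sudo usage" as skipping any start or UID-change event whose executable name is sudo. The event list is constructed for illustration.

```python
"""Added example: parent start in a writable dir -> child UID change to 0 within 15s."""
from datetime import datetime, timedelta

# Writable locations named in the rule summary (prefix match on the executable path).
WRITABLE_PREFIXES = ("/tmp/", "/dev/shm/", "/var/tmp/", "/run/user/", "/home/")
MAXSPAN = timedelta(seconds=15)  # window between parent start and child UID change


def ev(ts, action, pid, ppid, uid, exe):
    """Build one constructed process event (a minimal stand-in for ECS process fields)."""
    return {"ts": ts, "action": action, "pid": pid, "ppid": ppid,
            "uid": uid, "exe": exe, "name": exe.rsplit("/", 1)[-1]}


def in_writable_location(exe):
    """True when the executable lives under one of the writable prefixes."""
    return exe.startswith(WRITABLE_PREFIXES)


def detect(events):
    """Correlate non-root starts from writable dirs with a child's uid_change to 0.

    Returns one alert dict per matched parent/child pair, in timestamp order.
    """
    candidates = {}  # pid of a qualifying parent start -> that start event
    alerts = []
    for e in sorted(events, key=lambda x: x["ts"]):
        if e["action"] == "start":
            # Step 1: non-root user starts a process from a writable directory.
            # Direct sudo invocations are excluded (assumption about the rule's filter).
            if e["uid"] != 0 and in_writable_location(e["exe"]) and e["name"] != "sudo":
                candidates[e["pid"]] = e
        elif e["action"] == "uid_change" and e["uid"] == 0 and e["name"] != "sudo":
            # Step 2: a child of a candidate parent now runs as UID 0 within maxspan.
            parent = candidates.get(e["ppid"])
            if parent is not None:
                delay = e["ts"] - parent["ts"]
                if timedelta(0) <= delay <= MAXSPAN:
                    alerts.append({
                        "parent_pid": parent["pid"], "parent_exe": parent["exe"],
                        "child_pid": e["pid"], "child_exe": e["exe"],
                        "delay_s": delay.total_seconds(),
                    })
    return alerts


# Constructed sample telemetry: one true match, one out-of-window pair,
# one sudo-mediated pair (excluded), and one pair whose parent was already root.
T0 = datetime(2026, 7, 2, 10, 0, 0)
SAMPLE_EVENTS = [
    ev(T0, "start", 4242, 3000, 1000, "/tmp/build/stage1"),
    ev(T0 + timedelta(seconds=3), "uid_change", 4243, 4242, 0, "/tmp/build/stage2"),
    ev(T0 + timedelta(seconds=20), "start", 5000, 3000, 1000, "/home/alice/build/app"),
    ev(T0 + timedelta(seconds=40), "uid_change", 5001, 5000, 0, "/home/alice/build/app"),
    ev(T0 + timedelta(seconds=60), "start", 6000, 3000, 1001, "/home/bob/bin/wrapper"),
    ev(T0 + timedelta(seconds=62), "uid_change", 6001, 6000, 0, "/usr/bin/sudo"),
    ev(T0 + timedelta(seconds=80), "start", 7000, 1, 0, "/var/tmp/rootjob"),
    ev(T0 + timedelta(seconds=81), "uid_change", 7001, 7000, 0, "/var/tmp/rootjob"),
]

if __name__ == "__main__":
    for alert in detect(SAMPLE_EVENTS):
        print(alert)
```

Only the first pair fires: pid 4243 reaches UID 0 three seconds after its non-root parent started from /tmp. The second pair is outside the 15-second window, the third is a sudo child, and the fourth has a parent that was already root. In a streaming deployment the `candidates` map should also be pruned once an entry is older than `MAXSPAN`, and the match should be scoped per host, which the real rule does by sequencing on host and process entity identifiers.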
Categories
- Endpoint
- Linux
Data Sources
- Process
ATT&CK Techniques
- T1548
- T1548.001
Created: 2026-07-02