
Summary
Technical summary: This Elastic EQL rule detects a potential Linux privilege escalation by correlating two process events within a 15-second window (maxspan=15s), joined on host.id and process.parent.entity_id. The first event is a process start with event.action "exec" whose executable lives in a user- or world-writable location (for example /tmp, /dev/shm, /var/tmp, /run/user or /home) and whose own UID and parent UID are both non-root. The second event is a uid_change in the same lineage in which the process is now root (user.id == "0", compared as a string because ECS user.id is a keyword field), the parent is still non-root, and the executable is not one of the standard sudo binaries. The intent is to catch an attacker who drops or stages a binary in a writable path, executes it as an unprivileged user, and then switches to UID 0 to obtain a root shell or perform privileged actions.

Two properties of the query matter when assessing coverage. The second stage requires telemetry that reports the UID change as its own process event (event.action "uid_change"); exec-only process logging cannot satisfy it. The join key is the parent's entity ID rather than the process's own, so the process that becomes root must share a parent with the process executed from the writable path (typically it is that same process); a child spawned by the dropped binary has a different parent entity and would not be correlated.

MITRE ATT&CK mapping covers Abuse Elevation Control Mechanism (T1548) and its sub-technique Setuid and Setgid (T1548.001).

Investigation: check the executable's ownership, permissions (including any setuid/setgid bits) and hash, follow the activity of the newly root process and its descendants, and establish whether privileged actions were taken after the escalation. False positives can arise from legitimate maintenance or user-initiated scripts run out of writable paths (package installers or build tooling that unpack into /tmp, for instance); review hits against known maintenance windows and expected behaviour. Remediation: isolate the host, remove the suspicious binaries and any persistence the attacker established, rotate credentials exposed on the host, and harden writable directories (for example mounting them noexec and nosuid where the workload allows) together with the privilege escalation vector that was used.
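The following is an added example, not the rule's own EQL text or Elastic code: a Python model of the two-stage sequence described above, run over constructed ECS-style process events, followed by the file-triage step an analyst performs on the executable a hit points at. Field names follow ECS as described in the summary; the writable-path prefixes, the sudo exclusion list, the single-candidate-per-join-key simplification of EQL sequence matching, and the sample events are all assumptions made for the example.

```python
"""Model of the writable-path exec -> uid_change-to-root sequence (added example)."""
import hashlib
import os
import stat
import tempfile
from datetime import datetime, timedelta

# Assumed approximation of the rule's writable-location patterns.
WRITABLE_PREFIXES = ("/tmp/", "/dev/shm/", "/var/tmp/", "/run/user/", "/home/")
# Assumed list of sudo binaries excluded from the second stage.
SUDO_BINARIES = {"/usr/bin/sudo", "/bin/sudo", "/usr/local/bin/sudo"}
MAXSPAN = timedelta(seconds=15)


def _ts(event):
    return datetime.fromisoformat(event["@timestamp"].replace("Z", "+00:00"))


def is_nonroot_exec_from_writable(event):
    """Stage 1: non-root exec of a binary under a writable path, non-root parent."""
    return (event.get("event.type") == "start"
            and event.get("event.action") == "exec"
            and event["process.executable"].startswith(WRITABLE_PREFIXES)
            and event["user.id"] != "0"            # ECS user.id is a keyword string
            and event["process.parent.user.id"] != "0")


def is_uid_change_to_root(event):
    """Stage 2: process is now UID 0, parent still non-root, not via sudo."""
    return (event.get("event.action") == "uid_change"
            and event["user.id"] == "0"
            and event["process.parent.user.id"] != "0"
            and event["process.executable"] not in SUDO_BINARIES)


def detect(events):
    """Return (stage1, stage2) pairs joined on host.id + process.parent.entity_id
    and no more than MAXSPAN apart. Simplification (assumed): one in-flight
    stage-1 candidate per join key, replaced by any newer stage-1 match."""
    pending, hits = {}, []
    for event in sorted(events, key=_ts):
        key = (event["host.id"], event["process.parent.entity_id"])
        if is_nonroot_exec_from_writable(event):
            pending[key] = event
        elif is_uid_change_to_root(event) and key in pending:
            first = pending.pop(key)
            if _ts(event) - _ts(first) <= MAXSPAN:
                hits.append((first, event))
    return hits


def triage_executable(path):
    """Ownership, permission bits, setuid flag and SHA-256 of a dropped binary."""
    st = os.stat(path)
    with open(path, "rb") as fh:
        digest = hashlib.sha256(fh.read()).hexdigest()
    return {"uid": st.st_uid, "gid": st.st_gid,
            "mode": oct(stat.S_IMODE(st.st_mode)),
            "setuid": bool(st.st_mode & stat.S_ISUID), "sha256": digest}


def triage_demo():
    """Write a constructed placeholder file, mark it setuid, triage it, clean up."""
    fd, path = tempfile.mkstemp(prefix="payload-")
    with os.fdopen(fd, "wb") as fh:
        fh.write(b"#!/bin/sh\nid\n")  # placeholder content, not a real payload
    os.chmod(path, 0o4755)
    try:
        return triage_executable(path)
    finally:
        os.unlink(path)


def _event(ts, host, action, exe, uid, puid, pent, etype=None):
    e = {"@timestamp": ts, "host.id": host, "event.action": action,
         "process.executable": exe, "user.id": uid,
         "process.parent.user.id": puid, "process.parent.entity_id": pent}
    if etype:
        e["event.type"] = etype
    return e


# Constructed sample events (not real telemetry). Only host-a should fire.
SAMPLE_EVENTS = [
    # host-a: binary in /tmp exec'd as uid 1000, becomes uid 0 four seconds later -> hit
    _event("2026-07-02T10:00:00Z", "host-a", "exec", "/tmp/.cache/payload", "1000", "1000", "pa-1", "start"),
    _event("2026-07-02T10:00:04Z", "host-a", "uid_change", "/tmp/.cache/payload", "0", "1000", "pa-1"),
    # host-a: ordinary sudo from a system path -> fails stage 1, excluded in stage 2
    _event("2026-07-02T10:01:00Z", "host-a", "exec", "/usr/bin/sudo", "1000", "1000", "pa-2", "start"),
    _event("2026-07-02T10:01:00Z", "host-a", "uid_change", "/usr/bin/sudo", "0", "1000", "pa-2"),
    # host-b: same pattern but 30 s apart -> outside maxspan
    _event("2026-07-02T11:00:00Z", "host-b", "exec", "/var/tmp/build.sh", "1000", "1000", "pb-1", "start"),
    _event("2026-07-02T11:00:30Z", "host-b", "uid_change", "/var/tmp/build.sh", "0", "1000", "pb-1"),
    # host-c: parent is already root at the uid change -> stage 2 fails
    _event("2026-07-02T12:00:00Z", "host-c", "exec", "/home/bob/tool", "1000", "1000", "pc-1", "start"),
    _event("2026-07-02T12:00:02Z", "host-c", "uid_change", "/home/bob/tool", "0", "0", "pc-1"),
]


def run_demo():
    return detect(SAMPLE_EVENTS)
```

Running run_demo() yields a single pair for host-a; the sudo, out-of-window and root-parent cases are dropped by the stage predicates and the maxspan check respectively. triage_demo() shows what to record for the flagged executable: a setuid bit on a file owned by an unprivileged user in a writable directory is itself a strong indicator and should be captured with the hash before the file is removed.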
Categories
- Endpoint
- Linux
Data Sources
- Process
ATT&CK Techniques
- T1548
- T1548.001
Created: 2026-07-02