
Potential Privilege Escalation via UID INT_MAX Bug Detected

Elastic Detection Rules

Summary
This detection rule monitors execution of the `systemd-run` command by Linux users whose User ID (UID) is larger than `INT_MAX` (2,147,483,647). On older Linux distributions a bug caused such oversized UIDs to be mishandled, letting a user invoke `systemd-run` to escalate privileges and gain access to system resources they were not authorized to use. The rule is an EQL query over process-creation events that requires all of the following to hold: the OS type is Linux, the event type indicates a process start, the process name is `systemd-run` invoked with the `-t` argument, the argument count is above a minimum, and the UID exceeds the threshold above. An alert from this rule should prompt immediate investigation of both the user account and the process command line, including a review of system logs and the account's history for anomalies.
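The following is an added example, not the rule's own EQL or any Elastic code: it renders the conditions described above as a plain-Python check and runs it over constructed process-start events. The record field names, the `MIN_ARGS` threshold (the page only says "a sufficient number of arguments") and the sample UIDs and command lines are all assumptions made for the example.

```python
"""Added example: Python rendering of the detection logic described above.
Not the Elastic rule's EQL; field names and MIN_ARGS are assumptions."""
import shlex
from dataclasses import dataclass
from typing import List

INT_MAX = 2_147_483_647  # largest signed 32-bit value; the rule's UID threshold

# Assumption: the rule requires "a sufficient number of arguments" without
# stating how many; three (binary, -t, a command) is a constructed stand-in.
MIN_ARGS = 3


@dataclass(frozen=True)
class ProcessEvent:
    """Minimal process-start record (constructed schema, not ECS field names)."""
    host_os: str
    event_type: str
    process_name: str
    command_line: str
    user_id: int


def matches_rule(event: ProcessEvent) -> bool:
    """Return True only when every condition of the rule holds for this event."""
    if event.host_os != "linux" or event.event_type != "start":
        return False
    if event.process_name != "systemd-run":
        return False
    args = shlex.split(event.command_line)
    # '-t' must appear as an argument (not as the binary name itself) and the
    # argument list must reach the assumed minimum length.
    if len(args) < MIN_ARGS or "-t" not in args[1:]:
        return False
    # Core condition: a UID that does not fit in a signed 32-bit integer.
    return event.user_id > INT_MAX


def find_alerts(events: List[ProcessEvent]) -> List[ProcessEvent]:
    """Filter a batch of events down to those that would raise this alert."""
    return [e for e in events if matches_rule(e)]


# Constructed sample events covering the boundary cases a defender cares about.
SAMPLE_EVENTS = [
    # root using systemd-run -t: UID in range, no alert
    ProcessEvent("linux", "start", "systemd-run", "systemd-run -t /bin/sh", 0),
    # ordinary user, UID 1000: no alert
    ProcessEvent("linux", "start", "systemd-run", "systemd-run -t /bin/sh", 1000),
    # UID exactly INT_MAX: still representable, rule uses strictly greater, no alert
    ProcessEvent("linux", "start", "systemd-run", "systemd-run -t /bin/sh", INT_MAX),
    # oversized UID but no -t and too few arguments: no alert
    ProcessEvent("linux", "start", "systemd-run", "systemd-run --version", 4_000_000_000),
    # oversized UID running an unrelated binary: no alert
    ProcessEvent("linux", "start", "ls", "ls -la /tmp", 4_000_000_000),
    # oversized UID with systemd-run -t and a command: this one alerts
    ProcessEvent("linux", "start", "systemd-run", "systemd-run -t /bin/sh", 4_000_000_000),
]


if __name__ == "__main__":
    for hit in find_alerts(SAMPLE_EVENTS):
        print(f"ALERT uid={hit.user_id} cmd={hit.command_line!r}")
```

The boundary event with a UID of exactly `INT_MAX` is included on purpose: the rule's condition is "greater than", so a UID that still fits in a signed 32-bit integer does not alert, and a port of this logic to another SIEM should preserve that strict comparison.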
Categories
  • Linux
  • Endpoint
  • Infrastructure
Data Sources
  • Process
  • User Account
  • Application Log
ATT&CK Techniques
  • T1068
Created: 2023-07-27