
Summary
The 'Linux Cpulimit Privilege Escalation' analytic rule detects suspicious use of the 'cpulimit' command when it is executed through 'sudo' on a Linux host. 'cpulimit' is a legitimate utility for capping the CPU usage of a process, but it can also launch a target program itself: with the '-f' (foreground) flag it runs the given command and waits for it to exit. If a sudoers rule lets a user run 'cpulimit' with elevated privileges, that target program inherits root, so 'sudo cpulimit -l <percent> -f /bin/sh' yields a root shell. The detection uses Endpoint Detection and Response (EDR) process-execution telemetry, examining the recorded command-line arguments, and looks specifically for 'cpulimit' invoked via 'sudo' with both the '-l' and '-f' flags present. Because administrators may occasionally run 'cpulimit' under 'sudo' for legitimate throttling, analysts should triage the program passed after '-f'; a shell or interpreter as the target is the strongest indicator of abuse. Given that a successful attempt results in full system compromise, timely detection and response are important.
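The logic described above, written out as an added Python example (this is not the rule's own search and not code from the detection content project). It assumes an EDR event shape with a parent process name and a full command line, both of which are assumptions for this example, and the sample events are constructed rather than real telemetry. It goes slightly beyond the text by also recognising the long-form '--limit' and '--foreground' spellings and flags that are packed together (such as '-fl100'), and it extracts the target program so the analyst can see what was launched as root.

```python
"""Added example: detect sudo-launched cpulimit runs carrying both -l and -f.

Not the analytic rule's own query. The ProcessEvent shape below is an
assumption about what an EDR agent records; SAMPLE_EVENTS are constructed.
"""
import os
import shlex
from dataclasses import dataclass

# cpulimit options that take an argument (limit, pid, exe); assumption drawn
# from the cpulimit man page, used only to skip option values while parsing.
VALUE_OPTS = {"l", "p", "e"}
LONG_TO_SHORT = {"--limit": "l", "--pid": "p", "--exe": "e",
                 "--foreground": "f", "--lazy": "z", "--verbose": "v", "--kill": "k"}
# Triage hint (assumption): targets that hand the attacker an interactive root context.
INTERPRETERS = {"sh", "bash", "dash", "zsh", "ksh", "python", "python3", "perl", "ruby"}


@dataclass
class ProcessEvent:
    host: str
    user: str
    parent_process_name: str   # e.g. "sudo" when the agent records the child process
    process_name: str
    process: str               # full command line as recorded by the agent


@dataclass
class CpulimitInvocation:
    via_sudo: bool
    flags: set
    target: list               # argv of the program cpulimit was asked to launch


def parse_cpulimit(cmdline, parent_process_name=""):
    """Return a CpulimitInvocation for a cpulimit command line, or None if not cpulimit."""
    try:
        argv = shlex.split(cmdline)
    except ValueError:          # unbalanced quotes in the recorded command line
        return None
    names = [os.path.basename(a) for a in argv]
    if "cpulimit" not in names:
        return None
    idx = names.index("cpulimit")
    # sudo may appear as a prefix in the command line or as the parent process.
    via_sudo = parent_process_name == "sudo" or "sudo" in names[:idx]
    flags, target = set(), []
    args = argv[idx + 1:]
    i = 0
    while i < len(args):
        tok = args[i]
        if tok.startswith("--"):
            name, _, value = tok.partition("=")
            short = LONG_TO_SHORT.get(name)
            if short:
                flags.add(short)
                if short in VALUE_OPTS and not value:
                    i += 1      # value sits in the next token
            i += 1
        elif tok.startswith("-") and len(tok) > 1:
            letters = tok[1:]   # packed short options, e.g. -fl100 or -fl 100
            for j, c in enumerate(letters):
                flags.add(c)
                if c in VALUE_OPTS:
                    if j == len(letters) - 1:
                        i += 1  # value sits in the next token
                    break       # remaining characters are the value
            i += 1
        else:
            target = args[i:]   # first non-option token starts the target command
            break
    return CpulimitInvocation(via_sudo, flags, target)


def is_interpreter(target):
    return bool(target) and os.path.basename(target[0]) in INTERPRETERS


def detect(events):
    """Return one finding per event where sudo + cpulimit carries both -l and -f."""
    findings = []
    for ev in events:
        inv = parse_cpulimit(ev.process, ev.parent_process_name)
        if inv is None or not inv.via_sudo or not {"l", "f"} <= inv.flags:
            continue
        findings.append({"host": ev.host, "user": ev.user,
                         "target": " ".join(inv.target) or "(none)",
                         "shell_target": is_interpreter(inv.target)})
    return findings


# Constructed sample events, not real telemetry.
SAMPLE_EVENTS = [
    ProcessEvent("web01", "deploy", "bash", "sudo", "sudo cpulimit -l 100 -f /bin/sh"),
    ProcessEvent("web01", "deploy", "sudo", "cpulimit", "cpulimit -l 100 -f /bin/sh"),
    ProcessEvent("build02", "ci", "bash", "cpulimit", "cpulimit -l 50 -p 4242"),
    ProcessEvent("build02", "ci", "bash", "sudo", "sudo cpulimit --limit=100 --foreground /bin/bash"),
    ProcessEvent("build02", "ci", "bash", "cpulimit", "cpulimit -l 30 -f ./build.sh"),
    ProcessEvent("db03", "dba", "sudo", "cpulimit", "cpulimit -l 20 -f /opt/app/batch.sh"),
]

if __name__ == "__main__":
    for f in detect(SAMPLE_EVENTS):
        print(f)
```

The first two sample events are the same sudo run seen from both sides (the sudo wrapper and its cpulimit child); agents that record both will produce two hits for one action, so deduplicate on host, user and time window before paging anyone. The last finding (a batch script as the target) matches the rule but is the kind of hit the triage note in the summary is about.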
Categories
- Linux
- Endpoint
Data Sources
- Process
- Application Log
ATT&CK Techniques
- T1548.003
- T1548
Created: 2024-11-13