
Summary
This detection rule monitors for potential privilege escalation attempts in Linux environments by looking for unusual user ID (UID) changes initiated by previously unknown executables. Attackers may exploit vulnerable programs or hijack execution flows using rootkits to gain root access without detection. The rule alerts on UID changes where the new user ID is root ("0"), specifically when the process was spawned from an unsecured or custom shell environment (e.g., bash, zsh) but its executable does not reside in a standard system path. It excludes processes belonging to known safe executables, which keeps the alert volume focused on stealthy privilege escalation maneuvers. The rule is integrated with Elastic Defend and requires a properly configured Elastic Agent to function. The provided investigation guide assists analysts in reviewing alerts, identifying true threats, addressing false positives, and responding to incidents promptly.
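The following is an added illustrative re-implementation of the matching logic the summary describes, written for this page; it is not Elastic's rule query and does not reproduce the rule's real exclusion list. Field names are modelled loosely on ECS (process.executable, process.parent.name, user.id), the list of "standard system paths", the addition of "sh" to the shell parents, and the allowlisted path are all assumptions, and every sample event is constructed.

```python
"""Constructed example: evaluate UID-change events against the conditions the
rule summary describes (new uid is root, parent is a shell, executable outside
standard paths, not on a known-safe list).  Not Elastic's own rule logic."""

from dataclasses import dataclass
from typing import List, Optional, Tuple

# Directories treated as "standard system paths" (assumed list, not from the rule).
STANDARD_PREFIXES = (
    "/bin/", "/sbin/", "/usr/bin/", "/usr/sbin/", "/usr/local/bin/", "/usr/local/sbin/",
)

# Shell parents named in the summary (bash, zsh); "sh" is added as an assumption.
SHELL_PARENTS = {"bash", "zsh", "sh"}

# Hypothetical allowlist standing in for the rule's "known safe executables".
KNOWN_SAFE_EXECUTABLES = {"/opt/example-corp/bin/privhelper"}

ROOT_UID = "0"


@dataclass
class UidChangeEvent:
    pid: int
    executable: str      # process.executable
    parent_name: str     # process.parent.name
    previous_uid: str    # user.id before the change (ECS stores ids as strings)
    new_uid: str         # user.id after the change


def is_standard_path(executable: str) -> bool:
    """True when the binary lives under one of the assumed system directories."""
    return executable.startswith(STANDARD_PREFIXES)


def evaluate(event: UidChangeEvent) -> Optional[str]:
    """Return an alert reason when the event matches the rule's conditions, else None."""
    if event.new_uid != ROOT_UID:
        return None                      # only transitions *to* root are of interest
    if event.previous_uid == ROOT_UID:
        return None                      # already root: 0 -> 0 is not an escalation
    if event.parent_name not in SHELL_PARENTS:
        return None                      # rule scopes to processes spawned by a shell
    if is_standard_path(event.executable):
        return None                      # sudo/su and friends live here; expected behaviour
    if event.executable in KNOWN_SAFE_EXECUTABLES:
        return None                      # explicit allowlist exclusion
    return (f"uid {event.previous_uid}->0 via non-standard executable "
            f"{event.executable} spawned by {event.parent_name}")


def run_detection(events: List[UidChangeEvent]) -> List[Tuple[int, str]]:
    """Run every event through evaluate() and collect (pid, reason) pairs."""
    alerts = []
    for ev in events:
        reason = evaluate(ev)
        if reason:
            alerts.append((ev.pid, reason))
    return alerts


# Constructed sample events (not real telemetry).
SAMPLE_EVENTS = [
    UidChangeEvent(101, "/usr/bin/sudo", "bash", "1000", "0"),                   # standard path
    UidChangeEvent(102, "/tmp/.cache/updater", "bash", "1000", "0"),             # should alert
    UidChangeEvent(103, "/tmp/.cache/updater", "cron", "1000", "0"),             # parent not a shell
    UidChangeEvent(104, "/opt/example-corp/bin/privhelper", "zsh", "1000", "0"), # allowlisted
    UidChangeEvent(105, "/tmp/.cache/updater", "zsh", "1000", "1000"),           # no uid change to root
    UidChangeEvent(106, "/root/bin/tool", "bash", "0", "0"),                     # already root
]

if __name__ == "__main__":
    for pid, reason in run_detection(SAMPLE_EVENTS):
        print(f"ALERT pid={pid}: {reason}")
```

Only the event for pid 102 survives all five checks; the others show the exclusions that keep the rule from firing on ordinary sudo use, allowlisted helpers, non-shell parents, and processes that were already root. When triaging a real alert, the executable path, its hash and the full parent chain are what the investigation guide would have an analyst pull first.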
Categories
- Endpoint
- Linux
Data Sources
- Process
- Script
- Application Log
ATT&CK Techniques
- T1574
- T1574.013
- T1014
Created: 2023-10-26