
Summary
This detection rule identifies potential privilege escalation attempts involving PHP on Linux systems. It specifically looks for PHP being executed through 'sudo' with a command line that invokes 'system', which indicates that an attacker may be trying to run system-level commands with elevated privileges. The detection is built on process data collected from Endpoint Detection and Response (EDR) agents and keys on the details of process command-line arguments to pinpoint suspicious activity. The detection matters because the observed behavior can indicate an attack aimed at gaining full root access, which would compromise the entire Linux system. The analytic uses extensive event logging from Sysmon for Linux to give an in-depth view of process activity; because benign administrative use can produce similar command lines, careful filtering is recommended to limit false positives.
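As an added illustration of the command-line logic this rule describes (not the rule's own search, which is not reproduced on this page), the following Python applies a sudo-plus-php-plus-system() check to constructed Sysmon-for-Linux-style process events. The event fields, regexes and sample command lines are assumptions; the systemctl line shows the kind of substring false positive the summary warns about.

```python
import os
import re
import shlex

# Constructed Sysmon-for-Linux-style process events for this example; not real telemetry.
SAMPLE_EVENTS = [
    {"host": "web01", "user": "www-data", "cmdline": "sudo php -r 'system(\"id\");'"},
    {"host": "web01", "user": "deploy", "cmdline": "php artisan migrate"},
    {"host": "db02", "user": "ops", "cmdline": "sudo systemctl restart php-fpm"},
    {"host": "web02", "user": "ops", "cmdline": "sudo /usr/bin/php8.2 -r 'system(\"id\");'"},
]

PHP_BINARY = re.compile(r"^php(\d+(\.\d+)?)?$")  # php, php8, php8.2 (assumed naming)
PHP_SYSTEM_CALL = re.compile(r"\bsystem\s*\(")    # the PHP system() call, not 'systemctl'


def parse_cmdline(cmdline):
    """Split a command line the way a shell would; fall back to whitespace on bad quoting."""
    try:
        return shlex.split(cmdline)
    except ValueError:
        return cmdline.split()


def is_sudo_php_system(cmdline):
    """True when php runs under sudo and the PHP code passed to it calls system()."""
    tokens = parse_cmdline(cmdline)
    basenames = [os.path.basename(t) for t in tokens]
    if not basenames or basenames[0] != "sudo":
        return False
    runs_php = any(PHP_BINARY.match(b) for b in basenames[1:])
    # Match system( per argument rather than as a raw substring of the whole line,
    # so that 'systemctl' and similar names do not trigger the rule.
    calls_system = any(PHP_SYSTEM_CALL.search(t) for t in tokens[1:])
    return runs_php and calls_system


def detect(events):
    """Return the matching events in input order, for triage or alerting."""
    return [e for e in events if is_sudo_php_system(e["cmdline"])]


if __name__ == "__main__":
    for hit in detect(SAMPLE_EVENTS):
        print(f"{hit['host']} {hit['user']}: {hit['cmdline']}")
```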
Categories
- Linux
- Endpoint
Data Sources
- Pod
- Container
- User Account
- Process
ATT&CK Techniques
- T1548.003
- T1548
Created: 2024-11-13