Potential Privilege Escalation via Recently Compiled Executable

edit

Potential Privilege Escalation via Recently Compiled Executable

edit

This rule monitors a sequence involving a program compilation event followed by its execution and a subsequent alteration of UID permissions to root privileges. This behavior can potentially indicate the execution of a kernel or software privilege escalation exploit.

Rule type: eql

Rule indices:

  • logs-endpoint.events.*

Severity: medium

Risk score: 47

Runs every: 5m

Searches indices from: now-9m (Date Math format, see also Additional look-back time)

Maximum alerts per execution: 100

References: None

Tags:

  • Domain: Endpoint
  • OS: Linux
  • Use Case: Threat Detection
  • Tactic: Privilege Escalation
  • Use Case: Vulnerability
  • Data Source: Elastic Defend

Version: 1

Rule authors:

  • Elastic

Rule license: Elastic License v2

Rule query

edit
sequence by host.id with maxspan=1m
  [process where host.os.type == "linux" and event.action == "exec" and event.type == "start" and
   process.name in ("gcc", "g++", "cc") and user.id != "0"] by process.args
  [file where host.os.type == "linux" and event.action == "creation" and event.type == "creation" and
   process.name == "ld" and user.id != "0"] by file.name
  [process where host.os.type == "linux" and event.action == "exec" and event.type == "start" and
   user.id != "0"] by process.name
  [process where host.os.type == "linux" and event.action in ("uid_change", "guid_change") and event.type == "change" and
   user.id == "0"] by process.name

Framework: MITRE ATT&CKTM