IMPORTANT: No additional bug fixes or documentation updates
will be released for this version. For the latest information, see the
current release documentation.
Potential Privilege Escalation via Recently Compiled Executable
editPotential Privilege Escalation via Recently Compiled Executable
editThis rule monitors a sequence involving a program compilation event followed by its execution and a subsequent alteration of UID permissions to root privileges. This behavior can potentially indicate the execution of a kernel or software privilege escalation exploit.
Rule type: eql
Rule indices:
- logs-endpoint.events.*
Severity: medium
Risk score: 47
Runs every: 5m
Searches indices from: now-9m (Date Math format, see also Additional look-back time
)
Maximum alerts per execution: 100
References: None
Tags:
- Domain: Endpoint
- OS: Linux
- Use Case: Threat Detection
- Tactic: Privilege Escalation
- Use Case: Vulnerability
- Data Source: Elastic Defend
Version: 1
Rule authors:
- Elastic
Rule license: Elastic License v2
Rule query
editsequence by host.id with maxspan=1m [process where host.os.type == "linux" and event.action == "exec" and event.type == "start" and process.name in ("gcc", "g++", "cc") and user.id != "0"] by process.args [file where host.os.type == "linux" and event.action == "creation" and event.type == "creation" and process.name == "ld" and user.id != "0"] by file.name [process where host.os.type == "linux" and event.action == "exec" and event.type == "start" and user.id != "0"] by process.name [process where host.os.type == "linux" and event.action in ("uid_change", "guid_change") and event.type == "change" and user.id == "0"] by process.name
Framework: MITRE ATT&CKTM
-
Tactic:
- Name: Privilege Escalation
- ID: TA0004
- Reference URL: https://attack.mitre.org/tactics/TA0004/
-
Technique:
- Name: Exploitation for Privilege Escalation
- ID: T1068
- Reference URL: https://attack.mitre.org/techniques/T1068/