Unusual Pkexec Execution
This rule detects the execution of the pkexec
command by a shell process. The pkexec
command is used to
execute programs as another user, typically as the superuser. Through the new_terms
rule type, unusual
executions of pkexec
are identified, and may indicate an attempt to escalate privileges or perform
unauthorized actions on the system.
Elastic rule (View on GitHub)
1[metadata]
2creation_date = "2025/01/16"
3integration = ["endpoint", "crowdstrike", "sentinel_one_cloud_funnel"]
4maturity = "production"
5updated_date = "2025/01/23"
6min_stack_version = "8.13.0"
7min_stack_comments = "Breaking change at 8.13.0 for SentinelOne Integration."
8
9[rule]
10author = ["Elastic"]
11description = """
12This rule detects the execution of the `pkexec` command by a shell process. The `pkexec` command is used to
13execute programs as another user, typically as the superuser. Through the `new_terms` rule type, unusual
14executions of `pkexec` are identified, and may indicate an attempt to escalate privileges or perform
15unauthorized actions on the system.
16"""
17from = "now-9m"
18index = ["logs-endpoint.events.process*", "endgame-*", "logs-crowdstrike.fdr*", "logs-sentinel_one_cloud_funnel.*"]
19language = "kuery"
20license = "Elastic License v2"
21name = "Unusual Pkexec Execution"
22risk_score = 21
23rule_id = "3ca81a95-d5af-4b77-b0ad-b02bc746f640"
24setup = """## Setup
25
26This rule requires data coming in from one of the following integrations:
27- Elastic Defend
28
29### Elastic Defend Integration Setup
30Elastic Defend is integrated into the Elastic Agent using Fleet. Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app.
31
32#### Prerequisite Requirements:
33- Fleet is required for Elastic Defend.
34- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).
35
36#### The following steps should be executed in order to add the Elastic Defend integration on a Linux System:
37- Go to the Kibana home page and click "Add integrations".
38- In the query bar, search for "Elastic Defend" and select the integration to see more details about it.
39- Click "Add Elastic Defend".
40- Configure the integration name and optionally add a description.
41- Select the type of environment you want to protect, either "Traditional Endpoints" or "Cloud Workloads".
42- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).
43- We suggest selecting "Complete EDR (Endpoint Detection and Response)" as a configuration setting, that provides "All events; all preventions"
44- Enter a name for the agent policy in "New agent policy name". If other agent policies already exist, you can click the "Existing hosts" tab and select an existing policy instead.
45For more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/8.10/agent-policy.html).
46- Click "Save and Continue".
47- To complete the integration, select "Add Elastic Agent to your hosts" and continue to the next section to install the Elastic Agent on your hosts.
48For more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).
49
50### Auditbeat Setup
51Auditbeat is a lightweight shipper that you can install on your servers to audit the activities of users and processes on your systems. For example, you can use Auditbeat to collect and centralize audit events from the Linux Audit Framework. You can also use Auditbeat to detect changes to critical files, like binaries and configuration files, and identify potential security policy violations.
52
53#### The following steps should be executed in order to add the Auditbeat on a Linux System:
54- Elastic provides repositories available for APT and YUM-based distributions. Note that we provide binary packages, but no source packages.
55- To install the APT and YUM repositories follow the setup instructions in this [helper guide](https://www.elastic.co/guide/en/beats/auditbeat/current/setup-repositories.html).
56- To run Auditbeat on Docker follow the setup instructions in the [helper guide](https://www.elastic.co/guide/en/beats/auditbeat/current/running-on-docker.html).
57- To run Auditbeat on Kubernetes follow the setup instructions in the [helper guide](https://www.elastic.co/guide/en/beats/auditbeat/current/running-on-kubernetes.html).
58- For complete “Setup and Run Auditbeat” information refer to the [helper guide](https://www.elastic.co/guide/en/beats/auditbeat/current/setting-up-and-running.html).
59"""
60severity = "low"
61tags = [
62 "Domain: Endpoint",
63 "OS: Linux",
64 "Use Case: Threat Detection",
65 "Tactic: Execution",
66 "Tactic: Persistence",
67 "Data Source: Elastic Endgame",
68 "Data Source: Elastic Defend",
69 "Data Source: Crowdstrike",
70 "Data Source: SentinelOne",
71 "Resources: Investigation Guide",
72]
73timestamp_override = "event.ingested"
74type = "new_terms"
75query = '''
76event.category:process and host.os.type:linux and event.type:start and
77event.action:(exec or exec_event or start or ProcessRollup2) and process.name:pkexec and
78process.args:pkexec and process.parent.name:(bash or dash or sh or tcsh or csh or zsh or ksh or fish)
79'''
80note = """## Triage and analysis
81
82> **Disclaimer**:
83> This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs.
84
85### Investigating Unusual Pkexec Execution
86
87`Pkexec` is a command-line utility in Linux environments that allows users to execute commands as another user, often with elevated privileges. Adversaries may exploit `pkexec` to escalate privileges or execute unauthorized actions by invoking it through shell processes. The detection rule identifies atypical `pkexec` executions initiated by common shell interpreters, flagging potential misuse by monitoring specific process attributes and execution patterns.
88
89### Possible investigation steps
90
91- Review the process tree to understand the context of the pkexec execution, focusing on the parent process names such as bash, dash, sh, tcsh, csh, zsh, ksh, or fish, as these are indicative of shell-based invocations.
92- Examine the command-line arguments passed to pkexec to determine the intended action and assess whether it aligns with expected administrative tasks or appears suspicious.
93- Check the user account associated with the pkexec execution to verify if the account has legitimate reasons to perform such actions, and investigate any anomalies in user behavior or account activity.
94- Investigate the timing and frequency of the pkexec executions to identify patterns or correlations with other suspicious activities or known attack timelines.
95- Cross-reference the alert with other security logs and alerts from data sources like Elastic Endgame, Elastic Defend, Crowdstrike, or SentinelOne to gather additional context and corroborate findings.
96- Assess the system's current state for signs of compromise, such as unauthorized changes, unexpected network connections, or the presence of known malicious files or processes.
97
98### False positive analysis
99
100- Routine administrative tasks: System administrators may use pkexec for legitimate purposes, such as performing maintenance tasks. To handle this, create exceptions for known administrator accounts or specific maintenance scripts that regularly invoke pkexec.
101- Automated scripts: Some automated scripts or cron jobs might use pkexec to perform scheduled tasks. Identify these scripts and exclude their specific process names or paths from the rule to prevent false alerts.
102- Software updates: Certain software update processes might use pkexec to apply patches or updates. Monitor and document these processes, then configure exceptions for recognized update mechanisms.
103- Development environments: Developers might use pkexec during testing or development. Establish a list of development machines or user accounts and exclude them from the rule to reduce noise.
104- Custom user applications: Users may have custom applications that require pkexec for legitimate functionality. Review these applications and whitelist their specific execution patterns to avoid unnecessary alerts.
105
106### Response and remediation
107
108- Immediately isolate the affected system from the network to prevent potential lateral movement by the adversary.
109- Terminate any suspicious `pkexec` processes identified by the alert to halt unauthorized actions or privilege escalation attempts.
110- Review and analyze the parent shell process and its command history to understand the context and origin of the `pkexec` execution.
111- Reset credentials and review permissions for the user accounts involved to mitigate any unauthorized access or privilege escalation.
112- Conduct a thorough scan of the affected system for additional indicators of compromise or persistence mechanisms that may have been deployed.
113- Escalate the incident to the security operations team for further investigation and to determine if additional systems are affected.
114- Update and enhance monitoring rules to detect similar `pkexec` misuse attempts in the future, ensuring comprehensive coverage of shell processes and privilege escalation activities."""
115
116[[rule.threat]]
117framework = "MITRE ATT&CK"
118
119[[rule.threat.technique]]
120id = "T1059"
121name = "Command and Scripting Interpreter"
122reference = "https://attack.mitre.org/techniques/T1059/"
123
124[rule.threat.tactic]
125id = "TA0002"
126name = "Execution"
127reference = "https://attack.mitre.org/tactics/TA0002/"
128
129[[rule.threat]]
130framework = "MITRE ATT&CK"
131
132[[rule.threat.technique]]
133id = "T1543"
134name = "Create or Modify System Process"
135reference = "https://attack.mitre.org/techniques/T1543/"
136
137[rule.threat.tactic]
138id = "TA0003"
139name = "Persistence"
140reference = "https://attack.mitre.org/tactics/TA0003/"
141
142[rule.new_terms]
143field = "new_terms_fields"
144value = ["process.parent.command_line"]
145
146[[rule.new_terms.history_window_start]]
147field = "history_window_start"
148value = "now-14d"
Triage and analysis
Disclaimer: This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs.
Investigating Unusual Pkexec Execution
Pkexec
is a command-line utility in Linux environments that allows users to execute commands as another user, often with elevated privileges. Adversaries may exploit pkexec
to escalate privileges or execute unauthorized actions by invoking it through shell processes. The detection rule identifies atypical pkexec
executions initiated by common shell interpreters, flagging potential misuse by monitoring specific process attributes and execution patterns.
Possible investigation steps
- Review the process tree to understand the context of the pkexec execution, focusing on the parent process names such as bash, dash, sh, tcsh, csh, zsh, ksh, or fish, as these are indicative of shell-based invocations.
- Examine the command-line arguments passed to pkexec to determine the intended action and assess whether it aligns with expected administrative tasks or appears suspicious.
- Check the user account associated with the pkexec execution to verify if the account has legitimate reasons to perform such actions, and investigate any anomalies in user behavior or account activity.
- Investigate the timing and frequency of the pkexec executions to identify patterns or correlations with other suspicious activities or known attack timelines.
- Cross-reference the alert with other security logs and alerts from data sources like Elastic Endgame, Elastic Defend, Crowdstrike, or SentinelOne to gather additional context and corroborate findings.
- Assess the system's current state for signs of compromise, such as unauthorized changes, unexpected network connections, or the presence of known malicious files or processes.
False positive analysis
- Routine administrative tasks: System administrators may use pkexec for legitimate purposes, such as performing maintenance tasks. To handle this, create exceptions for known administrator accounts or specific maintenance scripts that regularly invoke pkexec.
- Automated scripts: Some automated scripts or cron jobs might use pkexec to perform scheduled tasks. Identify these scripts and exclude their specific process names or paths from the rule to prevent false alerts.
- Software updates: Certain software update processes might use pkexec to apply patches or updates. Monitor and document these processes, then configure exceptions for recognized update mechanisms.
- Development environments: Developers might use pkexec during testing or development. Establish a list of development machines or user accounts and exclude them from the rule to reduce noise.
- Custom user applications: Users may have custom applications that require pkexec for legitimate functionality. Review these applications and whitelist their specific execution patterns to avoid unnecessary alerts.
Response and remediation
- Immediately isolate the affected system from the network to prevent potential lateral movement by the adversary.
- Terminate any suspicious
pkexec
processes identified by the alert to halt unauthorized actions or privilege escalation attempts. - Review and analyze the parent shell process and its command history to understand the context and origin of the
pkexec
execution. - Reset credentials and review permissions for the user accounts involved to mitigate any unauthorized access or privilege escalation.
- Conduct a thorough scan of the affected system for additional indicators of compromise or persistence mechanisms that may have been deployed.
- Escalate the incident to the security operations team for further investigation and to determine if additional systems are affected.
- Update and enhance monitoring rules to detect similar
pkexec
misuse attempts in the future, ensuring comprehensive coverage of shell processes and privilege escalation activities.
Related rules
- Manual Dracut Execution
- Git Hook Child Process
- Simple HTTP Web Server Creation
- Boot File Copy
- Dracut Module Creation