Potential Privilege Escalation via PKEXEC

  1[metadata]
  2creation_date = "2022/01/26"
  3integration = ["endpoint", "sentinel_one_cloud_funnel"]
  4maturity = "production"
  5updated_date = "2025/03/20"
  6
  7[rule]
  8author = ["Elastic"]
  9description = """
 10Identifies an attempt to exploit a local privilege escalation in polkit pkexec (CVE-2021-4034) via unsecure environment
 11variable injection. Successful exploitation allows an unprivileged user to escalate to the root user.
 12"""
 13from = "now-9m"
 14index = ["endgame-*", "logs-endpoint.events.file*", "logs-sentinel_one_cloud_funnel.*"]
 15language = "eql"
 16license = "Elastic License v2"
 17name = "Potential Privilege Escalation via PKEXEC"
 18note = """## Triage and analysis
 19
 20> **Disclaimer**:
 21> This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs.
 22
 23### Investigating Potential Privilege Escalation via PKEXEC
 24
 25Polkit's pkexec is a command-line utility that allows an authorized user to execute commands as another user, typically root, in Linux environments. Adversaries exploit vulnerabilities like CVE-2021-4034 by injecting unsecure environment variables, enabling unauthorized privilege escalation. The detection rule identifies suspicious file paths indicative of such exploitation attempts, focusing on environment variable manipulation to preemptively flag potential threats.
 26
 27### Possible investigation steps
 28
 29- Review the alert details to confirm the presence of the file path pattern "/*GCONV_PATH*" on a Linux host, as this is indicative of the potential exploitation attempt.
 30- Examine the process execution history on the affected host to identify any instances of pkexec being executed around the time of the alert. Look for unusual or unauthorized command executions.
 31- Check the environment variables set during the pkexec execution to identify any suspicious or unauthorized modifications that could indicate an exploitation attempt.
 32- Investigate the user account associated with the alert to determine if it has a history of privilege escalation attempts or other suspicious activities.
 33- Analyze system logs and security events for any additional indicators of compromise or related suspicious activities that occurred before or after the alert.
 34- Assess the patch status of the affected system to determine if it is vulnerable to CVE-2021-4034 and ensure that appropriate security updates have been applied.
 35
 36### False positive analysis
 37
 38- Routine administrative tasks involving pkexec may trigger alerts if they involve environment variable manipulation. Review the context of the command execution to determine if it aligns with expected administrative behavior.
 39- Custom scripts or applications that legitimately use environment variables in their execution paths might be flagged. Identify these scripts and consider adding them to an exception list if they are verified as non-threatening.
 40- Automated system management tools that modify environment variables for legitimate purposes could cause false positives. Monitor these tools and exclude their known safe operations from the detection rule.
 41- Development environments where developers frequently test applications with varying environment variables might generate alerts. Establish a baseline of normal activity and exclude these patterns if they are consistent and verified as safe.
 42- Scheduled tasks or cron jobs that involve environment variable changes should be reviewed. If they are part of regular system maintenance, document and exclude them from triggering alerts.
 43
 44### Response and remediation
 45
 46- Immediately isolate the affected system from the network to prevent further exploitation or lateral movement by the attacker.
 47- Terminate any suspicious processes associated with pkexec or unauthorized privilege escalation attempts to halt ongoing exploitation.
 48- Conduct a thorough review of system logs and file access records to identify any unauthorized changes or access patterns, focusing on the presence of GCONV_PATH in file paths.
 49- Revert any unauthorized changes made by the attacker, such as modifications to critical system files or configurations, to restore system integrity.
 50- Apply the latest security patches and updates to the polkit package to address CVE-2021-4034 and prevent future exploitation.
 51- Implement enhanced monitoring and alerting for similar privilege escalation attempts, ensuring that any future attempts are detected and responded to promptly.
 52- Report the incident to relevant internal security teams and, if necessary, escalate to external authorities or cybersecurity partners for further investigation and support."""
 53references = ["https://seclists.org/oss-sec/2022/q1/80", "https://haxx.in/files/blasty-vs-pkexec.c"]
 54risk_score = 73
 55rule_id = "8da41fc9-7735-4b24-9cc6-c78dfc9fc9c9"
 56setup = """## Setup
 57
 58This rule requires data coming in from Elastic Defend.
 59
 60### Elastic Defend Integration Setup
 61Elastic Defend is integrated into the Elastic Agent using Fleet. Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app.
 62
 63#### Prerequisite Requirements:
 64- Fleet is required for Elastic Defend.
 65- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).
 66
 67#### The following steps should be executed in order to add the Elastic Defend integration on a Linux System:
 68- Go to the Kibana home page and click "Add integrations".
 69- In the query bar, search for "Elastic Defend" and select the integration to see more details about it.
 70- Click "Add Elastic Defend".
 71- Configure the integration name and optionally add a description.
 72- Select the type of environment you want to protect, either "Traditional Endpoints" or "Cloud Workloads".
 73- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).
 74- We suggest selecting "Complete EDR (Endpoint Detection and Response)" as a configuration setting, that provides "All events; all preventions"
 75- Enter a name for the agent policy in "New agent policy name". If other agent policies already exist, you can click the "Existing hosts" tab and select an existing policy instead.
 76For more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/8.10/agent-policy.html).
 77- Click "Save and Continue".
 78- To complete the integration, select "Add Elastic Agent to your hosts" and continue to the next section to install the Elastic Agent on your hosts.
 79For more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).
 80"""
 81severity = "high"
 82tags = [
 83    "Domain: Endpoint",
 84    "OS: Linux",
 85    "Use Case: Threat Detection",
 86    "Tactic: Privilege Escalation",
 87    "Data Source: Elastic Endgame",
 88    "Use Case: Vulnerability",
 89    "Data Source: Elastic Defend",
 90    "Data Source: SentinelOne",
 91    "Resources: Investigation Guide",
 92]
 93timestamp_override = "event.ingested"
 94type = "eql"
 95
 96query = '''
 97file where host.os.type == "linux" and file.path : "/*GCONV_PATH*"
 98'''
 99
100
101[[rule.threat]]
102framework = "MITRE ATT&CK"
103[[rule.threat.technique]]
104id = "T1068"
105name = "Exploitation for Privilege Escalation"
106reference = "https://attack.mitre.org/techniques/T1068/"
107
108
109[rule.threat.tactic]
110id = "TA0004"
111name = "Privilege Escalation"
112reference = "https://attack.mitre.org/tactics/TA0004/"
113[[rule.threat]]
114framework = "MITRE ATT&CK"
115[[rule.threat.technique]]
116id = "T1574"
117name = "Hijack Execution Flow"
118reference = "https://attack.mitre.org/techniques/T1574/"
119[[rule.threat.technique.subtechnique]]
120id = "T1574.007"
121name = "Path Interception by PATH Environment Variable"
122reference = "https://attack.mitre.org/techniques/T1574/007/"
123
124
125
126[rule.threat.tactic]
127id = "TA0005"
128name = "Defense Evasion"
129reference = "https://attack.mitre.org/tactics/TA0005/"