Potential Privilege Escalation via SUID/SGID
Detects potential privilege escalation under the root effective user when the real user and parent user are not root, indicative of the execution of binaries with SUID or SGID bits set.
Elastic rule (View on GitHub)
[metadata]
creation_date = "2026/05/18"
integration = ["endpoint"]
maturity = "production"
updated_date = "2026/05/18"

[rule]
author = ["Elastic"]
description = """
Detects potential privilege escalation under the root effective user when the real user and parent user are not
root, indicative of the execution of binaries with SUID or SGID bits set.
"""
false_positives = [
    """
    Some automation or break-glass tooling may invoke SUID binaries from scripts under /home; validate parent identity and
    change tickets before escalating.
    """,
]
from = "now-6m"
index = ["logs-endpoint.events.process*"]
language = "eql"
license = "Elastic License v2"
name = "Potential Privilege Escalation via SUID/SGID"
note = """## Triage and analysis

### Investigating Potential Privilege Escalation via SUID/SGID

Adversaries exploit misconfigured SUID/SGID binaries to gain elevated access or persistence. This rule identifies processes running with root privileges but initiated by non-root users, flagging potential misuse of SUID/SGID permissions.

### Possible investigation steps

- Inspect `process.parent.command_line` and working directory for obfuscation or one-liners.
- Check authentication and sudoers policy for the user.
- Pivot on the host for additional privilege escalation or persistence in the same session.

### Response and remediation

- If unauthorized, contain the session, revoke elevated access, and review sudoers and polkit policy for tampering.
"""
references = [
    "https://attack.mitre.org/techniques/T1548/",
]
risk_score = 73
rule_id = "769a2e72-11bd-437b-9503-e51e7790d273"
severity = "high"
tags = [
    "Data Source: Elastic Defend",
    "Domain: Endpoint",
    "OS: Linux",
    "Use Case: Threat Detection",
    "Tactic: Privilege Escalation",
    "Resources: Investigation Guide",
]
timestamp_override = "event.ingested"
type = "eql"
query = '''
process where host.os.type == "linux" and event.type == "start" and event.action == "exec" and (
  (process.user.id == "0" and process.real_user.id != "0" and process.parent.user.id != "0") or
  (process.group.id == "0" and process.real_group.id != "0" and process.parent.group.id != "0")
) and
(
  startsWith(process.executable, process.command_line) or
  startsWith(process.name, process.command_line)
) and
(
  process.parent.name like (".*", "python*", "perl*", "ruby*", "lua*", "php*", "node", "deno", "bun", "java") or
  process.parent.executable like ("./*", "/tmp/*", "/var/tmp/*", "/dev/shm/*", "/run/user/*", "/var/run/user/*", "/home/*/*") or
  (
    process.parent.name in ("bash", "dash", "sh", "tcsh", "csh", "zsh", "ksh", "fish", "mksh") and
    process.parent.args in ("-c", "-cl", "-lc", "--command", "-ic", "-ci", "-bash", "-sh", "-zsh", "-dash", "-fish", "-ksh", "-mksh") and
    process.parent.args_count <= 4
  )
)
'''

[[rule.threat]]
framework = "MITRE ATT&CK"

[[rule.threat.technique]]
id = "T1548"
name = "Abuse Elevation Control Mechanism"
reference = "https://attack.mitre.org/techniques/T1548/"

[[rule.threat.technique.subtechnique]]
id = "T1548.001"
name = "Setuid and Setgid"
reference = "https://attack.mitre.org/techniques/T1548/001/"

[[rule.threat.technique.subtechnique]]
id = "T1548.003"
name = "Sudo and Sudo Caching"
reference = "https://attack.mitre.org/techniques/T1548/003/"

[rule.threat.tactic]
id = "TA0004"
name = "Privilege Escalation"
reference = "https://attack.mitre.org/tactics/TA0004/"
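To make the query's clauses concrete, the Python below is an added illustration (not part of the Elastic rule or its repository) that re-implements each predicate and runs it over constructed ECS-style process events: an effective uid of 0 with a non-root real uid and parent uid, a command line that is only the executable (no arguments), and a parent that is an interpreter, a shell one-liner, or a binary in a user-writable directory. The `helper` binary path, the `alice` home directory and the uid/gid values are made-up sample data.

```python
import fnmatch

INTERPRETERS = (".*", "python*", "perl*", "ruby*", "lua*", "php*", "node", "deno", "bun", "java")
STAGING_DIRS = ("./*", "/tmp/*", "/var/tmp/*", "/dev/shm/*", "/run/user/*", "/var/run/user/*", "/home/*/*")
SHELLS = {"bash", "dash", "sh", "tcsh", "csh", "zsh", "ksh", "fish", "mksh"}
SHELL_FLAGS = {"-c", "-cl", "-lc", "--command", "-ic", "-ci", "-bash", "-sh", "-zsh", "-dash", "-fish", "-ksh", "-mksh"}

def field(ev, path, default=None):
    """Walk a dotted ECS field name such as 'process.parent.user.id' through a nested event dict."""
    for key in path.split("."):
        ev = ev.get(key) if isinstance(ev, dict) else None
    return default if ev is None else ev

def like(value, patterns):
    """EQL `like`: glob wildcards, case-sensitive (the rule does not use `like~`)."""
    return value is not None and any(fnmatch.fnmatchcase(value, p) for p in patterns)

def matches_rule(ev):
    """Evaluate the rule's EQL clauses in order; True means the event would alert."""
    if (field(ev, "host.os.type"), field(ev, "event.type"), field(ev, "event.action")) != ("linux", "start", "exec"):
        return False
    not_root = lambda path: field(ev, path) not in (None, "0")  # EQL `!= "0"` is false when the field is absent
    # Effective uid or gid is root while the real id and the parent's id are not: a SUID/SGID transition.
    uid_jump = field(ev, "process.user.id") == "0" and not_root("process.real_user.id") and not_root("process.parent.user.id")
    gid_jump = field(ev, "process.group.id") == "0" and not_root("process.real_group.id") and not_root("process.parent.group.id")
    if not (uid_jump or gid_jump):
        return False
    # startsWith(exe, cmd): the whole command line is a prefix of the path or bare name, i.e. no arguments were passed.
    cmd = field(ev, "process.command_line")
    if cmd is None or not (field(ev, "process.executable", "").startswith(cmd) or field(ev, "process.name", "").startswith(cmd)):
        return False
    pname, pargs = field(ev, "process.parent.name"), field(ev, "process.parent.args", [])
    shell_oneliner = pname in SHELLS and any(a in SHELL_FLAGS for a in pargs) and field(ev, "process.parent.args_count", 0) <= 4
    return like(pname, INTERPRETERS) or like(field(ev, "process.parent.executable"), STAGING_DIRS) or shell_oneliner

def event(cmd, exe, parent_exe, parent_args, ruid="1000", puid="1000"):
    """Constructed ECS-shaped exec event (sample data, not a real capture); the effective uid is always 0."""
    return {"host": {"os": {"type": "linux"}}, "event": {"type": "start", "action": "exec"},
            "process": {"command_line": cmd, "executable": exe, "name": exe.rsplit("/", 1)[-1], "user": {"id": "0"},
                        "real_user": {"id": ruid}, "group": {"id": "100"}, "real_group": {"id": "100"},
                        "parent": {"name": parent_exe.rsplit("/", 1)[-1], "executable": parent_exe, "args": parent_args,
                                   "args_count": len(parent_args), "user": {"id": puid}, "group": {"id": "100"}}}}

SAMPLES = {  # constructed events: the first two alert, the other two each fall through one exclusion
    "bash_c_no_args": event("/usr/local/bin/helper", "/usr/local/bin/helper", "/usr/bin/bash", ["bash", "-c", "/usr/local/bin/helper"]),
    "python_parent": event("helper", "/usr/local/bin/helper", "/usr/bin/python3", ["python3", "/home/alice/tool.py"]),
    "interactive_passwd": event("passwd", "/usr/bin/passwd", "/usr/bin/bash", ["bash"]),
    "bash_c_with_args": event("/usr/local/bin/helper -v", "/usr/local/bin/helper", "/usr/bin/bash", ["bash", "-c", "/usr/local/bin/helper -v"]),
}
```

Running `matches_rule` over `SAMPLES` shows why an interactive `passwd` from a login shell is not flagged while the same SUID transition launched by a `bash -c` one-liner or a Python parent is, and why passing arguments to the binary bypasses the `startsWith` clause.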
References
- https://attack.mitre.org/techniques/T1548/
Related rules
- Suspicious SUID Binary Execution
- Kubernetes Static Pod Manifest File Access
- Potential Privilege Escalation via unshare and UID Change
- Chroot Execution in Container Context on Linux
- Potential Chroot Container Escape via Mount