Suspicious SUID Binary Execution

Detects execution of common privilege elevation helpers (su, sudo, pkexec, passwd, chsh, newgrp) under the root effective user when the real user and parent user are not root, combined with minimal argument counts and suspicious parent context (interpreters, short shell -c invocations, or parents running from user-writable paths).

Elastic rule

[metadata]
creation_date = "2026/04/30"
integration = ["endpoint"]
maturity = "production"
updated_date = "2026/04/30"

[rule]
author = ["Elastic"]
description = """
Detects execution of common privilege elevation helpers (su, sudo, pkexec, passwd, chsh, newgrp) under the root
effective user when the real user and parent user are not root, combined with minimal argument counts and suspicious
parent context (interpreters, short shell -c invocations, or parents running from user-writable paths).
"""
false_positives = [
    """
    Some automation or break-glass tooling may invoke sudo or su from scripts under /home; validate parent identity and
    change tickets before escalating.
    """,
]
from = "now-6m"
index = ["logs-endpoint.events.process*"]
language = "kuery"
license = "Elastic License v2"
name = "Suspicious SUID Binary Execution"
note = """## Triage and analysis

### Investigating Suspicious SUID Binary Execution

Confirm whether the non-root real user should be invoking su, sudo, pkexec, or account utilities as root. Review the
parent process tree, script path, and any preceding download or decode activity.

### Possible investigation steps

- Inspect `process.parent.command_line` and working directory for obfuscation or one-liners.
- Check authentication and sudoers policy for the user.
- Pivot on the host for additional privilege escalation or persistence in the same session.

### Response and remediation

- If unauthorized, contain the session, revoke elevated access, and review sudoers and polkit policy for tampering.
"""
references = [
    "https://attack.mitre.org/techniques/T1548/",
]
risk_score = 73
rule_id = "e7856173-6489-449f-80ec-c1f5fcd7b87c"
severity = "high"
tags = [
    "Data Source: Elastic Defend",
    "Domain: Endpoint",
    "OS: Linux",
    "Use Case: Threat Detection",
    "Tactic: Privilege Escalation",
    "Resources: Investigation Guide",
]
timestamp_override = "event.ingested"
type = "query"
query = '''
host.os.type:linux and event.category:process and event.action:"exec" and
process.name:("su" or "sudo" or "pkexec" or "passwd" or "chsh" or "newgrp") and
process.user.id:"0" and not process.real_user.id:"0" and
not process.parent.user.id:"0" and
(
  (process.name:("sudo" or "pkexec") and process.args_count:1) or
  (process.name:("su" or "passwd" or "chsh" or "newgrp") and process.args_count <= 2)
) and
(
  process.parent.name:(python* or perl* or ruby* or node or bun or java or php* or lua* or .*) or
  process.parent.executable:(/tmp/* or /var/tmp/* or /dev/shm/* or /home/* or /run/user/*) or
  (process.parent.name:(bash or sh or zsh or dash or fish or ksh) and
   (process.parent.command_line: (-bash or -sh or -zsh or -dash or -fish or -ksh) or
   (process.parent.args:("-c" or "--command" or "-ic" or "-ci") and process.parent.args_count <= 4)))
)
'''

[[rule.threat]]
framework = "MITRE ATT&CK"

[[rule.threat.technique]]
id = "T1548"
name = "Abuse Elevation Control Mechanism"
reference = "https://attack.mitre.org/techniques/T1548/"

[[rule.threat.technique.subtechnique]]
id = "T1548.001"
name = "Setuid and Setgid"
reference = "https://attack.mitre.org/techniques/T1548/001/"

[[rule.threat.technique.subtechnique]]
id = "T1548.003"
name = "Sudo and Sudo Caching"
reference = "https://attack.mitre.org/techniques/T1548/003/"


[rule.threat.tactic]
id = "TA0004"
name = "Privilege Escalation"
reference = "https://attack.mitre.org/tactics/TA0004/"
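To see which events the query above would surface, the following Python re-implements its clauses and runs them over constructed ECS-style process events. This is an added example, not Elastic's code; the login-shell clause is approximated as an exact match on process.parent.command_line, and the sample events are constructed, not real telemetry.

```python
from fnmatch import fnmatchcase
HELPERS = {"su", "sudo", "pkexec", "passwd", "chsh", "newgrp"}
INTERPRETERS = ("python*", "perl*", "ruby*", "node", "bun", "java", "php*", "lua*", ".*")
WRITABLE_PATHS = ("/tmp/*", "/var/tmp/*", "/dev/shm/*", "/home/*", "/run/user/*")
SHELLS = {"bash", "sh", "zsh", "dash", "fish", "ksh"}
LOGIN_SHELLS = {"-" + s for s in SHELLS}  # approximates command_line:(-bash or -sh ...)
CMD_FLAGS = {"-c", "--command", "-ic", "-ci"}

def get(ev, path, default=None):
    """Resolve a dotted ECS field name such as process.parent.user.id in a nested dict."""
    for key in path.split("."):
        if not isinstance(ev, dict) or key not in ev:
            return default
        ev = ev[key]
    return ev

def matches(ev):
    """True when the event satisfies every clause of the rule's KQL query."""
    if (get(ev, "host.os.type"), get(ev, "event.category"), get(ev, "event.action")) != ("linux", "process", "exec"):
        return False
    name = get(ev, "process.name")
    # Effective uid 0 while neither the real user nor the parent process is root.
    if (name not in HELPERS or get(ev, "process.user.id") != "0"
            or get(ev, "process.real_user.id") == "0" or get(ev, "process.parent.user.id") == "0"):
        return False
    # sudo/pkexec must have exactly one arg (args_count is never below 1); the others at most two.
    if get(ev, "process.args_count", 99) > (1 if name in {"sudo", "pkexec"} else 2):
        return False
    pname = get(ev, "process.parent.name", "")
    interpreter = any(fnmatchcase(pname, p) for p in INTERPRETERS)
    writable = any(fnmatchcase(get(ev, "process.parent.executable", ""), p) for p in WRITABLE_PATHS)
    shell = pname in SHELLS and (get(ev, "process.parent.command_line") in LOGIN_SHELLS or (
        set(get(ev, "process.parent.args", [])) & CMD_FLAGS and get(ev, "process.parent.args_count", 99) <= 4))
    return bool(interpreter or writable or shell)

def event(name, argc, parent):
    """Constructed ECS-style exec event (not real telemetry): effective uid 0, real and parent uid 1000."""
    return {"host": {"os": {"type": "linux"}}, "event": {"category": "process", "action": "exec"},
            "process": {"name": name, "args_count": argc, "user": {"id": "0"},
                        "real_user": {"id": "1000"}, "parent": {"user": {"id": "1000"}, **parent}}}

# Bare sudo spawned by a short `bash -c` one-liner: fires on the shell clause.
ONE_LINER = event("sudo", 1, {"name": "bash", "executable": "/usr/bin/bash", "args": ["bash", "-c", "sudo"],
                              "args_count": 3, "command_line": "bash -c sudo"})
# Bare su spawned by a Python script: fires on the interpreter clause.
FROM_PYTHON = event("su", 1, {"name": "python3", "executable": "/usr/bin/python3",
                              "args": ["python3", "deploy.py"], "args_count": 2, "command_line": "python3 deploy.py"})
# Administrator running `sudo systemctl restart nginx` from an interactive shell: too many args, no match.
ADMIN = event("sudo", 4, {"name": "bash", "executable": "/usr/bin/bash", "args": ["bash"],
                          "args_count": 1, "command_line": "bash"})

if __name__ == "__main__":
    for label, ev in (("one-liner", ONE_LINER), ("from-python", FROM_PYTHON), ("admin", ADMIN)):
        print(f"{label}: {'ALERT' if matches(ev) else 'no match'}")
```

Feeding real exported alerts through matches() is a quick way to confirm which clause (interpreter, user-writable parent path, or short shell invocation) fired before tuning the false-positive exceptions.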

Triage and analysis

Investigating Suspicious SUID Binary Execution

Confirm whether the non-root real user should be invoking su, sudo, pkexec, or account utilities as root. Review the parent process tree, script path, and any preceding download or decode activity.

Possible investigation steps

  • Inspect process.parent.command_line and working directory for obfuscation or one-liners.
  • Check authentication and sudoers policy for the user.
  • Pivot on the host for additional privilege escalation or persistence in the same session.

Response and remediation

  • If unauthorized, contain the session, revoke elevated access, and review sudoers and polkit policy for tampering.
