Suspicious SUID Binary Execution (Auditd Sequence)
Detects suspicious sequences where a non-root user launches a high-risk parent process (interpreter, shell one-liner, or execution from user-writable paths) and then quickly executes a common privilege elevation helper (su, sudo, pkexec, passwd, chsh, newgrp) that gains an effective UID of 0 while the real UID remains non-root. This can indicate misuse of SUID/SGID helpers, polkit/sudo abuse, or interactive privilege escalation attempts captured via Auditd Manager telemetry.
Elastic rule
[metadata]
creation_date = "2026/05/08"
integration = ["auditd_manager"]
maturity = "production"
updated_date = "2026/05/08"

[rule]
author = ["Elastic"]
description = """
Detects suspicious sequences where a non-root user launches a high-risk parent process (interpreter, shell one-liner, or
execution from user-writable paths) and then quickly executes a common privilege elevation helper (su, sudo, pkexec,
passwd, chsh, newgrp) that gains an effective UID of 0 while the real UID remains non-root. This can indicate misuse of
SUID/SGID helpers, polkit/sudo abuse, or interactive privilege escalation attempts captured via Auditd Manager telemetry.
"""
false_positives = [
    """
    Some break-glass workflows or automation may legitimately invoke sudo/su from scripts under user home directories.
    Validate the initiating user, parent context, and change approvals; tune by known admin tooling paths or accounts.
    """,
]
from = "now-9m"
index = ["auditbeat-*", "logs-auditd_manager.auditd-*"]
language = "eql"
license = "Elastic License v2"
name = "Suspicious SUID Binary Execution (Auditd Sequence)"
note = """## Triage and analysis

### Investigating Suspicious SUID Binary Execution (Auditd Sequence)

Confirm whether the non-root real user should be invoking su, sudo, pkexec, or account utilities as root. Review the
parent process chain and whether the parent executable location or shell invocation suggests a one-liner or staging
from user-writable paths.

### Possible investigation steps

- Review process details for script paths, temp directory execution, or suspicious interpreters.
- Check sudoers / polkit policy changes and recent authentication events for the user.
- Pivot for follow-on persistence (cron, systemd units) or credential access from the same session.

### Response and remediation

- If unauthorized, contain the session, revoke elevated access, and review sudoers and polkit configuration for tampering.
"""
references = [
    "https://attack.mitre.org/techniques/T1548/",
    "https://docs.elastic.co/integrations/auditd_manager",
]
risk_score = 47
rule_id = "50eba7ec-d3f0-474c-a7f4-0906b68e350f"
severity = "medium"
tags = [
    "Data Source: Auditd Manager",
    "Domain: Endpoint",
    "OS: Linux",
    "Use Case: Threat Detection",
    "Tactic: Privilege Escalation",
    "Resources: Investigation Guide",
]
timestamp_override = "event.ingested"
type = "eql"
query = '''
sequence by host.id with maxspan=30s
  [process where host.os.type == "linux" and event.type == "start" and
     event.action == "executed" and
     user.id != "0" and user.effective.id != "0" and
     (
       process.name like ("python*", "perl*", "ruby*", "php*", "lua*", ".*") or
       process.name in ("node", "bun", "java") or
       process.executable like ("/tmp/*", "/var/tmp/*", "/dev/shm/*", "/run/user/*", "/var/run/user/*", "/home/*/*") or
       (
         process.name in ("bash", "dash", "sh", "tcsh", "csh", "zsh", "ksh", "fish", "mksh") and
         process.args in ("-c", "--command", "-ic", "-ci", "-cl", "-lc")
       )
     )
  ] by process.pid

  [process where host.os.type == "linux" and event.type == "start" and
     event.action == "executed" and
     user.effective.id == "0" and user.id != "0" and
     (
       (process.name in ("sudo", "pkexec") and
        not process.args like "-*" and
        not process.args : ("/usr/*", "/bin/*", "/sbin/*", "/opt/*")) or
       (process.name == "su" and
        not process.args in ("--command", "-c", "--shell", "-s")) or
       (process.name in ("passwd", "chsh", "newgrp") and
        not process.args in ("--shell", "-s", "--help"))
     )
  ] by process.parent.pid
'''

[[rule.threat]]
framework = "MITRE ATT&CK"

[[rule.threat.technique]]
id = "T1548"
name = "Abuse Elevation Control Mechanism"
reference = "https://attack.mitre.org/techniques/T1548/"

[[rule.threat.technique.subtechnique]]
id = "T1548.001"
name = "Setuid and Setgid"
reference = "https://attack.mitre.org/techniques/T1548/001/"

[[rule.threat.technique.subtechnique]]
id = "T1548.003"
name = "Sudo and Sudo Caching"
reference = "https://attack.mitre.org/techniques/T1548/003/"

[rule.threat.tactic]
id = "TA0004"
name = "Privilege Escalation"
reference = "https://attack.mitre.org/tactics/TA0004/"
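As an added example that is not part of the Elastic rule or the detection-rules repository, the following Python script re-implements the two-stage EQL sequence above as plain correlation code and runs it over a few constructed Auditd Manager-style events laid out in the query's ECS field names. It assumes that `fnmatch` wildcards are an adequate stand-in for EQL `like` (case-sensitive) and `:` (case-insensitive) matching, and it simplifies EQL's sequence runtime to one pending stage-1 event per (host, pid) that is consumed by the first matching stage-2 child. The hosts, pids, timestamps and argument lists are constructed, not real telemetry.

```python
from datetime import datetime, timedelta
from fnmatch import fnmatchcase

MAXSPAN = timedelta(seconds=30)

# Stage 1 selectors from the rule: interpreter, hidden binary, user-writable path, or shell one-liner
INTERPRETER_GLOBS = ("python*", "perl*", "ruby*", "php*", "lua*", ".*")
INTERPRETER_NAMES = {"node", "bun", "java"}
USER_WRITABLE_GLOBS = ("/tmp/*", "/var/tmp/*", "/dev/shm/*", "/run/user/*",
                       "/var/run/user/*", "/home/*/*")
SHELLS = {"bash", "dash", "sh", "tcsh", "csh", "zsh", "ksh", "fish", "mksh"}
ONELINER_FLAGS = {"-c", "--command", "-ic", "-ci", "-cl", "-lc"}
# Stage 2 exclusions from the rule: flagged or system-path sudo/pkexec targets, scripted su/passwd/chsh/newgrp
SYSTEM_PATH_GLOBS = ("/usr/*", "/bin/*", "/sbin/*", "/opt/*")
SU_EXCLUDED = {"--command", "-c", "--shell", "-s"}
ACCOUNT_TOOL_EXCLUDED = {"--shell", "-s", "--help"}


def like_any(values, patterns, case_insensitive=False):
    """EQL array semantics: true if ANY element matches ANY wildcard pattern
    (`like` is case-sensitive, the `:` operator is case-insensitive)."""
    if case_insensitive:
        values, patterns = [v.lower() for v in values], [p.lower() for p in patterns]
    return any(fnmatchcase(v, p) for v in values for p in patterns)


def is_linux_exec(ev):
    return (ev["host.os.type"], ev["event.type"], ev["event.action"]) == ("linux", "start", "executed")


def is_risky_parent(ev):
    """Stage 1: real and effective uid both non-root, launched from a risky context."""
    if not is_linux_exec(ev) or "0" in (ev["user.id"], ev["user.effective.id"]):
        return False
    name, args = ev["process.name"], ev["process.args"]
    return (like_any([name], INTERPRETER_GLOBS) or name in INTERPRETER_NAMES
            or like_any([ev["process.executable"]], USER_WRITABLE_GLOBS)
            or (name in SHELLS and any(a in ONELINER_FLAGS for a in args)))


def is_elevation_helper(ev):
    """Stage 2: effective uid became 0 while the real uid is still non-root."""
    if not is_linux_exec(ev) or ev["user.effective.id"] != "0" or ev["user.id"] == "0":
        return False
    name, args = ev["process.name"], ev["process.args"]
    if name in ("sudo", "pkexec"):  # bare `sudo bash` style: no option flags, no system-path target
        return not like_any(args, ["-*"]) and not like_any(args, SYSTEM_PATH_GLOBS, True)
    if name == "su":
        return not any(a in SU_EXCLUDED for a in args)
    if name in ("passwd", "chsh", "newgrp"):
        return not any(a in ACCOUNT_TOOL_EXCLUDED for a in args)
    return False


def find_sequences(events):
    """Join stage-1 pid to stage-2 parent pid on the same host within MAXSPAN.
    Simplification of EQL's sequence runtime: one pending stage-1 per (host, pid),
    replaced by a newer one and consumed by the first matching stage-2 child."""
    pending, hits = {}, []
    for ev in sorted(events, key=lambda e: e["@timestamp"]):
        if is_risky_parent(ev):
            pending[(ev["host.id"], ev["process.pid"])] = ev
        elif is_elevation_helper(ev):
            key = (ev["host.id"], ev["process.parent.pid"])
            first = pending.get(key)
            if first is not None:
                gap = datetime.fromisoformat(ev["@timestamp"]) - datetime.fromisoformat(first["@timestamp"])
                if timedelta(0) <= gap <= MAXSPAN:
                    hits.append((first, ev))
                    del pending[key]
    return hits


def _ev(ts, host, name, exe, args, pid, ppid, uid, euid):
    """Constructed Auditd Manager-style process event in ECS field layout (not real telemetry)."""
    return {"@timestamp": ts, "host.id": host, "host.os.type": "linux", "event.type": "start",
            "event.action": "executed", "process.name": name, "process.executable": exe,
            "process.args": args, "process.pid": pid, "process.parent.pid": ppid,
            "user.id": uid, "user.effective.id": euid}


T = "2026-05-08T10:%02d:%02d+00:00"  # constructed timestamps, same day, minute:second varies
SAMPLE_EVENTS = [
    # host-a: shell one-liner, then `sudo bash` as its child 3 s later -> expected hit
    _ev(T % (0, 0), "host-a", "bash", "/usr/bin/bash", ["bash", "-c", "sudo bash"], 4242, 1200, "1000", "1000"),
    _ev(T % (0, 3), "host-a", "sudo", "/usr/bin/sudo", ["sudo", "bash"], 4250, 4242, "1000", "0"),
    # host-a: interpreter parent, but the child is `sudo /usr/bin/apt-get` -> excluded by the system-path filter
    _ev(T % (1, 0), "host-a", "python3", "/usr/bin/python3", ["python3", "deploy.py"], 6000, 1200, "1000", "1000"),
    _ev(T % (1, 5), "host-a", "sudo", "/usr/bin/sudo", ["sudo", "/usr/bin/apt-get", "update"], 6010, 6000, "1000", "0"),
    # host-b: script under a home directory, then `su` 45 s later -> outside maxspan
    _ev(T % (2, 0), "host-b", "tool.sh", "/home/bob/tool.sh", ["/home/bob/tool.sh"], 7000, 1300, "1001", "1001"),
    _ev(T % (2, 45), "host-b", "su", "/usr/bin/su", ["su"], 7010, 7000, "1001", "0"),
    # host-b: `sudo -i` under an editor -> neither stage matches (no risky parent, flag excluded)
    _ev(T % (3, 0), "host-b", "vim", "/usr/bin/vim", ["vim", "notes.txt"], 8000, 1300, "1001", "1001"),
    _ev(T % (3, 2), "host-b", "sudo", "/usr/bin/sudo", ["sudo", "-i"], 8010, 8000, "1001", "0"),
]

if __name__ == "__main__":
    for first, second in find_sequences(SAMPLE_EVENTS):
        print(f"{first['host.id']}: pid {first['process.pid']} [{' '.join(first['process.args'])}] -> "
              f"pid {second['process.pid']} [{' '.join(second['process.args'])}] "
              f"uid={second['user.id']} euid={second['user.effective.id']}")
```

Run as-is, the script reports only the host-a bash one-liner followed by `sudo bash`; the other three pairs each exercise one of the rule's filters (the system-path exclusion, the 30 s maxspan, and the `-*` flag exclusion) and produce no sequence, which is a quick way to see what the false-positive tuning in the rule actually removes before adjusting it for local admin tooling.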
Related rules
- Potential Privilege Escalation via unshare Followed by Root Process
- Potential Privilege Escalation in Container via Runc Init
- Nsenter to PID Namespace via Auditd
- Chroot Execution in Container Context on Linux
- Unusual Process Connection to Docker or Containerd Socket