Potential Privilege Escalation via Recently Compiled Executable
This rule monitors a sequence involving a program compilation event followed by its execution and a subsequent alteration of UID permissions to root privileges. This behavior can potentially indicate the execution of a kernel or software privilege escalation exploit.
Elastic rule (View on GitHub)
1[metadata]
2creation_date = "2023/08/28"
3integration = ["endpoint"]
4maturity = "production"
5updated_date = "2025/01/15"
6
7[rule]
8author = ["Elastic"]
9description = """
10This rule monitors a sequence involving a program compilation event followed by its execution and a subsequent
11alteration of UID permissions to root privileges. This behavior can potentially indicate the execution of a kernel or
12software privilege escalation exploit.
13"""
14from = "now-9m"
15index = ["logs-endpoint.events.*"]
16language = "eql"
17license = "Elastic License v2"
18name = "Potential Privilege Escalation via Recently Compiled Executable"
19risk_score = 47
20rule_id = "193549e8-bb9e-466a-a7f9-7e783f5cb5a6"
21setup = """## Setup
22
23This rule requires data coming in from Elastic Defend.
24
25### Elastic Defend Integration Setup
26Elastic Defend is integrated into the Elastic Agent using Fleet. Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app.
27
28#### Prerequisite Requirements:
29- Fleet is required for Elastic Defend.
30- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).
31
32#### The following steps should be executed in order to add the Elastic Defend integration on a Linux System:
33- Go to the Kibana home page and click "Add integrations".
34- In the query bar, search for "Elastic Defend" and select the integration to see more details about it.
35- Click "Add Elastic Defend".
36- Configure the integration name and optionally add a description.
37- Select the type of environment you want to protect, either "Traditional Endpoints" or "Cloud Workloads".
38- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).
39- We suggest selecting "Complete EDR (Endpoint Detection and Response)" as a configuration setting, that provides "All events; all preventions"
40- Enter a name for the agent policy in "New agent policy name". If other agent policies already exist, you can click the "Existing hosts" tab and select an existing policy instead.
41For more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/8.10/agent-policy.html).
42- Click "Save and Continue".
43- To complete the integration, select "Add Elastic Agent to your hosts" and continue to the next section to install the Elastic Agent on your hosts.
44For more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).
45"""
46severity = "medium"
47tags = [
48 "Domain: Endpoint",
49 "OS: Linux",
50 "Use Case: Threat Detection",
51 "Tactic: Privilege Escalation",
52 "Use Case: Vulnerability",
53 "Data Source: Elastic Defend",
54 "Resources: Investigation Guide",
55]
56type = "eql"
57
58query = '''
59sequence by host.id with maxspan=1m
60 [process where host.os.type == "linux" and event.type == "start" and event.action == "exec" and
61 process.name in ("gcc", "g++", "cc") and user.id != "0"] by process.args
62 [file where host.os.type == "linux" and event.action == "creation" and event.type == "creation" and
63 process.name == "ld" and user.id != "0"] by file.name
64 [process where host.os.type == "linux" and event.type == "start" and event.action == "exec" and
65 user.id != "0"] by process.name
66 [process where host.os.type == "linux" and event.action in ("uid_change", "guid_change") and event.type == "change" and
67 user.id == "0"] by process.name
68'''
69note = """## Triage and analysis
70
71> **Disclaimer**:
72> This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs.
73
74### Investigating Potential Privilege Escalation via Recently Compiled Executable
75
76In Linux environments, compiling and executing programs is a routine operation. However, adversaries can exploit this by compiling malicious code to escalate privileges. This detection rule identifies suspicious sequences where a non-root user compiles and executes a program, followed by a UID change to root, indicating potential privilege escalation attempts. By monitoring these patterns, the rule helps in identifying and mitigating exploitation risks.
77
78### Possible investigation steps
79
80- Review the alert details to identify the specific non-root user involved in the compilation and execution sequence. Check the user.id field to gather more information about the user's activities and permissions.
81- Examine the process.args field from the initial compilation event to understand the source code or script being compiled. This can provide insights into whether the code has malicious intent.
82- Investigate the file.name field associated with the creation event to determine the nature of the executable file created. Check its location and any associated metadata for anomalies.
83- Analyze the process.name field from the execution event to identify the program that was run. Cross-reference this with known malicious binaries or scripts.
84- Check the process.name field in the UID change event to identify the process responsible for the privilege escalation. Determine if this process is known to exploit vulnerabilities for privilege escalation.
85- Review system logs and other security tools for any additional suspicious activities or anomalies around the time of the alert to gather more context on the potential threat.
86- Assess the system for any signs of compromise or unauthorized changes, such as new user accounts, altered configurations, or unexpected network connections, to evaluate the impact and scope of the incident.
87
88### False positive analysis
89
90- Development activities by legitimate users can trigger this rule when compiling and testing new software. To manage this, consider creating exceptions for specific users or groups known to perform regular development tasks.
91- Automated build systems or continuous integration pipelines may compile and execute code as part of their normal operation. Exclude these systems by identifying their user accounts or host identifiers.
92- System administrators performing maintenance or updates might compile and execute programs, leading to false positives. Implement exceptions for these users or specific maintenance windows.
93- Educational environments where students frequently compile and execute code for learning purposes can generate alerts. Exclude these activities by setting up exceptions for student user accounts or specific lab environments.
94- Security testing and research activities that involve compiling and executing exploit code in a controlled manner can be mistaken for malicious behavior. Exclude these activities by identifying the user accounts or systems involved in such testing.
95
96### Response and remediation
97
98- Immediately isolate the affected host from the network to prevent further unauthorized access or lateral movement.
99- Terminate any suspicious processes identified in the alert, especially those associated with the compiled executable and any processes running with elevated privileges.
100- Revert any unauthorized changes to user permissions, particularly any UID changes to root, to restore the system to its secure state.
101- Conduct a thorough review of the affected system for additional indicators of compromise, such as unauthorized file modifications or new user accounts, and remove any malicious artifacts.
102- Apply relevant security patches and updates to the system to address any vulnerabilities that may have been exploited for privilege escalation.
103- Monitor the affected system and network for any signs of recurring or related suspicious activity, using enhanced logging and alerting mechanisms.
104- Escalate the incident to the security operations team for further investigation and to determine if additional systems may be affected, ensuring comprehensive remediation across the environment."""
105
106
107[[rule.threat]]
108framework = "MITRE ATT&CK"
109[[rule.threat.technique]]
110id = "T1068"
111name = "Exploitation for Privilege Escalation"
112reference = "https://attack.mitre.org/techniques/T1068/"
113
114
115[rule.threat.tactic]
116id = "TA0004"
117name = "Privilege Escalation"
118reference = "https://attack.mitre.org/tactics/TA0004/"
Triage and analysis
Disclaimer: This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs.
Investigating Potential Privilege Escalation via Recently Compiled Executable
In Linux environments, compiling and executing programs is a routine operation. However, adversaries can exploit this by compiling malicious code to escalate privileges. This detection rule identifies suspicious sequences where a non-root user compiles and executes a program, followed by a UID change to root, indicating potential privilege escalation attempts. By monitoring these patterns, the rule helps in identifying and mitigating exploitation risks.
Possible investigation steps
- Review the alert details to identify the specific non-root user involved in the compilation and execution sequence. Check the user.id field to gather more information about the user's activities and permissions.
- Examine the process.args field from the initial compilation event to understand the source code or script being compiled. This can provide insights into whether the code has malicious intent.
- Investigate the file.name field associated with the creation event to determine the nature of the executable file created. Check its location and any associated metadata for anomalies.
- Analyze the process.name field from the execution event to identify the program that was run. Cross-reference this with known malicious binaries or scripts.
- Check the process.name field in the UID change event to identify the process responsible for the privilege escalation. Determine if this process is known to exploit vulnerabilities for privilege escalation.
- Review system logs and other security tools for any additional suspicious activities or anomalies around the time of the alert to gather more context on the potential threat.
- Assess the system for any signs of compromise or unauthorized changes, such as new user accounts, altered configurations, or unexpected network connections, to evaluate the impact and scope of the incident.
False positive analysis
- Development activities by legitimate users can trigger this rule when compiling and testing new software. To manage this, consider creating exceptions for specific users or groups known to perform regular development tasks.
- Automated build systems or continuous integration pipelines may compile and execute code as part of their normal operation. Exclude these systems by identifying their user accounts or host identifiers.
- System administrators performing maintenance or updates might compile and execute programs, leading to false positives. Implement exceptions for these users or specific maintenance windows.
- Educational environments where students frequently compile and execute code for learning purposes can generate alerts. Exclude these activities by setting up exceptions for student user accounts or specific lab environments.
- Security testing and research activities that involve compiling and executing exploit code in a controlled manner can be mistaken for malicious behavior. Exclude these activities by identifying the user accounts or systems involved in such testing.
Response and remediation
- Immediately isolate the affected host from the network to prevent further unauthorized access or lateral movement.
- Terminate any suspicious processes identified in the alert, especially those associated with the compiled executable and any processes running with elevated privileges.
- Revert any unauthorized changes to user permissions, particularly any UID changes to root, to restore the system to its secure state.
- Conduct a thorough review of the affected system for additional indicators of compromise, such as unauthorized file modifications or new user accounts, and remove any malicious artifacts.
- Apply relevant security patches and updates to the system to address any vulnerabilities that may have been exploited for privilege escalation.
- Monitor the affected system and network for any signs of recurring or related suspicious activity, using enhanced logging and alerting mechanisms.
- Escalate the incident to the security operations team for further investigation and to determine if additional systems may be affected, ensuring comprehensive remediation across the environment.
Related rules
- Potential Privilege Escalation via CVE-2023-4911
- Potential Privilege Escalation via Enlightenment
- Potential Privilege Escalation via OverlayFS
- Potential Privilege Escalation via PKEXEC
- Potential Sudo Privilege Escalation via CVE-2019-14287