Potential Privilege Escalation via Recently Compiled Executable

This rule monitors a sequence in which a program is compiled, then executed, and the resulting process subsequently changes its UID to root (UID 0). Such behavior can indicate the execution of a kernel or software privilege escalation exploit.


 1[metadata]
 2creation_date = "2023/08/28"
 3integration = ["endpoint"]
 4maturity = "production"
 5min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 6min_stack_version = "8.3.0"
 7updated_date = "2023/08/28"
 8
 9[rule]
10author = ["Elastic"]
11description = """
12This rule monitors a sequence involving a program compilation event followed by its execution and a subsequent 
13alteration of UID permissions to root privileges. This behavior can potentially indicate the execution of a kernel or 
14software privilege escalation exploit.
15"""
16from = "now-9m"
17index = ["logs-endpoint.events.*"]
18language = "eql"
19license = "Elastic License v2"
20name = "Potential Privilege Escalation via Recently Compiled Executable"
21risk_score = 47
22rule_id = "193549e8-bb9e-466a-a7f9-7e783f5cb5a6"
23severity = "medium"
24tags = ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Privilege Escalation", "Use Case: Vulnerability", "Data Source: Elastic Defend"]
25type = "eql"
26query = '''
27sequence by host.id with maxspan=1m
28  [process where host.os.type == "linux" and event.action == "exec" and event.type == "start" and 
29   process.name in ("gcc", "g++", "cc") and user.id != "0"] by process.args
30  [file where host.os.type == "linux" and event.action == "creation" and event.type == "creation" and 
31   process.name == "ld" and user.id != "0"] by file.name
32  [process where host.os.type == "linux" and event.action == "exec" and event.type == "start" and 
33   user.id != "0"] by process.name
34  [process where host.os.type == "linux" and event.action in ("uid_change", "guid_change") and event.type == "change" and 
35   user.id == "0"] by process.name
36'''
37
38[[rule.threat]]
39framework = "MITRE ATT&CK"
40
41[[rule.threat.technique]]
42id = "T1068"
43name = "Exploitation for Privilege Escalation"
44reference = "https://attack.mitre.org/techniques/T1068/"
45
46[rule.threat.tactic]
47id = "TA0004"
48name = "Privilege Escalation"
49reference = "https://attack.mitre.org/tactics/TA0004/"
