PwnKit Local Privilege Escalation
Detects potential PwnKit exploitation CVE-2021-4034 in auth logs
Sigma rule

title: PwnKit Local Privilege Escalation
id: 0506a799-698b-43b4-85a1-ac4c84c720e9
status: test
description: Detects potential PwnKit exploitation CVE-2021-4034 in auth logs
references:
    - https://twitter.com/wdormann/status/1486161836961579020
author: Sreeman
date: 2022-01-26
modified: 2024-09-11
tags:
    - attack.defense-evasion
    - attack.privilege-escalation
    - attack.t1548.001
    - detection.emerging-threats
    - cve.2021-4034
logsource:
    product: linux
    service: auth
detection:
    keywords:
        '|all':
            - 'pkexec'
            - 'The value for environment variable XAUTHORITY contains suspicious content'
            - '[USER=root] [TTY=/dev/pts/0]'
    condition: keywords
falsepositives:
    - Unknown
level: high
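To show how the rule's `|all` keyword block behaves on real-looking input, here is an added example (not part of the Sigma rule or the SigmaHQ project) that applies the three keywords to constructed auth log lines. It also goes one step beyond the rule with a variant that accepts any pseudo-terminal, since the literal `[TTY=/dev/pts/0]` keyword only fires for the first pts; the sample log lines, hostnames, PIDs and user names are all constructed.

```python
"""Apply the PwnKit Sigma rule's '|all' keyword logic to auth log lines."""
import re
from typing import Iterable, List

# Keywords copied from the rule's detection block. Sigma '|all' requires every
# keyword to appear in the event; keyword matching is treated here as a
# case-insensitive substring test, which is how most backends render it.
KEYWORDS_ALL = [
    "pkexec",
    "The value for environment variable XAUTHORITY contains suspicious content",
    "[USER=root] [TTY=/dev/pts/0]",
]

# Generalised variant (assumption, not in the rule): same message, any pts number.
ANY_TTY_RE = re.compile(r"\[USER=root\] \[TTY=/dev/pts/\d+\]")


def matches_rule(line: str, keywords: Iterable[str] = KEYWORDS_ALL) -> bool:
    """True when every rule keyword is a case-insensitive substring of line."""
    haystack = line.lower()
    return all(k.lower() in haystack for k in keywords)


def matches_any_tty(line: str) -> bool:
    """Looser check: pkexec + XAUTHORITY warning + root on any pseudo-terminal."""
    return matches_rule(line, KEYWORDS_ALL[:2]) and ANY_TTY_RE.search(line) is not None


def scan(lines: Iterable[str], strict: bool = True) -> List[str]:
    """Return the lines that trigger the rule (strict) or its any-TTY variant."""
    check = matches_rule if strict else matches_any_tty
    return [line for line in lines if check(line)]


# Constructed sample auth log lines (not real captures). Line 1 mimics pkexec
# rejecting a suspicious XAUTHORITY value on pts/0; line 2 is the same warning
# on pts/3; line 3 is ordinary pkexec use that the rule must not flag.
SAMPLE_AUTH_LOG = [
    "Jan 26 10:14:03 host pkexec[2311]: alice: The value for environment variable "
    "XAUTHORITY contains suspicious content [USER=root] [TTY=/dev/pts/0] [CWD=/tmp] [COMMAND=]",
    "Jan 26 10:15:41 host pkexec[2350]: alice: The value for environment variable "
    "XAUTHORITY contains suspicious content [USER=root] [TTY=/dev/pts/3] [CWD=/tmp] [COMMAND=]",
    "Jan 26 10:20:09 host pkexec[2400]: bob: Executing command [USER=root] "
    "[TTY=/dev/pts/0] [CWD=/home/bob] [COMMAND=/usr/bin/systemctl restart cups]",
]

if __name__ == "__main__":
    print("strict hits:", len(scan(SAMPLE_AUTH_LOG)))            # 1
    print("any-tty hits:", len(scan(SAMPLE_AUTH_LOG, strict=False)))  # 2
```

The strict scan reproduces the rule as published; the any-TTY scan illustrates the kind of tuning a team would consider when the `Unknown` false-positive entry has been validated against their own pkexec traffic.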
Related rules
- Antivirus PrinterNightmare CVE-2021-34527 Exploit Detection
- Potential PrintNightmare Exploitation Attempt
- Sudo Privilege Escalation CVE-2019-14287
- Sudo Privilege Escalation CVE-2019-14287 - Builtin
- Windows Spooler Service Suspicious Binary Load