PwnKit Local Privilege Escalation
Detects potential PwnKit exploitation CVE-2021-4034 in auth logs
Sigma rule
title: PwnKit Local Privilege Escalation
id: 0506a799-698b-43b4-85a1-ac4c84c720e9
status: test
description: Detects potential PwnKit exploitation CVE-2021-4034 in auth logs
references:
    - https://twitter.com/wdormann/status/1486161836961579020
author: Sreeman
date: 2022-01-26
modified: 2024-09-11
tags:
    - attack.privilege-escalation
    - attack.t1548.001
    - detection.emerging-threats
    - cve.2021-4034
logsource:
    product: linux
    service: auth
detection:
    keywords:
        '|all':
            - 'pkexec'
            - 'The value for environment variable XAUTHORITY contains suspicious content'
            - '[USER=root] [TTY=/dev/pts/0]'
    condition: keywords
falsepositives:
    - Unknown
level: high
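As an added example (not part of the rule or of the Sigma project's code), the rule's '|all' keyword logic applied in Python to constructed auth.log lines, so the three-keyword match can be checked against both a legitimate pkexec invocation and the warning line it targets. The relaxed mode that accepts any /dev/pts number, the hostnames, PIDs and user names are assumptions of this example, not part of the rule.

```python
import re

# The rule's '|all' keyword block: a line is flagged only if every string occurs in it.
PWNKIT_KEYWORDS = (
    "pkexec",
    "The value for environment variable XAUTHORITY contains suspicious content",
    "[USER=root] [TTY=/dev/pts/0]",
)

# Assumption of this example, not part of the rule: a looser TTY match that accepts
# any pseudo-terminal number instead of only /dev/pts/0.
ANY_PTS = re.compile(r"\[USER=root\] \[TTY=/dev/pts/\d+\]", re.IGNORECASE)

def matches_pwnkit_rule(line: str, relaxed: bool = False) -> bool:
    """Sigma keyword semantics: substring match on the whole log line; most
    backends compare case-insensitively, so this does the same."""
    lowered = line.lower()
    if relaxed:
        head = PWNKIT_KEYWORDS[:2]
        return all(k.lower() in lowered for k in head) and ANY_PTS.search(line) is not None
    return all(k.lower() in lowered for k in PWNKIT_KEYWORDS)

def scan_auth_log(lines, relaxed: bool = False):
    """Return the log lines the rule would alert on, in their original order."""
    return [ln for ln in lines if matches_pwnkit_rule(ln, relaxed)]

# Constructed sample auth.log lines (hostname, PIDs and users are invented), in the
# "pkexec[pid]: user: message [USER=..] [TTY=..] [CWD=..] [COMMAND=..]" layout.
SAMPLE_AUTH_LOG = [
    "Jan 26 10:15:02 host1 pkexec[2201]: alice: The value for environment variable "
    "XAUTHORITY contains suspicious content [USER=root] [TTY=/dev/pts/0] "
    "[CWD=/home/alice] [COMMAND=/usr/bin/id]",
    # Legitimate pkexec use: no XAUTHORITY warning, so no alert.
    "Jan 26 10:15:05 host1 pkexec[2210]: alice: Executing command [USER=root] "
    "[TTY=/dev/pts/0] [CWD=/home/alice] [COMMAND=/usr/bin/id]",
    # Same warning on a different pseudo-terminal: missed by the literal rule.
    "Jan 26 10:16:11 host1 pkexec[2230]: bob: The value for environment variable "
    "XAUTHORITY contains suspicious content [USER=root] [TTY=/dev/pts/3] "
    "[CWD=/home/bob] [COMMAND=/usr/bin/id]",
    "Jan 26 10:16:30 host1 sshd[2240]: Accepted publickey for alice from 10.0.0.5 port 51022 ssh2",
    "Jan 26 10:17:00 host1 sudo:    bob : TTY=pts/1 ; PWD=/home/bob ; USER=root ; COMMAND=/usr/bin/id",
]

if __name__ == "__main__":
    for hit in scan_auth_log(SAMPLE_AUTH_LOG):
        print("ALERT:", hit)
```

The third sample line shows why the literal `[TTY=/dev/pts/0]` keyword is brittle: the same pkexec warning on another pseudo-terminal is not flagged unless the relaxed match is used.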