Non-Standard Nsswitch.Conf Creation - Potential CVE-2025-32463 Exploitation
Detects the creation of nsswitch.conf files in non-standard directories, which may indicate exploitation of CVE-2025-32463. This vulnerability requires an attacker to create an nsswitch.conf in a directory that will be used during sudo chroot operations. When sudo executes, it loads malicious shared libraries from user-controlled locations within the chroot environment, potentially leading to arbitrary code execution and privilege escalation.
Sigma rule
```yaml
title: Non-Standard Nsswitch.Conf Creation - Potential CVE-2025-32463 Exploitation
id: 10ac0730-c24e-4f4c-81f8-b13a1ac95a1d
status: experimental
description: |
    Detects the creation of nsswitch.conf files in non-standard directories, which may indicate exploitation of CVE-2025-32463.
    This vulnerability requires an attacker to create a nsswitch.conf in a directory that will be used during sudo chroot operations.
    When sudo executes, it loads malicious shared libraries from user-controlled locations within the chroot environment,
    potentially leading to arbitrary code execution and privilege escalation.
references:
    - https://github.com/kh4sh3i/CVE-2025-32463/blob/81bb430f84fa2089224733c3ed4bfa434c197ad4/exploit.sh
author: Swachchhanda Shrawn Poudel (Nextron Systems)
date: 2025-10-02
tags:
    - attack.privilege-escalation
    - attack.t1068
    - cve.2025-32463
    - detection.emerging-threats
logsource:
    category: file_event
    product: linux
detection:
    selection:
        TargetFilename|endswith: '/etc/nsswitch.conf'
    filter_main_legitimate_path:
        TargetFilename: '/etc/nsswitch.conf'
    condition: selection and not 1 of filter_main_*
falsepositives:
    - Backup locations
level: high
```
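To see how the `selection and not 1 of filter_main_*` condition behaves on real-looking telemetry, here is an added Python example (not part of the rule or the Sigma project) that applies the rule's two string tests to constructed Linux file-creation events; the event dictionaries, the `/tmp/stage` and `/backup` paths, and the `Image` field are assumptions for illustration.

```python
# Added example: evaluates this Sigma rule's detection logic over constructed
# file_event records. It is not code from the rule page or from the Sigma project.

RULE_ID = "10ac0730-c24e-4f4c-81f8-b13a1ac95a1d"  # id from the rule above

# selection: TargetFilename|endswith '/etc/nsswitch.conf'
SELECTION_SUFFIX = "/etc/nsswitch.conf"
# filter_main_legitimate_path: exact match on the real system file
FILTER_EXACT = {"/etc/nsswitch.conf"}


def matches_rule(event: dict) -> bool:
    """True when `selection and not 1 of filter_main_*` holds for the event.

    Sigma string comparisons are case-insensitive by default, so both tests
    are done on the lower-cased path even though Linux paths are case-sensitive.
    """
    target = str(event.get("TargetFilename", "")).lower()
    selection = target.endswith(SELECTION_SUFFIX)
    filtered = target in FILTER_EXACT  # any filter_main_* match suppresses the hit
    return selection and not filtered


def scan(events: list) -> list:
    """Return the subset of events that would raise this rule."""
    return [e for e in events if matches_rule(e)]


# Constructed sample events (not real telemetry); paths and Image values are assumed.
SAMPLE_EVENTS = [
    {"TargetFilename": "/etc/nsswitch.conf", "Image": "/usr/bin/apt-get"},          # legitimate system file
    {"TargetFilename": "/tmp/stage/etc/nsswitch.conf", "Image": "/usr/bin/bash"},   # chroot staging dir: alert
    {"TargetFilename": "/etc/nsswitch.conf.bak", "Image": "/usr/bin/cp"},           # suffix differs: no alert
    {"TargetFilename": "/backup/etc/nsswitch.conf", "Image": "/usr/bin/rsync"},     # listed false positive: alert
]

if __name__ == "__main__":
    for hit in scan(SAMPLE_EVENTS):
        print(f"ALERT {RULE_ID}: {hit['TargetFilename']} written by {hit['Image']}")
```

The last sample shows why the rule lists backup locations as a false positive: any path that ends in `/etc/nsswitch.conf` other than the real one fires, so tuning usually means adding further `filter_main_*` entries for known backup or container image roots.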
Related rules
- Suspicious Sysmon as Execution Parent
- Potential CVE-2024-35250 Exploitation Activity
- Exploiting CVE-2019-1388
- Potential CVE-2021-41379 Exploitation Attempt
- InstallerFileTakeOver LPE CVE-2021-41379 File Create Event