PwnKit Local Privilege Escalation
Detects potential PwnKit exploitation CVE-2021-4034 in auth logs
Sigma rule

```yaml
title: PwnKit Local Privilege Escalation
id: 0506a799-698b-43b4-85a1-ac4c84c720e9
status: test
description: Detects potential PwnKit exploitation CVE-2021-4034 in auth logs
references:
    - https://twitter.com/wdormann/status/1486161836961579020
author: Sreeman
date: 2022-01-26
modified: 2024-09-11
tags:
    - attack.privilege-escalation
    - attack.t1548.001
logsource:
    product: linux
    service: auth
detection:
    keywords:
        '|all':
            - 'pkexec'
            - 'The value for environment variable XAUTHORITY contains suspicious content'
            - '[USER=root] [TTY=/dev/pts/0]'
    condition: keywords
falsepositives:
    - Unknown
level: high
```
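To show how the rule's `'|all'` keyword logic applies to individual auth events, here is an added Python example (not part of the Sigma project or of this rule). The log lines are constructed, not real captures, and the matcher also illustrates a caveat a practitioner would check: the third keyword hard-codes `/dev/pts/0`, so the same message from another pseudo-terminal does not match.

```python
"""Keyword matcher reproducing the Sigma '|all' semantics of the PwnKit rule."""
from typing import Iterable, List

# Keywords copied from the rule's detection block. With '|all', every
# keyword must occur in the same event for that event to match.
PWNKIT_KEYWORDS = [
    "pkexec",
    "The value for environment variable XAUTHORITY contains suspicious content",
    "[USER=root] [TTY=/dev/pts/0]",
]


def matches_all_keywords(event: str, keywords: Iterable[str] = PWNKIT_KEYWORDS) -> bool:
    """Return True when every keyword is a substring of the event (Sigma '|all')."""
    return all(keyword in event for keyword in keywords)


def find_pwnkit_hits(log_lines: Iterable[str]) -> List[str]:
    """Return the auth log lines that satisfy the rule's keyword condition."""
    return [line for line in log_lines if matches_all_keywords(line)]


# Constructed sample auth log lines (not real captures). The first mimics the
# message pkexec writes when it rejects a malformed XAUTHORITY value; the
# second is ordinary pkexec use; the third is an unrelated sudo entry.
SAMPLE_AUTH_LOG = [
    "Jan 26 10:15:02 host pkexec[4321]: alice: The value for environment variable "
    "XAUTHORITY contains suspicious content [USER=root] [TTY=/dev/pts/0] "
    "[CWD=/home/alice] [COMMAND=/usr/bin/pkexec]",
    "Jan 26 10:16:40 host pkexec[4400]: alice: Executing command [USER=root] "
    "[TTY=/dev/pts/0] [CWD=/home/alice] [COMMAND=/usr/bin/systemctl restart cups]",
    "Jan 26 10:17:05 host sudo: alice : TTY=pts/1 ; PWD=/home/alice ; "
    "USER=root ; COMMAND=/bin/ls",
]

if __name__ == "__main__":
    for hit in find_pwnkit_hits(SAMPLE_AUTH_LOG):
        print("PwnKit indicator:", hit)
    # Same rejection message from /dev/pts/3 is missed because of the
    # hard-coded TTY in the third keyword.
    other_tty = SAMPLE_AUTH_LOG[0].replace("/dev/pts/0", "/dev/pts/3")
    print("matches from /dev/pts/3:", matches_all_keywords(other_tty))
```

Broadening the third keyword (for example to `[USER=root] [TTY=/dev/pts/` with a trailing wildcard in Sigma) would cover other terminals at the cost of reviewing the rule's false-positive profile.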
Related rules
- CVE-2021-1675 Print Spooler Exploitation Filename Pattern
- InstallerFileTakeOver LPE CVE-2021-41379 File Create Event
- Potential PrintNightmare Exploitation Attempt
- Windows Spooler Service Suspicious Binary Load
- Startup/Logon Script Added to Group Policy Object