PwnKit Local Privilege Escalation

calendar Oct 23, 2025 · attack.defense-evasion attack.privilege-escalation attack.t1548.001  ·
Share on: linkedin copy

Detects potential PwnKit exploitation CVE-2021-4034 in auth logs

Sigma rule (View on GitHub)

 1title: PwnKit Local Privilege Escalation
 2id: 0506a799-698b-43b4-85a1-ac4c84c720e9
 3status: test
 4description: Detects potential PwnKit exploitation CVE-2021-4034 in auth logs
 5references:
 6    - https://twitter.com/wdormann/status/1486161836961579020
 7author: Sreeman
 8date: 2022-01-26
 9modified: 2024-09-11
10tags:
11    - attack.defense-evasion
12    - attack.privilege-escalation
13    - attack.t1548.001
14logsource:
15    product: linux
16    service: auth
17detection:
18    keywords:
19        '|all':
20            - 'pkexec'
21            - 'The value for environment variable XAUTHORITY contains suspicious content'
22            - '[USER=root] [TTY=/dev/pts/0]'
23    condition: keywords
24falsepositives:
25    - Unknown
26level: high

References

  • Something went wrong, but don’t fret — let’s give it another shot. Some privacy related extensions may cause issues on x.com. Please disable them and try again.


    Read More

Related rules

to-top