PwnKit Local Privilege Escalation
Detects potential PwnKit exploitation CVE-2021-4034 in auth logs
Sigma rule
title: PwnKit Local Privilege Escalation
id: 0506a799-698b-43b4-85a1-ac4c84c720e9
status: test
description: Detects potential PwnKit exploitation CVE-2021-4034 in auth logs
references:
    - https://twitter.com/wdormann/status/1486161836961579020
author: Sreeman
date: 2022/01/26
modified: 2023/01/23
tags:
    - attack.privilege_escalation
    - attack.t1548.001
logsource:
    product: linux
    service: auth
detection:
    keywords:
        '|all':
            - 'pkexec'
            - 'The value for environment variable XAUTHORITY contains suscipious content'
            - '[USER=root] [TTY=/dev/pts/0]'
    condition: keywords
falsepositives:
    - Unknown
level: high

Notes on the keywords: "suscipious" is not a typo in the rule. It reproduces the misspelling in the message that pkexec itself writes to the auth log when an environment variable fails its sanity check, which is the error path the PwnKit exploit deliberately triggers; "correcting" the spelling would break the match. The third keyword hard-codes "[TTY=/dev/pts/0]", so an attempt launched from any other pseudo-terminal, or from a process with no controlling terminal, logs a different token and is not matched. All three keywords must appear in the same event ('|all'), so treat the rule as a narrow, high-confidence signature for one observed exploitation pattern rather than as full coverage of CVE-2021-4034.
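The following is an added example, not part of the Sigma rule or of any Sigma backend: it applies the rule's three '|all' keywords to a handful of constructed auth.log lines and shows which ones fire. The log lines are constructed for illustration (the pkexec PID, user, CWD and COMMAND fields are placeholders), and the "any TTY" variant at the end is this example's own loosening of the third keyword, not something the published rule does.

```python
"""Added example: evaluate the PwnKit Sigma rule's keywords over sample lines.
Illustrative code only; it is not the rule, nor any Sigma backend's output."""

import re

# The three keywords from the rule's detection block, copied verbatim.
# "suscipious" is spelled that way because that is how pkexec spells it
# in the message it logs, so the keyword must keep the misspelling.
KEYWORDS = (
    "pkexec",
    "The value for environment variable XAUTHORITY contains suscipious content",
    "[USER=root] [TTY=/dev/pts/0]",
)

# Constructed sample auth.log lines (not real captures). Line 1 is the pattern
# the rule targets; line 2 is the same message from a second pseudo-terminal;
# lines 3 and 4 are benign noise that shares some, but not all, keywords.
SAMPLE_LOG = """\
Jan 26 10:01:02 host pkexec[4242]: user: The value for environment variable XAUTHORITY contains suscipious content [USER=root] [TTY=/dev/pts/0] [CWD=/home/user] [COMMAND=]
Jan 26 10:01:03 host pkexec[4243]: user: The value for environment variable XAUTHORITY contains suscipious content [USER=root] [TTY=/dev/pts/1] [CWD=/home/user] [COMMAND=]
Jan 26 10:02:15 host sshd[1234]: Accepted publickey for user from 10.0.0.5 port 51234 ssh2
Jan 26 10:03:00 host pkexec[4250]: user: Executing command [USER=root] [TTY=/dev/pts/0] [CWD=/home/user] [COMMAND=/usr/bin/id]
"""


def matches_rule(line: str) -> bool:
    """Sigma 'keywords' with the '|all' modifier: every keyword must occur
    somewhere in the raw event. Sigma string matching is case-insensitive,
    so both sides are lowercased before the substring test."""
    lower = line.lower()
    return all(k.lower() in lower for k in KEYWORDS)


def scan(log_text: str) -> list[str]:
    """Return every non-empty line that satisfies the rule as published."""
    return [ln for ln in log_text.splitlines() if ln and matches_rule(ln)]


# Hypothetical loosening (this example's assumption, not the published rule):
# keep the pkexec and XAUTHORITY keywords but accept any TTY value, so that a
# session on pts/1 or a process without a controlling terminal is not missed.
ANY_TTY = re.compile(r"\[USER=root\] \[TTY=[^\]]*\]", re.IGNORECASE)


def matches_any_tty(line: str) -> bool:
    lower = line.lower()
    return (
        KEYWORDS[0] in lower
        and KEYWORDS[1].lower() in lower
        and ANY_TTY.search(line) is not None
    )


def scan_any_tty(log_text: str) -> list[str]:
    return [ln for ln in log_text.splitlines() if ln and matches_any_tty(ln)]


if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG):
        print("rule as published:", hit)
    for hit in scan_any_tty(SAMPLE_LOG):
        print("any-TTY variant:  ", hit)
```

Run as a script, the published rule fires only on the first sample line; the pts/1 line is silent because of the hard-coded TTY token, and the any-TTY variant picks up both. The "Executing command" line shows why the XAUTHORITY message matters: it carries "pkexec" and "[USER=root] [TTY=/dev/pts/0]" yet is ordinary pkexec usage.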
Related rules
- Find Binary Searching for Executables with Setuid or Setguid Bit (RedCanary Threat Detection Report)
- Cisco BGP Authentication Failures
- Cisco LDP Authentication Failures
- HackTool - SysmonEOP Execution
- Huawei BGP Authentication Failures