PwnKit Local Privilege Escalation

Detects potential PwnKit exploitation CVE-2021-4034 in auth logs

Sigma rule (View on GitHub)

 1title: PwnKit Local Privilege Escalation
 2id: 0506a799-698b-43b4-85a1-ac4c84c720e9
 3status: test
 4description: Detects potential PwnKit exploitation CVE-2021-4034 in auth logs
 5references:
 6    - https://twitter.com/wdormann/status/1486161836961579020
 7author: Sreeman
 8date: 2022/01/26
 9modified: 2023/01/23
10tags:
11    - attack.privilege_escalation
12    - attack.t1548.001
13logsource:
14    product: linux
15    service: auth
16detection:
17    keywords:
18        '|all':
19            - 'pkexec'
20            - 'The value for environment variable XAUTHORITY contains suscipious content'
21            - '[USER=root] [TTY=/dev/pts/0]'
22    condition: keywords
23falsepositives:
24    - Unknown
25level: high

References

Related rules

to-top