Potential Privilege Escalation via Recently Compiled Executable

This rule detects a sequence in which a non-root user runs a compiler (gcc, g++ or cc), the linker (ld) writes an output file, that file is executed, and the resulting process then changes its UID to root, all on the same host within one minute. This pattern can indicate a locally compiled kernel or userland privilege escalation exploit being run.

Rule type: eql

Rule indices:

  • logs-endpoint.events.*

Severity: medium

Risk score: 47

Runs every: 5m

Searches indices from: now-9m (Date Math format, see also Additional look-back time)

Maximum alerts per execution: 100

References: None

Tags:

  • Domain: Endpoint
  • OS: Linux
  • Use Case: Threat Detection
  • Tactic: Privilege Escalation
  • Use Case: Vulnerability
  • Data Source: Elastic Defend

Version: 3

Rule authors:

  • Elastic

Rule license: Elastic License v2

Rule query

sequence by host.id with maxspan=1m
  [process where host.os.type == "linux" and event.action == "exec" and event.type == "start" and
   process.name in ("gcc", "g++", "cc") and user.id != "0"] by process.args
  [file where host.os.type == "linux" and event.action == "creation" and event.type == "creation" and
   process.name == "ld" and user.id != "0"] by file.name
  [process where host.os.type == "linux" and event.action == "exec" and event.type == "start" and
   user.id != "0"] by process.name
  [process where host.os.type == "linux" and event.action in ("uid_change", "guid_change") and event.type == "change" and
   user.id == "0"] by process.name
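
As an added worked example (not Elastic's code, and not how the Elastic EQL engine is implemented), the following Python replays the four subqueries of this rule over a handful of constructed, simplified Elastic Defend-style events, to make explicit what the `by` join keys and `maxspan` require: the compiler's arguments must contain the name of the file `ld` writes, that name must then appear as `process.name` of a later exec, and that same process must change UID to root within one minute of the compile on the same `host.id`. EQL semantics are approximated (one join key per stage, the `process.args` array joined as any-element match, no first-match or `until` handling); the event layout, host ids, file names, user ids and timestamps are all constructed.

```python
# Added example: toy EQL-style sequence matcher for the rule above.
# Not Elastic's code; simplified semantics; constructed sample events.
from datetime import datetime, timedelta

MAXSPAN = timedelta(minutes=1)  # "with maxspan=1m", measured from the first event


def get(ev, path, default=None):
    """Dotted-path lookup in a nested ECS-style document, e.g. get(ev, "process.name")."""
    cur = ev
    for part in path.split("."):
        if not isinstance(cur, dict) or part not in cur:
            return default
        cur = cur[part]
    return cur


def _linux(ev, category):
    return get(ev, "host.os.type") == "linux" and get(ev, "event.category") == category


# Each stage mirrors one bracketed subquery: it returns the set of candidate
# join-key values (the "by ..." field) when the event matches, else None.
def stage_compile(ev):  # ... process.name in ("gcc","g++","cc") and user.id != "0"] by process.args
    if (_linux(ev, "process") and get(ev, "event.action") == "exec" and get(ev, "event.type") == "start"
            and get(ev, "process.name") in ("gcc", "g++", "cc") and get(ev, "user.id") != "0"):
        return set(get(ev, "process.args", []))  # any argument (e.g. the -o target) may join
    return None


def stage_link(ev):  # [file ... process.name == "ld" and user.id != "0"] by file.name
    if (_linux(ev, "file") and get(ev, "event.action") == "creation" and get(ev, "event.type") == "creation"
            and get(ev, "process.name") == "ld" and get(ev, "user.id") != "0"):
        return {get(ev, "file.name")}
    return None


def stage_exec(ev):  # [process ... event.action == "exec" and user.id != "0"] by process.name
    if (_linux(ev, "process") and get(ev, "event.action") == "exec" and get(ev, "event.type") == "start"
            and get(ev, "user.id") != "0"):
        return {get(ev, "process.name")}
    return None


def stage_uid_change(ev):  # [process ... action in ("uid_change","guid_change") and user.id == "0"] by process.name
    if (_linux(ev, "process") and get(ev, "event.action") in ("uid_change", "guid_change")
            and get(ev, "event.type") == "change" and get(ev, "user.id") == "0"):
        return {get(ev, "process.name")}
    return None


STAGES = [stage_compile, stage_link, stage_exec, stage_uid_change]


def find_sequences(events):
    """Return every completed 4-stage sequence (a list of 4 events): same host.id,
    timestamp order, join keys intersecting across stages, last event within MAXSPAN of the first."""
    events = sorted(events, key=lambda e: e["@timestamp"])
    partial, matches = [], []  # partial: in-flight sequences {"host","keys","start","events"}
    for ev in events:
        host, ts = get(ev, "host.id"), ev["@timestamp"]
        partial = [p for p in partial if ts - p["start"] <= MAXSPAN]  # expire stale sequences
        still_open = []
        for p in partial:
            keys = STAGES[len(p["events"])](ev) if p["host"] == host else None
            common = (p["keys"] & keys) if keys else set()
            if not common:
                still_open.append(p)  # this event does not advance p
                continue
            ext = {"host": host, "keys": common, "start": p["start"], "events": p["events"] + [ev]}
            if len(ext["events"]) == len(STAGES):
                matches.append(ext["events"])  # sequence complete: one alert
            else:
                still_open.append(ext)
        partial = still_open
        keys = stage_compile(ev)  # every qualifying compile opens a new candidate sequence
        if keys:
            partial.append({"host": host, "keys": keys, "start": ts, "events": [ev]})
    return matches


def sample_events():
    """Constructed, simplified events (not real Elastic Defend output): one true positive
    on host-1 plus four chains that must not match."""
    t0 = datetime(2024, 1, 1, 12, 0, 0)

    def ev(secs, action, etype, name, uid, category="process", args=None, file_name=None, host="host-1"):
        e = {"@timestamp": t0 + timedelta(seconds=secs),
             "host": {"id": host, "os": {"type": "linux"}},
             "event": {"category": category, "action": action, "type": etype},
             "process": {"name": name, "args": args or [name]},
             "user": {"id": uid}}
        if file_name:
            e["file"] = {"name": file_name}
        return e

    return [
        # True positive: uid 1000 compiles pwn.c, ld writes "pwn", pwn runs, then becomes root.
        ev(0, "exec", "start", "gcc", "1000", args=["gcc", "-o", "pwn", "pwn.c"]),
        ev(2, "creation", "creation", "ld", "1000", category="file", file_name="pwn"),
        ev(5, "exec", "start", "pwn", "1000"),
        ev(6, "uid_change", "change", "pwn", "0"),
        # Benign: sudo changes UID to root, but nothing was compiled first.
        ev(20, "exec", "start", "sudo", "1000"),
        ev(21, "uid_change", "change", "sudo", "0"),
        # Root building and running its own tool: user.id == "0" fails stages 1-3.
        ev(30, "exec", "start", "gcc", "0", args=["gcc", "-o", "tool", "tool.c"]),
        ev(31, "creation", "creation", "ld", "0", category="file", file_name="tool"),
        ev(33, "exec", "start", "tool", "0"),
        # Same chain on host-2, but the UID change lands 70 s after the compile: outside maxspan.
        ev(100, "exec", "start", "cc", "1000", args=["cc", "-o", "x", "x.c"], host="host-2"),
        ev(102, "creation", "creation", "ld", "1000", category="file", file_name="x", host="host-2"),
        ev(105, "exec", "start", "x", "1000", host="host-2"),
        ev(170, "uid_change", "change", "x", "0", host="host-2"),
        # Join-key gap: gcc without -o writes a.out, which never appears in process.args.
        ev(200, "exec", "start", "gcc", "1000", args=["gcc", "exploit.c"], host="host-3"),
        ev(202, "creation", "creation", "ld", "1000", category="file", file_name="a.out", host="host-3"),
        ev(204, "exec", "start", "a.out", "1000", host="host-3"),
        ev(205, "uid_change", "change", "a.out", "0", host="host-3"),
    ]


if __name__ == "__main__":
    for seq in find_sequences(sample_events()):
        print(" -> ".join(f"{get(e, 'event.action')}:{get(e, 'process.name')}" for e in seq))
```

Running the block prints the single matching chain (`exec:gcc -> creation:ld -> exec:pwn -> uid_change:pwn`); the sudo-only UID change, the root-driven build and the host-2 chain whose UID change arrives 70 s after the compile all fall through. The host-3 chain shows a coverage gap worth knowing when tuning this rule: with `gcc exploit.c` and no `-o`, the linker output is `a.out`, that name is not among the compiler's arguments, and the `by process.args` / `by file.name` join never connects, so an otherwise identical escalation is not reported.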

Framework: MITRE ATT&CK™