LoFP / field mapping differences between auditd versions can occasionally mis-populate effective versus real user ids; validate raw audit fields when triaging unexpected hits.

Techniques

Sample rules

Potential Root Effective Shell from Non-Standard Path via Auditd

Description

Identifies process execution events where the effective user is root while the real user is not, the process arguments include the -p flag (the privileged-mode switch that setuid-capable shells use to keep the elevated effective user id), and the executable path is outside standard system binary directories. That combination is consistent with abuse of setuid shells or similar helpers copied or linked into writable locations, a pattern used to regain a root context after local exploitation.

Detection logic

host.os.type:linux and event.category:process and 
event.action:(exec or executed) and user.id:(* and not 0) and 
process.executable:(* and not (/bin/* or /nix/store/*/bin/sudo or /run/wrappers/wrappers*/sudo or /sbin/* or /usr/bin/* or /usr/sbin/*)) and 
user.effective.id:0 and process.args:-p
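To make the predicate above and the LoFP caveat concrete, the following is an added Python example, not part of the rule or of the page: it applies the same conditions to ECS-shaped event dicts and cross-checks user.id / user.effective.id against the uid/euid fields of the raw auditd SYSCALL record, which is the validation step the LoFP note asks for. The event dicts and the audit line are constructed samples.

```python
import fnmatch
import re

# Executable globs the rule excludes; KQL '*' spans '/', and so does fnmatch.
STANDARD_PATHS = ["/bin/*", "/nix/store/*/bin/sudo", "/run/wrappers/wrappers*/sudo",
                  "/sbin/*", "/usr/bin/*", "/usr/sbin/*"]

def in_standard_path(executable):
    return any(fnmatch.fnmatchcase(executable, g) for g in STANDARD_PATHS)

def matches_rule(event):
    """Apply the rule's predicate to one ECS-shaped event dict."""
    ev, user, proc = event.get("event", {}), event.get("user", {}), event.get("process", {})
    if event.get("host", {}).get("os", {}).get("type") != "linux":
        return False
    if ev.get("category") != "process" or ev.get("action") not in ("exec", "executed"):
        return False
    uid, euid = user.get("id"), user.get("effective", {}).get("id")
    exe, args = proc.get("executable"), proc.get("args", [])
    return (uid not in (None, "0") and euid == "0" and exe is not None
            and not in_standard_path(exe) and "-p" in args)

# Word boundary keeps auid=, suid= and fsuid= from matching as uid=.
RAW_ID_RE = re.compile(r"\b(uid|euid)=(\d+)")

def raw_ids(syscall_record):
    """Extract the uid/euid values from a raw auditd SYSCALL record."""
    return dict(RAW_ID_RE.findall(syscall_record))

def triage(event, syscall_record):
    """Return (rule_matched, ids_consistent); ids_consistent is False when the
    normalized user.id / user.effective.id disagree with the raw uid / euid."""
    ids = raw_ids(syscall_record)
    consistent = (ids.get("uid") == event["user"]["id"]
                  and ids.get("euid") == event["user"]["effective"]["id"])
    return matches_rule(event), consistent

# Constructed sample data, not real telemetry.
HIT_EVENT = {"host": {"os": {"type": "linux"}},
             "event": {"category": "process", "action": "executed"},
             "user": {"id": "1000", "effective": {"id": "0"}},
             "process": {"executable": "/tmp/.cache/bash", "args": ["/tmp/.cache/bash", "-p"]}}
STD_PATH_EVENT = {**HIT_EVENT, "process": {"executable": "/usr/bin/bash", "args": ["bash", "-p"]}}
RAW_OK = ('type=SYSCALL msg=audit(1700000000.123:4567): arch=c000003e syscall=59 success=yes '
          'auid=1000 uid=1000 gid=1000 euid=0 suid=0 fsuid=0 egid=1000 comm="bash" exe="/tmp/.cache/bash"')
RAW_MISMATCH = RAW_OK.replace("euid=0", "euid=1000")  # raw record says euid never became 0

if __name__ == "__main__":
    print(triage(HIT_EVENT, RAW_OK))        # (True, True): genuine hit
    print(triage(HIT_EVENT, RAW_MISMATCH))  # (True, False): verify the field mapping first
    print(matches_rule(STD_PATH_EVENT))     # False: standard path is excluded
```

A (True, False) result means the normalized fields and the raw record disagree, so the hit should be checked against the source audit line before it is escalated.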