Linux Sudo Chroot Execution
- source: sigma
- techniques:
  - t1068
Description
Detects execution of the 'sudo' command with the '--chroot' option (short form '-R'), which changes the root directory for the executed command. Attackers may use this technique to evade detection and to execute commands in a modified environment. It can be part of a privilege escalation strategy, since it allows execution of commands with elevated privileges in a controlled environment, as seen in CVE-2025-32463. While investigating, look for unusual or unexpected use of 'sudo --chroot' in conjunction with other commands or scripts, such as execution from temporary directories or by unusual user accounts.
Detection logic
detection:
  selection:
    Image|endswith: /sudo
    CommandLine|contains:
      - ' --chroot '
      - 'sudo -R '
  condition: selection
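To make the selection concrete, the following is an added example (not part of the Sigma rule or the original page) that evaluates the rule's two field conditions in Python over a handful of constructed process-creation events. Sigma's 'contains' and 'endswith' modifiers are case-insensitive by default, and the two fields inside one selection map are combined with AND; the evaluator reproduces both. Image paths, command lines and user names in the sample events are invented for illustration.

```python
# Added example: minimal evaluator for the Sigma selection above,
# run over constructed process-creation events (not real telemetry).
from dataclasses import dataclass

CHROOT_PATTERNS = (" --chroot ", "sudo -R ")  # CommandLine|contains values from the rule
IMAGE_SUFFIX = "/sudo"                         # Image|endswith value from the rule


@dataclass
class ProcessEvent:
    image: str          # path of the executed binary (Sigma 'Image')
    command_line: str   # full command line (Sigma 'CommandLine')
    user: str = "unknown"


def matches_sudo_chroot(event: ProcessEvent) -> bool:
    """Return True when the event satisfies the rule's 'selection'.

    Sigma string modifiers are case-insensitive by default, so both
    comparisons lower-case their inputs. Both fields of the selection
    must match (fields inside one selection map are ANDed).
    """
    image = event.image.lower()
    cmd = event.command_line.lower()
    if not image.endswith(IMAGE_SUFFIX):
        return False
    return any(pattern.lower() in cmd for pattern in CHROOT_PATTERNS)


def find_alerts(events):
    """Return the events that trigger the rule, for triage."""
    return [e for e in events if matches_sudo_chroot(e)]


# Constructed sample events (hypothetical paths and users).
SAMPLE_EVENTS = [
    ProcessEvent("/usr/bin/sudo", "sudo -R /tmp/stage /bin/sh", user="www-data"),
    ProcessEvent("/usr/bin/sudo", "sudo --chroot /tmp/stage id", user="www-data"),
    ProcessEvent("/usr/bin/sudo", "sudo apt-get update", user="admin"),
    ProcessEvent("/usr/bin/sudo", "sudo systemctl restart nginx", user="admin"),
    # CommandLine contains a pattern, but Image does not end with /sudo: no match.
    ProcessEvent("/usr/bin/python3", "python3 -c 'print(\"sudo -R \")'", user="dev"),
]

if __name__ == "__main__":
    for e in find_alerts(SAMPLE_EVENTS):
        print(f"ALERT user={e.user} image={e.image} cmd={e.command_line!r}")
```

Only the first two sample events fire: the 'apt-get' and 'systemctl' invocations lack both patterns, and the python3 event fails the Image check even though its command line happens to contain 'sudo -R '. When triaging a hit, the user field and the chroot target path (here a temporary directory) are the first things to look at, as the description suggests.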