Techniques
Sample rules
Linux Binary Launched Process with Null Argv
- source: splunk
- techniques:
Description
The following analytic detects the Linux kernel warning emitted when a process executes another program with a NULL (empty) argument vector. Since kernel 5.18, execve() with argc == 0 inserts an empty string as argv[0] and logs "process '<comm>' launched '<path>' with NULL argv: empty string added", where the first name is the calling process and the second is the program being executed. Legitimate programs always construct an argv, so this warning almost always indicates a privilege escalation exploit calling execve() on a setuid target, or shellcode spawning a shell or interpreter, without building a proper argument array. Note that the kernel emits this warning with pr_warn_once, so only the first empty-argv exec after a boot is logged; later ones on the same host are silent until it reboots, which makes even a single hit worth investigating.
Detection logic
sourcetype="linux_messages_syslog" "NULL argv" "empty string added"
| rex field=_raw "process '(?<launching_process>[^']+)' launched '(?<launched_process>[^']+)' with NULL argv"
| where isnotnull(launching_process) AND isnotnull(launched_process)
| stats
count AS occurrences,
min(_time) AS firstTime,
max(_time) AS lastTime,
values(_raw) AS message,
values(host) AS dest
by host, launching_process, launched_process
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| table dest, launching_process, launched_process,
firstTime, lastTime, occurrences, message
| `linux_binary_launched_process_with_null_argv_filter`
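The search above, re-implemented in Python over constructed syslog lines so the parsing and aggregation can be checked offline. This is an added example, not Splunk's or the kernel's code; the syslog prefix format, the year (syslog timestamps carry none), and the `allowlist` argument standing in for the `linux_binary_launched_process_with_null_argv_filter` macro are assumptions.

```python
import re
from datetime import datetime

# Constructed sample syslog lines for this example (not real captures).
# The kernel lines follow the fs/exec.c warning format; the sshd and usb
# lines are ordinary noise the detection must ignore. The second web01
# line is placed after a reboot because the kernel emits this warning
# with pr_warn_once, i.e. at most once per boot.
SAMPLE_SYSLOG = """\
Mar  4 10:12:01 web01 kernel: [ 1234.567890] process 'poc' launched '/usr/bin/pkexec' with NULL argv: empty string added
Mar  4 10:15:33 db02 kernel: [  987.654321] process 'a.out' launched '/bin/sh' with NULL argv: empty string added
Mar  4 10:16:00 db02 sshd[2211]: Accepted publickey for ops from 10.0.0.5 port 51234 ssh2
Mar  4 10:16:45 db02 kernel: [ 1059.000000] usb 1-1: new high-speed USB device number 3 using xhci_hcd
Mar  4 11:40:19 web01 kernel: [   12.345678] process 'poc' launched '/usr/bin/pkexec' with NULL argv: empty string added
"""

# Assumed RFC 3164 style prefix: "<Mon> <day> <HH:MM:SS> <host> kernel: "
SYSLOG_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) kernel: "
)
# Same capture groups as the rex in the Splunk search.
NULL_ARGV_RE = re.compile(
    r"process '(?P<launching_process>[^']+)' launched "
    r"'(?P<launched_process>[^']+)' with NULL argv"
)


def parse_event(line, year=2024):
    """Return a dict for a NULL-argv kernel warning, or None for any other line."""
    # Mirror the search's keyword pre-filter before running the regexes.
    if "NULL argv" not in line or "empty string added" not in line:
        return None
    head = SYSLOG_RE.match(line)
    body = NULL_ARGV_RE.search(line)
    if not head or not body:
        return None
    # Syslog timestamps carry no year; the caller supplies one (assumption).
    ts = datetime.strptime(f"{year} {head.group('ts')}", "%Y %b %d %H:%M:%S")
    return {"_time": ts, "host": head.group("host"), "_raw": line, **body.groupdict()}


def detect_null_argv(log_text, year=2024, allowlist=()):
    """Aggregate events by (host, launching_process, launched_process).

    `allowlist` stands in for the search's trailing filter macro: pairs of
    (launching_process, launched_process) dropped as known-benign (assumed).
    """
    groups = {}
    for line in log_text.splitlines():
        ev = parse_event(line, year)
        if ev is None:
            continue
        if (ev["launching_process"], ev["launched_process"]) in allowlist:
            continue
        key = (ev["host"], ev["launching_process"], ev["launched_process"])
        g = groups.get(key)
        if g is None:
            g = groups[key] = {
                "dest": ev["host"],
                "launching_process": ev["launching_process"],
                "launched_process": ev["launched_process"],
                "firstTime": ev["_time"],   # min(_time)
                "lastTime": ev["_time"],    # max(_time)
                "occurrences": 0,           # count
                "message": [],              # values(_raw): distinct raw lines
            }
        g["occurrences"] += 1
        g["firstTime"] = min(g["firstTime"], ev["_time"])
        g["lastTime"] = max(g["lastTime"], ev["_time"])
        if ev["_raw"] not in g["message"]:
            g["message"].append(ev["_raw"])
    return sorted(groups.values(), key=lambda g: (g["dest"], g["launching_process"]))


if __name__ == "__main__":
    for row in detect_null_argv(SAMPLE_SYSLOG):
        print(f"{row['dest']}: '{row['launching_process']}' -> '{row['launched_process']}' "
              f"x{row['occurrences']} ({row['firstTime']:%H:%M:%S} .. {row['lastTime']:%H:%M:%S})")
```

Running it yields two rows: db02 with 'a.out' launching /bin/sh once, and web01 with 'poc' launching /usr/bin/pkexec twice across the two boots. Because the warning is once-per-boot, an allowlist entry that suppresses a (launching, launched) pair also hides any later exploit on that host until reboot, so keep the filter macro narrow.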