LoFP / legitimate false positives are rare, but can occur when custom or poorly written setuid binaries, PAM modules, or login frameworks invoke shells programmatically without constructing a proper argv array. However, mainstream setuid binaries like su, sudo, and pkexec on modern Linux distributions always pass arguments, so any hit involving those specific processes should be treated as high confidence.

Techniques

Sample rules

Linux Binary Launched Process with Null Argv

Description

The following analytic detects kernel-level events where a setuid binary launches a shell or interpreter with a NULL argument vector, which occurs when a privilege escalation exploit gains root and executes a process via execve() without constructing a legitimate argument array.

Detection logic

sourcetype="linux_messages_syslog" "NULL argv" "empty string added"

| rex field=_raw "process '(?<launching_process>[^']+)' launched '(?<launched_process>[^']+)' with NULL argv"

| where isnotnull(launching_process) AND isnotnull(launched_process)

| stats
    count                        AS occurrences,
    min(_time)                   AS firstTime,
    max(_time)                   AS lastTime,
    values(_raw)                 AS message,
    values(host)                 AS dest
    by host, launching_process, launched_process

| `security_content_ctime(firstTime)`

| `security_content_ctime(lastTime)`

| table dest, launching_process, launched_process,
        firstTime, lastTime, occurrences, message

| `linux_binary_launched_process_with_null_argv_filter`
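The search above runs inside Splunk; the following is an added, stand-alone Python equivalent (not part of the original rule or the security_content project) that applies the same regex to raw syslog lines, aggregates hits the way the stats clause does, and tags each result with the confidence level the LoFP note describes. The kernel message it matches is the real text emitted by fs/exec.c; everything else (host names, timestamps, the "custom-pam" launcher and the noise lines) is constructed sample data. One caveat worth knowing when tuning the rule: the kernel emits this line with pr_warn_once, so a given host logs it only for the first NULL-argv execve after boot, and the occurrences column will normally read 1 unless syslog forwarding duplicates the line.

```python
import re
from collections import defaultdict
from datetime import datetime

# Same pattern as the rex in the detection logic; the kernel formats this as
# "process '<comm>' launched '<filename>' with NULL argv: empty string added".
NULL_ARGV_RE = re.compile(
    r"process '(?P<launching_process>[^']+)' launched "
    r"'(?P<launched_process>[^']+)' with NULL argv"
)

# Classic BSD syslog prefix: "Mon DD HH:MM:SS host rest-of-message".
SYSLOG_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d\d:\d\d:\d\d) (?P<host>\S+) (?P<rest>.*)$"
)

# Per the LoFP note: these setuid binaries always build an argv, so a hit
# naming one of them is high confidence rather than a likely false positive.
HIGH_CONFIDENCE_LAUNCHERS = {"su", "sudo", "pkexec"}

# Constructed sample input (hosts, times and the custom-pam launcher are made up).
SAMPLE_LOG = """\
Jan 14 09:12:01 web01 kernel: [12345.678901] process 'pkexec' launched '/bin/sh' with NULL argv: empty string added
Jan 14 09:15:44 build02 kernel: [98765.432100] process 'custom-pam' launched '/bin/bash' with NULL argv: empty string added
Jan 14 09:16:00 build02 sshd[2201]: Accepted publickey for deploy from 10.0.0.5 port 51122
Jan 14 09:16:30 db03 kernel: [55555.000000] audit: type=1400 apparmor="STATUS" operation="profile_load"
Jan 14 09:17:10 db03 kernel: [55556.000000] process 'su' launched '/bin/bash' with NULL argv: empty string added
"""


def parse_line(line, year=2024):
    """Return (timestamp, host, launching_process, launched_process) for a
    NULL-argv kernel line, or None for anything else.  Syslog lines carry no
    year, so the caller supplies one (assumption: all lines are from that year)."""
    m = SYSLOG_RE.match(line)
    if not m:
        return None
    rest = m["rest"]
    # Mirror the literal pre-filter of the SPL search before applying the regex.
    if "NULL argv" not in rest or "empty string added" not in rest:
        return None
    hit = NULL_ARGV_RE.search(rest)
    if not hit:
        return None
    ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
    return ts, m["host"], hit["launching_process"], hit["launched_process"]


def detect_null_argv(log_text):
    """Group hits by (host, launching_process, launched_process) like the
    stats clause and emit one row per group with first/last time, a count,
    the raw messages, and a confidence label derived from the LoFP note."""
    groups = defaultdict(list)
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if parsed is None:
            continue
        ts, host, launching, launched = parsed
        groups[(host, launching, launched)].append((ts, line))

    rows = []
    for (host, launching, launched), hits in sorted(groups.items()):
        times = [t for t, _ in hits]
        rows.append({
            "dest": host,
            "launching_process": launching,
            "launched_process": launched,
            "firstTime": min(times).isoformat(),
            "lastTime": max(times).isoformat(),
            "occurrences": len(hits),
            "message": sorted({raw for _, raw in hits}),
            "confidence": "high" if launching in HIGH_CONFIDENCE_LAUNCHERS else "review",
        })
    return rows


if __name__ == "__main__":
    for row in detect_null_argv(SAMPLE_LOG):
        print(f"{row['dest']:8} {row['launching_process']:12} -> "
              f"{row['launched_process']:10} x{row['occurrences']} [{row['confidence']}]")
```

Rows tagged "review" are the ones to triage against the LoFP note (custom setuid helpers or PAM code that exec a shell with an empty argv); rows tagged "high" name a launcher that never does this legitimately.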