LoFP

Some break-glass workflows or automation may legitimately invoke sudo/su from scripts under user home directories. Validate the initiating user, parent context, and change approvals; tune by known admin tooling paths or accounts.

Techniques

Sample rules

Suspicious SUID Binary Execution (Auditd Sequence)

Description

Detects suspicious sequences where a non-root user launches a high-risk parent process (interpreter, shell one-liner, or execution from user-writable paths) and then quickly executes a common privilege elevation helper (su, sudo, pkexec, passwd, chsh, newgrp) that gains an effective UID of 0 while the real UID remains non-root. This can indicate misuse of SUID/SGID helpers, polkit/sudo abuse, or interactive privilege escalation attempts captured via Auditd Manager telemetry.

Detection logic

sequence by host.id with maxspan=30s
  [process where host.os.type == "linux" and event.type == "start" and
   event.action == "executed" and
   user.id != "0" and user.effective.id != "0" and
   (
     process.name like ("python*", "perl*", "ruby*", "php*", "lua*", ".*") or
     process.name in ("node", "bun", "java") or
     process.executable like ("/tmp/*", "/var/tmp/*", "/dev/shm/*", "/run/user/*", "/var/run/user/*", "/home/*/*") or
     (
       process.name in ("bash", "dash", "sh", "tcsh", "csh", "zsh", "ksh", "fish", "mksh") and
       process.args in ("-c", "--command", "-ic", "-ci", "-cl", "-lc")
     )
   )
  ] by process.pid

  [process where host.os.type == "linux" and event.type == "start" and
   event.action == "executed" and
   user.effective.id == "0" and user.id != "0" and
   (
     (process.name in ("sudo", "pkexec") and
      not process.args like "-*" and
      not process.args : ("/usr/*", "/bin/*", "/sbin/*", "/opt/*")) or
     (process.name == "su" and
      not process.args in ("--command", "-c", "--shell", "-s")) or
     (process.name in ("passwd", "chsh", "newgrp") and
      not process.args in ("--shell", "-s", "--help"))
   )
  ] by process.parent.pid
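The two-stage sequence above, re-implemented as a small Python evaluator and run over constructed process-start events, so that the join key (process.pid to process.parent.pid), the 30-second maxspan and each stage-2 exclusion can be exercised offline. This is an added example, not code from the rule's author or from LoFP; the mk() helper, the flattened ECS-style dotted field names and the sample events are assumptions, and the sequence semantics are simplified (one pending stage-1 candidate per host/pid, consumed when it matches).

```python
import fnmatch
from datetime import datetime, timedelta, timezone

# Globs and sets lifted from the EQL rule above. EQL "like" is a case-sensitive
# glob whose "*" also crosses "/", which fnmatchcase reproduces.
INTERPRETER_GLOBS = ("python*", "perl*", "ruby*", "php*", "lua*", ".*")
RUNTIME_NAMES = {"node", "bun", "java"}
WRITABLE_GLOBS = ("/tmp/*", "/var/tmp/*", "/dev/shm/*", "/run/user/*", "/var/run/user/*", "/home/*/*")
SHELLS = {"bash", "dash", "sh", "tcsh", "csh", "zsh", "ksh", "fish", "mksh"}
SHELL_CMD_FLAGS = {"-c", "--command", "-ic", "-ci", "-cl", "-lc"}
SYSTEM_PATH_GLOBS = ("/usr/*", "/bin/*", "/sbin/*", "/opt/*")


def _glob(value, globs):
    return any(fnmatch.fnmatchcase(value, g) for g in globs)


def _base_filter(ev):
    return ev["host.os.type"] == "linux" and ev["event.type"] == "start" and ev["event.action"] == "executed"


def is_risky_parent(ev):
    """Stage 1: a non-root process that is an interpreter, a runtime, a binary in a
    user-writable path, or a shell invoked with a command-string flag."""
    if not _base_filter(ev) or ev["user.id"] == "0" or ev["user.effective.id"] == "0":
        return False
    name, exe, args = ev["process.name"], ev["process.executable"], ev["process.args"]
    return (_glob(name, INTERPRETER_GLOBS) or name in RUNTIME_NAMES or _glob(exe, WRITABLE_GLOBS)
            or (name in SHELLS and any(a in SHELL_CMD_FLAGS for a in args)))


def is_priv_helper(ev):
    """Stage 2: euid 0 with a non-root real uid via one of the listed helpers,
    minus the argument shapes the rule excludes as routine administration."""
    if not _base_filter(ev) or ev["user.effective.id"] != "0" or ev["user.id"] == "0":
        return False
    name, args = ev["process.name"], ev["process.args"]
    if name in ("sudo", "pkexec"):
        # 'process.args like "-*"' hits any argv element starting with "-";
        # 'process.args : (...)' is case-insensitive, hence the lower().
        return (not any(a.startswith("-") for a in args)
                and not any(_glob(a.lower(), SYSTEM_PATH_GLOBS) for a in args))
    if name == "su":
        return not any(a in ("--command", "-c", "--shell", "-s") for a in args)
    if name in ("passwd", "chsh", "newgrp"):
        return not any(a in ("--shell", "-s", "--help") for a in args)
    return False


def find_sequences(events, maxspan=timedelta(seconds=30)):
    """Join a stage-1 event (keyed by host.id + process.pid) to a later stage-2 event
    whose process.parent.pid equals that pid, within maxspan. Simplified EQL
    semantics: one pending candidate per key, consumed when it matches."""
    pending, hits = {}, []
    for ev in sorted(events, key=lambda e: e["@timestamp"]):
        if is_priv_helper(ev):
            key = (ev["host.id"], ev["process.parent.pid"])
            parent = pending.get(key)
            if parent is not None and timedelta(0) <= ev["@timestamp"] - parent["@timestamp"] <= maxspan:
                hits.append((parent, ev))
                del pending[key]
        if is_risky_parent(ev):
            pending[(ev["host.id"], ev["process.pid"])] = ev
    return hits


T0 = datetime(2024, 1, 1, 12, 0, tzinfo=timezone.utc)


def mk(secs, name, exe, args, pid, ppid, uid, euid, host="web-01"):
    """Constructed ECS-style event with flattened dotted keys (an assumption, not real telemetry)."""
    return {"@timestamp": T0 + timedelta(seconds=secs), "host.id": host, "host.os.type": "linux",
            "event.type": "start", "event.action": "executed",
            "process.name": name, "process.executable": exe, "process.args": args,
            "process.pid": pid, "process.parent.pid": ppid, "user.id": uid, "user.effective.id": euid}


SAMPLE_EVENTS = [  # constructed sample telemetry, not captured from a real host
    # shell one-liner by uid 1000, then sudo with a bare command 5s later -> alert
    mk(0, "bash", "/usr/bin/bash", ["bash", "-c", "id; sudo bash"], 4242, 4000, "1000", "1000"),
    mk(5, "sudo", "/usr/bin/sudo", ["sudo", "bash"], 4300, 4242, "1000", "0"),
    # script under $HOME, then sudo with an absolute /usr path -> stage-2 exclusion, no alert
    mk(10, "deploy.sh", "/home/alice/bin/deploy.sh", ["/home/alice/bin/deploy.sh"], 5000, 4900, "1000", "1000"),
    mk(12, "sudo", "/usr/bin/sudo", ["sudo", "/usr/bin/systemctl", "restart", "nginx"], 5001, 5000, "1000", "0"),
    # interpreter already running as root -> stage 1 requires a non-root user, no alert
    mk(20, "python3", "/usr/bin/python3", ["python3", "tool.py"], 6000, 5900, "0", "0"),
    mk(21, "su", "/usr/bin/su", ["su"], 6001, 6000, "0", "0"),
    # perl one-liner, then pkexec 45s later -> outside maxspan, no alert
    mk(30, "perl", "/usr/bin/perl", ["perl", "-e", "system('pkexec sh')"], 7000, 6900, "1001", "1001"),
    mk(75, "pkexec", "/usr/bin/pkexec", ["pkexec", "sh"], 7001, 7000, "1001", "0"),
]

if __name__ == "__main__":
    for parent, child in find_sequences(SAMPLE_EVENTS):
        delta = (child["@timestamp"] - parent["@timestamp"]).seconds
        print(f"{parent['host.id']}: uid={child['user.id']} {' '.join(parent['process.args'])!r} "
              f"-> {' '.join(child['process.args'])!r} (+{delta}s)")
```

Only the first pair fires; the other three pairs document why the rule stays quiet (absolute-path sudo, root-owned parent, and a child that arrives after the 30-second window). When tuning for the break-glass case noted at the top of the page, the natural place is an extra exclusion in is_priv_helper keyed on the approved tooling path or account rather than a wider change to stage 1.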