security-tools/sigma-rules
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

[Rule Tuning] Privilege Escalation via SUID/SGID (#6017)

Browse Source 
Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com>
This commit is contained in:
Ruben Groenewoud
2026-05-01 10:08:46 +02:00
committed by GitHub
parent eb32e7a242
commit 8dc3fef270
1 changed files with 3 additions and 2 deletions
Download Patch File Download Diff File Expand all files Collapse all files
rules/linux/privilege_escalation_potential_suid_sgid_exploitation.toml
+3 -2
View File
@@ -2,7 +2,7 @@
creation_date = "2024/06/17"
integration = ["endpoint"]
maturity = "production"
updated_date = "2026/03/24"
updated_date = "2026/04/30"
[rule]
author = ["Elastic"]
@@ -126,7 +126,8 @@ process where host.os.type == "linux" and event.type == "start" and event.action
) or
(process.name == "ip" and ((process.args == "-force" and process.args in ("-batch", "-b")) or (process.args == "exec"))) or
(process.name == "find" and process.args in ("-exec", "-execdir")) or
(process.name in ("bash", "csh", "dash") and process.args in ("-p", "-b"))
(process.name in ("bash", "csh", "dash") and process.args in ("-p", "-b")) or
(process.name in ("su", "sudo", "pkexec") and process.args_count == 1)
) and not (
process.parent.name == "spine" or
process.parent.executable in (