sigma-rules

security-tools/sigma-rules

Fork 0

Commit Graph

Author	SHA1	Message	Date
Samirbous	f0467c8bed	[New] Suspicious SUID Binary Execution (#6018 ) * [New] Suspicious SUDI Binary Execution Detects execution of common privilege elevation helpers (su, sudo, pkexec, passwd, chsh, newgrp) under the root effective user when the real user and parent user are not root, combined with minimal argument counts and suspicious parent context (interpreters, short shell -c invocations, or parents running from user-writable paths) : * Update rules/linux/privilege_escalation_suspicious_sudi_binary_execution.toml Co-authored-by: Ruben Groenewoud <78494512+Aegrah@users.noreply.github.com> * Update rules/linux/privilege_escalation_suspicious_sudi_binary_execution.toml Co-authored-by: Ruben Groenewoud <78494512+Aegrah@users.noreply.github.com> * Update privilege_escalation_suspicious_sudi_binary_execution.toml * Update privilege_escalation_suspicious_sudi_binary_execution.toml * Rename privilege_escalation_suspicious_sudi_binary_execution.toml to privilege_escalation_suspicious_suid_binary_execution.toml * Update privilege_escalation_suspicious_suid_binary_execution.toml * Update privilege_escalation_suspicious_suid_binary_execution.toml --------- Co-authored-by: Ruben Groenewoud <78494512+Aegrah@users.noreply.github.com>	2026-04-30 17:38:22 +01:00

Author

SHA1

Message

Date

Samirbous

f0467c8bed

[New] Suspicious SUID Binary Execution (#6018 )

* [New] Suspicious SUDI Binary Execution

Detects execution of common privilege elevation helpers (su, sudo, pkexec, passwd, chsh, newgrp) under the root effective user when the real user and parent user are not root, combined with minimal argument counts and suspicious parent context (interpreters, short shell -c invocations, or parents running from user-writable paths) :

* Update rules/linux/privilege_escalation_suspicious_sudi_binary_execution.toml

Co-authored-by: Ruben Groenewoud <78494512+Aegrah@users.noreply.github.com>

* Update rules/linux/privilege_escalation_suspicious_sudi_binary_execution.toml

Co-authored-by: Ruben Groenewoud <78494512+Aegrah@users.noreply.github.com>

* Update privilege_escalation_suspicious_sudi_binary_execution.toml

* Update privilege_escalation_suspicious_sudi_binary_execution.toml

* Rename privilege_escalation_suspicious_sudi_binary_execution.toml to privilege_escalation_suspicious_suid_binary_execution.toml

* Update privilege_escalation_suspicious_suid_binary_execution.toml

* Update privilege_escalation_suspicious_suid_binary_execution.toml

---------

Co-authored-by: Ruben Groenewoud <78494512+Aegrah@users.noreply.github.com>

2026-04-30 17:38:22 +01:00

1 Commits