← Back to Explore
elastichighTTP
Suspicious SUID Binary Execution
Detects execution of SUID binaries that may be used for privilege escalation under the root effective user when the real user and parent user are not root, combined with minimal argument counts and suspicious parent context (interpreters, short shell -c invocations, or parents running from user-writable paths) to indicate potential misuse of SUID binaries for privilege escalation.
Detection Query
process where host.os.type == "linux" and event.type == "start" and event.action == "exec" and (
(process.user.id == "0" and process.real_user.id != "0" and process.parent.user.id != "0") or
(process.group.id == "0" and process.real_group.id != "0" and process.parent.group.id != "0")
) and
(
(process.name in ("su", "passwd", "unix_chkpwd") and process.args_count <= 2) or
(
process.name in ("sudo", "pkexec", "fusermount", "fusermount3", "mount", "umount", "newgrp", "chsh") and
process.args_count == 1
) or
process.name in (
"sudoedit", "gpasswd", "chfn", "polkit-agent-helper-1", "dbus-daemon-launch-helper", "ssh-keysign",
"pam_extrausers_chkpwd", "expiry", "chage", "crontab", "wall", "bsd-write", "ssh-agent", "ping",
"ping6", "traceroute", "mtr", "ntfs-3g", "Xorg.wrap", "chrome-sandbox", "bwrap"
)
) and
(
process.parent.name like (".*", "python*", "perl*", "ruby*", "lua*", "php*", "node", "deno", "bun", "java") or
process.parent.executable like ("./*", "/tmp/*", "/var/tmp/*", "/dev/shm/*", "/run/user/*", "/var/run/user/*", "/home/*/*") or
(
process.parent.name in ("bash", "dash", "sh", "tcsh", "csh", "zsh", "ksh", "fish", "mksh") and
process.parent.args in ("-c", "-cl", "-lc", "--command", "-ic", "-ci", "-bash", "-sh", "-zsh", "-dash", "-fish", "-ksh", "-mksh") and
process.parent.args_count <= 4
)
)
Author
Elastic
Created
2026/04/30
Data Sources
Elastic Defendlogs-endpoint.events.process*
Tags
Data Source: Elastic DefendDomain: EndpointOS: LinuxUse Case: Threat DetectionTactic: Privilege EscalationResources: Investigation Guide
Raw Content
[metadata]
creation_date = "2026/04/30"
integration = ["endpoint"]
maturity = "production"
updated_date = "2026/05/18"
[rule]
author = ["Elastic"]
description = """
Detects execution of SUID binaries that may be used for privilege escalation under the root effective user
when the real user and parent user are not root, combined with minimal argument counts and suspicious parent
context (interpreters, short shell -c invocations, or parents running from user-writable paths) to indicate
potential misuse of SUID binaries for privilege escalation.
"""
false_positives = [
"""
Some automation or break-glass tooling may invoke SUID binaries from scripts under /home; validate parent identity and
change tickets before escalating.
""",
]
from = "now-6m"
index = ["logs-endpoint.events.process*"]
language = "eql"
license = "Elastic License v2"
name = "Suspicious SUID Binary Execution"
note = """## Triage and analysis
### Investigating Suspicious SUID Binary Execution
Confirm whether the non-root real user should be invoking SUID binaries as root. Review the parent process tree, script path, and any preceding download or decode activity.
### Possible investigation steps
- Inspect `process.parent.command_line` and working directory for obfuscation or one-liners.
- Check authentication and sudoers policy for the user.
- Pivot on the host for additional privilege escalation or persistence in the same session.
### Response and remediation
- If unauthorized, contain the session, revoke elevated access, and review sudoers and polkit policy for tampering.
"""
references = [
"https://attack.mitre.org/techniques/T1548/",
]
risk_score = 73
rule_id = "e7856173-6489-449f-80ec-c1f5fcd7b87c"
severity = "high"
tags = [
"Data Source: Elastic Defend",
"Domain: Endpoint",
"OS: Linux",
"Use Case: Threat Detection",
"Tactic: Privilege Escalation",
"Resources: Investigation Guide",
]
timestamp_override = "event.ingested"
type = "eql"
query = '''
process where host.os.type == "linux" and event.type == "start" and event.action == "exec" and (
(process.user.id == "0" and process.real_user.id != "0" and process.parent.user.id != "0") or
(process.group.id == "0" and process.real_group.id != "0" and process.parent.group.id != "0")
) and
(
(process.name in ("su", "passwd", "unix_chkpwd") and process.args_count <= 2) or
(
process.name in ("sudo", "pkexec", "fusermount", "fusermount3", "mount", "umount", "newgrp", "chsh") and
process.args_count == 1
) or
process.name in (
"sudoedit", "gpasswd", "chfn", "polkit-agent-helper-1", "dbus-daemon-launch-helper", "ssh-keysign",
"pam_extrausers_chkpwd", "expiry", "chage", "crontab", "wall", "bsd-write", "ssh-agent", "ping",
"ping6", "traceroute", "mtr", "ntfs-3g", "Xorg.wrap", "chrome-sandbox", "bwrap"
)
) and
(
process.parent.name like (".*", "python*", "perl*", "ruby*", "lua*", "php*", "node", "deno", "bun", "java") or
process.parent.executable like ("./*", "/tmp/*", "/var/tmp/*", "/dev/shm/*", "/run/user/*", "/var/run/user/*", "/home/*/*") or
(
process.parent.name in ("bash", "dash", "sh", "tcsh", "csh", "zsh", "ksh", "fish", "mksh") and
process.parent.args in ("-c", "-cl", "-lc", "--command", "-ic", "-ci", "-bash", "-sh", "-zsh", "-dash", "-fish", "-ksh", "-mksh") and
process.parent.args_count <= 4
)
)
'''
[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1548"
name = "Abuse Elevation Control Mechanism"
reference = "https://attack.mitre.org/techniques/T1548/"
[[rule.threat.technique.subtechnique]]
id = "T1548.001"
name = "Setuid and Setgid"
reference = "https://attack.mitre.org/techniques/T1548/001/"
[[rule.threat.technique.subtechnique]]
id = "T1548.003"
name = "Sudo and Sudo Caching"
reference = "https://attack.mitre.org/techniques/T1548/003/"
[rule.threat.tactic]
id = "TA0004"
name = "Privilege Escalation"
reference = "https://attack.mitre.org/tactics/TA0004/"