Potential Privilege Escalation via unshare Followed by Root Process

Last updated: 2026-05-08
Created: 2026-05-08

About

Detects a short sequence in which a non-root user performs unshare-related namespace activity (the unshare syscall with user-namespace flags, or the unshare binary with user-namespace options, both common user namespace privilege escalation primitives) and a root (uid 0) process is then executed within 30 seconds under the same parent process on the same host. This can indicate a successful local privilege escalation attempt or suspicious namespace manipulation captured in Auditd Manager telemetry.
Tags
Data Source: Auditd Manager
Domain: Endpoint
OS: Linux
Use Case: Threat Detection
Tactic: Privilege Escalation
Language: eql
Severity
high
Risk Score
73
MITRE ATT&CK™

Privilege Escalation (TA0004)

False Positive Examples
Legitimate sandboxing, container tooling, or maintenance scripts may use unshare and spawn privileged helpers under controlled workflows. Baseline approved tools and tune by host role, parent process, or user accounts.
License
Elastic License v2

Definition

Rule Type
Event Correlation Rule
Integration Pack
Prebuilt Security Detection Rules
Index Patterns
auditbeat-*
logs-auditd_manager.auditd-*
Related Integrations

auditd_manager

Query
sequence by host.id, process.parent.pid with maxspan=30s
  [process where host.os.type == "linux" and
    (
      (auditd.data.syscall == "unshare" and auditd.data.class == "namespace" and
       auditd.data.a0 in ("10000000", "50000000", "70000000", "10020000", "50020000", "70020000")) or
      (process.name == "unshare" and
       (process.args in ("--user", "--map-root-user", "--map-current-user") or process.args like ("-*U*", "-*r*")))
    ) and
    user.id != "0" and user.id != null]
  [process where host.os.type == "linux" and user.id == "0" and user.id != null and
    (
      process.name in ("su", "sudo", "pkexec", "passwd", "chsh", "newgrp", "doas", "run0", "sg", "dash", "sh", "bash", "zsh",
                       "fish", "ksh", "csh", "tcsh", "ash", "mksh", "busybox", "rbash", "rzsh", "rksh", "tmux", "screen", "node") or
      process.name like ("python*", "perl*", "ruby*", "php*", "lua*")
    )]
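To show how the two-stage join above behaves on real-looking telemetry, here is an added Python re-implementation of the sequence run over constructed sample events; it is not Elastic's code, and the flat keys host, ppid, uid, os, name, args, syscall, class and a0 are simplified stand-ins for host.id, process.parent.pid, user.id, host.os.type, process.name, process.args and the auditd.data.* fields.

```python
import fnmatch
from collections import defaultdict

# Literal values from the rule's EQL query; a0 holds the unshare(2) flag word as hex.
UNSHARE_A0 = {"10000000", "50000000", "70000000", "10020000", "50020000", "70020000"}
UNSHARE_ARGS = {"--user", "--map-root-user", "--map-current-user"}
ROOT_NAMES = {"su", "sudo", "pkexec", "passwd", "chsh", "newgrp", "doas", "run0", "sg", "dash",
              "sh", "bash", "zsh", "fish", "ksh", "csh", "tcsh", "ash", "mksh", "busybox",
              "rbash", "rzsh", "rksh", "tmux", "screen", "node"}
ROOT_GLOBS = ("python*", "perl*", "ruby*", "php*", "lua*")
MAXSPAN = 30.0  # seconds, the sequence's maxspan

def is_unshare_event(e):
    # Stage 1: a non-root user issues unshare with user-namespace flags, or runs the unshare binary with -U/-r style options.
    if e.get("os") != "linux" or e.get("uid") in (None, "0"):
        return False
    if e.get("syscall") == "unshare" and e.get("class") == "namespace" and e.get("a0") in UNSHARE_A0:
        return True
    return e.get("name") == "unshare" and any(
        a in UNSHARE_ARGS or fnmatch.fnmatchcase(a, "-*U*") or fnmatch.fnmatchcase(a, "-*r*")
        for a in e.get("args", []))

def is_root_process_event(e):
    # Stage 2: a uid-0 shell, interpreter or privilege-related binary.
    if e.get("os") != "linux" or e.get("uid") != "0":
        return False
    name = e.get("name", "")
    return name in ROOT_NAMES or any(fnmatch.fnmatchcase(name, g) for g in ROOT_GLOBS)

def correlate(events):
    # Join stage 1 and stage 2 on (host.id, process.parent.pid) within MAXSPAN; each stage-1 event pairs at most once.
    pending, hits = defaultdict(list), []
    for e in sorted(events, key=lambda x: x["ts"]):
        key = (e["host"], e["ppid"])
        if is_unshare_event(e):
            pending[key].append(e)
        elif is_root_process_event(e):
            pending[key] = [f for f in pending[key] if e["ts"] - f["ts"] <= MAXSPAN]  # expire old stage-1 events
            if pending[key]:
                hits.append((pending[key].pop(0), e))
    return hits

SAMPLE_EVENTS = [  # constructed sample telemetry, not real auditd output
    {"ts": 100.0, "host": "h1", "ppid": 4242, "os": "linux", "uid": "1000", "name": "unshare", "args": ["unshare", "-Ur", "/bin/bash"]},
    {"ts": 105.0, "host": "h1", "ppid": 4242, "os": "linux", "uid": "0", "name": "bash", "args": ["/bin/bash"]},
    {"ts": 106.0, "host": "h1", "ppid": 9999, "os": "linux", "uid": "0", "name": "sudo", "args": ["sudo", "ls"]},  # other parent: no join
    {"ts": 200.0, "host": "h2", "ppid": 77, "os": "linux", "uid": "1001", "syscall": "unshare", "class": "namespace", "a0": "10000000"},
    {"ts": 240.0, "host": "h2", "ppid": 77, "os": "linux", "uid": "0", "name": "python3", "args": ["python3"]},  # 40 s later: outside maxspan
]
```

Running correlate(SAMPLE_EVENTS) yields exactly one pair (the h1 unshare -Ur followed by the root bash); the sudo under a different parent pid and the python3 arriving 40 s after the syscall-form unshare both fall outside the join, which is the behaviour to keep in mind when tuning by parent process for the false positives listed above.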

Install detection rules in Elastic Security

Detect Potential Privilege Escalation via unshare Followed by Root Process in the Elastic Security detection engine by installing this rule into your Elastic Stack.

To set up this rule, see the installation guide for Prebuilt Security Detection Rules.