Potential CVE-2025-32463 Sudo Chroot Execution Attempt

About

Tags

Domain: EndpointOS: LinuxUse Case: Threat DetectionTactic: Privilege EscalationData Source: Elastic DefendData Source: SentinelOneData Source: CrowdstrikeData Source: Elastic EndgameData Source: Auditd ManagerUse Case: VulnerabilityLanguage: eql

Severity

high

Risk Score

73

MITRE ATT&CK™

Privilege Escalation (TA0004)(opens in a new tab or window)

↳ Exploitation for Privilege Escalation (T1068)(opens in a new tab or window)

License

Elastic License v2(opens in a new tab or window)

Definition

Rule Type

Event Correlation Rule

Integration Pack

Prebuilt Security Detection Rules

Index Patterns

logs-endpoint.events.process*logs-sentinel_one_cloud_funnel.*endgame-*auditbeat-*logs-auditd_manager.auditd-*logs-crowdstrike.fdr*

Related Integrations

endpoint(opens in a new tab or window)

auditd_manager(opens in a new tab or window)

sentinel_one_cloud_funnel(opens in a new tab or window)

crowdstrike(opens in a new tab or window)

Query

process where host.os.type == "linux" and event.type == "start" and
event.action in ("exec", "exec_event", "start", "executed", "process_started", "ProcessRollup2") and
process.name == "sudo" and process.args like ("-R", "--chroot*") and
// To enforce the -R and --chroot arguments to be for sudo specifically, while wildcarding potential full sudo paths
process.command_line like ("*sudo -R*", "*sudo --chroot*")