Suspicious SUID Binary Execution (Auditd Sequence)

Last updated 4 days ago on 2026-05-08

Created 4 days ago on 2026-05-08

About

Detects suspicious sequences where a non-root user launches a high-risk parent process (interpreter, shell one-liner, or execution from user-writable paths) and then quickly executes a common privilege elevation helper (su, sudo, pkexec, passwd, chsh, newgrp) that gains an effective UID of 0 while the real UID remains non-root. This can indicate misuse of SUID/SGID helpers, polkit/sudo abuse, or interactive privilege escalation attempts captured via Auditd Manager telemetry.

Tags

Data Source: Auditd ManagerDomain: EndpointOS: LinuxUse Case: Threat DetectionTactic: Privilege EscalationLanguage: eql

Severity

medium

Risk Score

MITRE ATT&CK™

Privilege Escalation (TA0004)(external, opens in a new tab or window)

↳ Abuse Elevation Control Mechanism (T1548)(external, opens in a new tab or window)

False Positive Examples

Some break-glass workflows or automation may legitimately invoke sudo/su from scripts under user home directories. Validate the initiating user, parent context, and change approvals; tune by known admin tooling paths or accounts.

License

Elastic License v2(external, opens in a new tab or window)

Definition

Rule Type: Event Correlation Rule
Integration Pack: Prebuilt Security Detection Rules
Index Patterns: auditbeat-*logs-auditd_manager.auditd-*
Related Integrations: auditd_manager(external, opens in a new tab or window)
Query

✄𐘗text code block:
✄𐘗sequence by host.id with maxspan=30s
  [process where host.os.type == "linux" and event.type == "start" and
   event.action == "executed" and
   user.id != "0" and user.effective.id != "0" and
   (
     process.name like ("python*", "perl*", "ruby*", "php*", "lua*", ".*") or
     process.name in ("node", "bun", "java") or
     process.executable like ("/tmp/*", "/var/tmp/*", "/dev/shm/*", "/run/user/*", "/var/run/user/*", "/home/*/*") or
     (
       process.name in ("bash", "dash", "sh", "tcsh", "csh", "zsh", "ksh", "fish", "mksh") and
       process.args in ("-c", "--command", "-ic", "-ci", "-cl", "-lc")
     )
   )
  ] by process.pid

  [process where host.os.type == "linux" and event.type == "start" and
   event.action == "executed" and
   user.effective.id == "0" and user.id != "0" and
   (
     (process.name in ("sudo", "pkexec") and
      not process.args like "-*" and
      not process.args : ("/usr/*", "/bin/*", "/sbin/*", "/opt/*")) or
     (process.name == "su" and
      not process.args in ("--command", "-c", "--shell", "-s")) or
     (process.name in ("passwd", "chsh", "newgrp") and
      not process.args in ("--shell", "-s", "--help"))
   )
  ] by process.parent.pid

Install detection rules in Elastic Security

Detect Suspicious SUID Binary Execution (Auditd Sequence) in the Elastic Security detection engine by installing this rule into your Elastic Stack.

To setup this rule, check out the installation guide for Prebuilt Security Detection Rules(external, opens in a new tab or window).