Potential Root Effective Shell from Non-Standard Path via Auditd

Last updated 2 months ago on 2026-04-24
Created 2 months ago on 2026-04-24

About

Identifies process execution events where the effective user is root while the real user is not, the process arguments include the privileged shell flag commonly associated with setuid-capable shells, and the executable path is outside standard system binary directories. That combination is consistent with abuse of setuid shells or similar helpers copied or linked into writable locations, a pattern used to regain a root context after local exploitation.
Tags
Domain: Endpoint
OS: Linux
Use Case: Threat Detection
Tactic: Privilege Escalation
Data Source: Auditd Manager
Language: kuery
Severity
high
Risk Score
73
MITRE ATT&CK™

Privilege Escalation (TA0004)

False Positive Examples
Custom administrative wrappers or hardened images that legitimately ship a setuid shell outside /usr/bin or /bin for emergency access may match; document and exclude by executable hash or path when verified. Field mapping differences between auditd versions can occasionally mis-populate effective versus real user IDs; validate raw audit fields when triaging unexpected hits.
License
Elastic License v2

Definition

Rule Type
Query (Kibana Query Language)
Integration Pack
Prebuilt Security Detection Rules
Index Patterns
auditbeat-*
logs-auditd_manager.auditd-*
Related Integrations

auditd_manager

Query
host.os.type:linux and event.category:process and event.action:(exec or executed) and user.id:(* and not 0) and process.executable:(* and not (/bin/* or /nix/store/*/bin/sudo or /run/wrappers/wrappers*/sudo or /sbin/* or /usr/bin/* or /usr/sbin/*)) and user.effective.id:0 and process.args:-p
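The following is an added example, not Elastic's code or part of the rule itself. It re-implements the query's matching conditions in Python so an analyst can see exactly which fields drive a hit and can replay constructed ECS-style auditd events against it offline. It also applies the exclusion approach the false-positive note suggests (allowlisting a verified wrapper by executable path or hash); the allowlist values, the sample events and the `process.hash.sha256` placeholder are all constructed for illustration.

```python
"""Replay the KQL rule's conditions over constructed auditd events (added example).

Not Elastic's code. Field names follow ECS as used by the auditd_manager
integration; sample events, allowlist entries and hashes are constructed.
"""
import fnmatch

# Standard executable locations excluded by the rule (copied from the query).
STANDARD_EXECUTABLE_GLOBS = (
    "/bin/*",
    "/nix/store/*/bin/sudo",
    "/run/wrappers/wrappers*/sudo",
    "/sbin/*",
    "/usr/bin/*",
    "/usr/sbin/*",
)

# Hypothetical allowlist for a verified administrative wrapper (constructed).
# The page suggests excluding by path or hash once a wrapper has been verified.
ALLOWLIST_PATHS = frozenset({"/opt/corp/bin/emergency-shell"})
ALLOWLIST_HASHES = frozenset({"0" * 64})  # placeholder sha256, not a real value


def _get(event, dotted, default=None):
    """Walk a nested dict with an ECS dotted key such as 'user.effective.id'."""
    cur = event
    for part in dotted.split("."):
        if not isinstance(cur, dict) or part not in cur:
            return default
        cur = cur[part]
    return cur


def is_standard_path(executable):
    """True when the path sits under one of the rule's standard locations.
    fnmatch's '*' crosses '/' like the KQL wildcard does."""
    return any(fnmatch.fnmatchcase(executable, g) for g in STANDARD_EXECUTABLE_GLOBS)


def matches_rule(event):
    """Mirror the KQL query: real uid != 0, effective uid == 0, non-standard
    executable, and '-p' among the process arguments."""
    if _get(event, "host.os.type") != "linux":
        return False
    if _get(event, "event.category") != "process":
        return False
    if _get(event, "event.action") not in ("exec", "executed"):
        return False
    uid = _get(event, "user.id")
    if uid is None or str(uid) == "0":          # user.id:(* and not 0)
        return False
    if str(_get(event, "user.effective.id")) != "0":   # user.effective.id:0
        return False
    exe = _get(event, "process.executable")
    if not exe or is_standard_path(exe):
        return False
    args = _get(event, "process.args") or []
    return "-p" in args                          # process.args:-p


def triage(events):
    """Return (alerts, suppressed): rule hits split by the verified allowlist."""
    alerts, suppressed = [], []
    for ev in events:
        if not matches_rule(ev):
            continue
        exe = _get(ev, "process.executable")
        sha = _get(ev, "process.hash.sha256")
        if exe in ALLOWLIST_PATHS or sha in ALLOWLIST_HASHES:
            suppressed.append(ev)
        else:
            alerts.append(ev)
    return alerts, suppressed


def _event(exe, args, uid, euid, action="executed", sha=None):
    """Build a minimal constructed ECS event."""
    ev = {
        "host": {"os": {"type": "linux"}},
        "event": {"category": "process", "action": action},
        "user": {"id": str(uid), "effective": {"id": str(euid)}},
        "process": {"executable": exe, "args": args},
    }
    if sha:
        ev["process"]["hash"] = {"sha256": sha}
    return ev


# Constructed sample events: one true hit, one allowlisted wrapper, three misses.
SAMPLE_EVENTS = [
    _event("/tmp/.x/bash", ["/tmp/.x/bash", "-p"], 1000, 0),          # hit
    _event("/usr/bin/bash", ["bash", "-p"], 1000, 0),                  # standard path
    _event("/opt/corp/bin/emergency-shell", ["emergency-shell", "-p"],
           1000, 0, sha="0" * 64),                                     # allowlisted
    _event("/home/dev/sh", ["sh", "-p"], 0, 0),                        # real uid is root
    _event("/home/dev/sh", ["sh", "-c", "id"], 1000, 0),               # no -p flag
]

if __name__ == "__main__":
    hits, skipped = triage(SAMPLE_EVENTS)
    for ev in hits:
        print("ALERT    ", _get(ev, "process.executable"), _get(ev, "process.args"))
    for ev in skipped:
        print("SUPPRESS ", _get(ev, "process.executable"), "(allowlisted)")
```

When validating the rule on a live stack, compare each field the function reads against the raw audit record as the false-positive note recommends; a mis-populated `user.effective.id` or `user.id` changes the outcome of the second and third checks, which is where version-dependent mapping differences would surface.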

Install detection rules in Elastic Security

Detect Potential Root Effective Shell from Non-Standard Path via Auditd in the Elastic Security detection engine by installing this rule into your Elastic Stack.

To set up this rule, check out the installation guide for Prebuilt Security Detection Rules.