Elastic Security Detection Rules

Potential Sudo Privilege Escalation via CVE-2019-14287

Last updated 9 months ago on 2025-03-20
Created 2 years ago on 2023-08-30

About

This rule monitors for the execution of a suspicious sudo command that is leveraged in CVE-2019-14287 to escalate privileges to root. Sudo does not verify the presence of the designated user ID and proceeds to execute using a user ID that can be chosen arbitrarily. By using the sudo privileges, the command "sudo -u#-1" translates to an ID of 0, representing the root user. This exploit may work for sudo versions prior to v1.28.
Tags
Domain: EndpointOS: LinuxUse Case: Threat DetectionTactic: Privilege EscalationData Source: Elastic DefendUse Case: VulnerabilityData Source: Elastic EndgameData Source: Auditd ManagerData Source: CrowdstrikeData Source: SentinelOneLanguage: eql
Severity
medium
Risk Score
47
MITRE ATT&CK™

Privilege Escalation (TA0004)(external, opens in a new tab or window)

Exploitation for Privilege Escalation (T1068)(external, opens in a new tab or window)

License
Elastic License v2(external, opens in a new tab or window)

Definition

Rule Type
Event Correlation Rule
Integration Pack
Prebuilt Security Detection Rules
Index Patterns
auditbeat-*endgame-*logs-auditd_manager.auditd-*logs-crowdstrike.fdr*logs-endpoint.events.process*logs-sentinel_one_cloud_funnel.*
Related Integrations

endpoint(external, opens in a new tab or window)

auditd_manager(external, opens in a new tab or window)

crowdstrike(external, opens in a new tab or window)

sentinel_one_cloud_funnel(external, opens in a new tab or window)

Query
text code block:
process where host.os.type == "linux" and event.type == "start" and
  event.action in ("exec", "exec_event", "start", "ProcessRollup2", "executed", "process_started") and
  process.name == "sudo" and process.args == "-u#-1"

Install detection rules in Elastic Security

Detect Potential Sudo Privilege Escalation via CVE-2019-14287 in the Elastic Security detection engine by installing this rule into your Elastic Stack.

To setup this rule, check out the installation guide for Prebuilt Security Detection Rules(external, opens in a new tab or window).