Elastic Security Detection Rules

Potential Sudo Privilege Escalation via CVE-2019-14287

Last updated a month ago on 2025-03-20
Created 2 years ago on 2023-08-30

About

This rule monitors for the execution of a suspicious sudo command that is leveraged in CVE-2019-14287 to escalate privileges to root. Sudo does not verify the presence of the designated user ID and proceeds to execute using a user ID that can be chosen arbitrarily. By using the sudo privileges, the command "sudo -u#-1" translates to an ID of 0, representing the root user. This exploit may work for sudo versions prior to v1.28.
Tags
Domain: EndpointOS: LinuxUse Case: Threat DetectionTactic: Privilege EscalationData Source: Elastic DefendUse Case: VulnerabilityData Source: Elastic EndgameData Source: Auditd ManagerData Source: CrowdstrikeData Source: SentinelOneLanguage: eql
Severity
medium
Risk Score
47
MITRE ATT&CK™

Privilege Escalation (TA0004)(opens in a new tab or window)

Exploitation for Privilege Escalation (T1068)(opens in a new tab or window)

License
Elastic License v2(opens in a new tab or window)

Definition

Rule Type
Event Correlation Rule
Integration Pack
Prebuilt Security Detection Rules
Index Patterns
auditbeat-*endgame-*logs-auditd_manager.auditd-*logs-crowdstrike.fdr*logs-endpoint.events.process*logs-sentinel_one_cloud_funnel.*
Related Integrations

endpoint(opens in a new tab or window)

auditd_manager(opens in a new tab or window)

crowdstrike(opens in a new tab or window)

sentinel_one_cloud_funnel(opens in a new tab or window)

Query
process where host.os.type == "linux" and event.type == "start" and
  event.action in ("exec", "exec_event", "start", "ProcessRollup2", "executed", "process_started") and
  process.name == "sudo" and process.args == "-u#-1"

Install detection rules in Elastic Security

Detect Potential Sudo Privilege Escalation via CVE-2019-14287 in the Elastic Security detection engine by installing this rule into your Elastic Stack.

To setup this rule, check out the installation guide for Prebuilt Security Detection Rules(opens in a new tab or window).