Emerging Threathightest

PwnKit Local Privilege Escalation

Detects potential PwnKit exploitation CVE-2021-4034 in auth logs

Convert In Phoenix Studio

Open this Sigma rule in the converter with the YAML preloaded and ready for backend selection.

SreemanCreated Wed Jan 26Updated Wed Sep 110506a799-698b-43b4-85a1-ac4c84c720e92021

Emerging Threat

Active Threat

Developed to detect an active or emerging threat. Prioritize investigation of any alerts and correlate with threat intelligence.

Log Source

Linuxauth

ProductLinux← raw: linux

Serviceauth← raw: auth

Detection Logic

detection:
    keywords:
        '|all':
            - 'pkexec'
            - 'The value for environment variable XAUTHORITY contains suspicious content'
            - '[USER=root] [TTY=/dev/pts/0]'
    condition: keywords

False Positives

Unknown

False positive likelihood has not been assessed. Additional context may be needed during triage.

References

Resolving title…

twitter.com

MITRE ATT&CK

Tactics

TA0005 · Defense Evasion TA0004 · Privilege Escalation

Sub-techniques

T1548.001 · Setuid and Setgid

Other

detection.emerging-threatscve.2021-4034

Rule Metadata

Rule ID

0506a799-698b-43b4-85a1-ac4c84c720e9

Status

test

Level

high

Type

Emerging Threat

Created

Wed Jan 26

Modified

Wed Sep 11

Author

Sreeman

Path

rules-emerging-threats/2021/Exploits/CVE-2021-4034/lnx_auth_exploit_cve_2021_4034_pwnkit_lpe.yml

Raw Tags

attack.defense-evasionattack.privilege-escalationattack.t1548.001detection.emerging-threatscve.2021-4034

View on GitHub