Potential Exploitation of CVE-2025-5054 or CVE-2025-4598
Detects attempts by an attacker to enable core dumps for set-user-ID (SUID) processes by modifying the system file /proc/sys/fs/suid_dumpable, typically by setting its value to 1 or 2. Enabling this feature allows memory dumps (core dumps) of SUID processes, which usually run with elevated privileges; these dumps may contain sensitive information such as passwords, cryptographic keys or other secrets. CVE-2025-5054: information leak via core dumps from SUID binaries using apport. CVE-2025-4598: information disclosure in systemd-coredump due to insecure handling of SUID process memory dumps.
Developed to detect an active or emerging threat. Prioritize investigation of any alerts and correlate with threat intelligence.
Events generated when a new process is spawned on the system. Covers command-line arguments, parent/child relationships, and process metadata.
detection:
  selection_suid_dumpable_sysctl:
    Image|endswith:
      - '/sbin/sysctl'
      - '/bin/sysctl'
    CommandLine|contains: 'fs.suid_dumpable='
  selection_echo_proc_write:
    Image|endswith:
      - '/bin/bash'
      - '/bin/sh'
    CommandLine|contains:
      - 'echo 1 > /proc/sys/fs/suid_dumpable'
      - 'echo 2 > /proc/sys/fs/suid_dumpable'
      - 'echo 1 >/proc/sys/fs/suid_dumpable'
      - 'echo 2 >/proc/sys/fs/suid_dumpable'
      - 'echo 1> /proc/sys/fs/suid_dumpable'
      - 'echo 2> /proc/sys/fs/suid_dumpable'
      - 'echo 1>/proc/sys/fs/suid_dumpable'
      - 'echo 2>/proc/sys/fs/suid_dumpable'
  condition: 1 of selection_*
falsepositives:
  - System administrators enabling debugging temporarily
  - Legitimate crash diagnostic operations
  - Other
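To see how the two selections and the `1 of selection_*` condition behave before deploying the rule, the following added example (not part of the rule page or the Sigma project) re-implements the detection block in plain Python and runs it over constructed process-creation events. The event field names `Image` and `CommandLine` follow the rule; the sample events are made up for the test and are not real telemetry. Matching is case-insensitive, mirroring Sigma's default for string comparisons.

```python
"""Evaluate the suid_dumpable Sigma detection block over process-creation events.

Added example, not the rule page's own code. It models the two selections and
the '1 of selection_*' condition so the rule can be exercised offline.
"""

# Values copied from the rule's detection block.
SYSCTL_IMAGES = ("/sbin/sysctl", "/bin/sysctl")
SYSCTL_CMDLINE_CONTAINS = ("fs.suid_dumpable=",)
SHELL_IMAGES = ("/bin/bash", "/bin/sh")
ECHO_CMDLINE_CONTAINS = (
    "echo 1 > /proc/sys/fs/suid_dumpable",
    "echo 2 > /proc/sys/fs/suid_dumpable",
    "echo 1 >/proc/sys/fs/suid_dumpable",
    "echo 2 >/proc/sys/fs/suid_dumpable",
    "echo 1> /proc/sys/fs/suid_dumpable",
    "echo 2> /proc/sys/fs/suid_dumpable",
    "echo 1>/proc/sys/fs/suid_dumpable",
    "echo 2>/proc/sys/fs/suid_dumpable",
)


def _endswith_any(value, suffixes):
    # Sigma compares strings case-insensitively unless the 'cased' modifier is used.
    v = value.lower()
    return any(v.endswith(s.lower()) for s in suffixes)


def _contains_any(value, needles):
    v = value.lower()
    return any(n.lower() in v for n in needles)


def selection_suid_dumpable_sysctl(event):
    """Image|endswith sysctl paths AND CommandLine|contains 'fs.suid_dumpable='."""
    return (_endswith_any(event.get("Image", ""), SYSCTL_IMAGES)
            and _contains_any(event.get("CommandLine", ""), SYSCTL_CMDLINE_CONTAINS))


def selection_echo_proc_write(event):
    """Image|endswith shell paths AND CommandLine|contains one of the echo patterns."""
    return (_endswith_any(event.get("Image", ""), SHELL_IMAGES)
            and _contains_any(event.get("CommandLine", ""), ECHO_CMDLINE_CONTAINS))


SELECTIONS = {
    "selection_suid_dumpable_sysctl": selection_suid_dumpable_sysctl,
    "selection_echo_proc_write": selection_echo_proc_write,
}


def matched_selections(event):
    """Names of the selections this event satisfies."""
    return [name for name, check in SELECTIONS.items() if check(event)]


def matches(event):
    """condition: 1 of selection_* -> the rule fires if any selection matches."""
    return bool(matched_selections(event))


# Constructed sample events (not real logs). Note that event 4 resets the
# sysctl to 0 and still matches, because the rule keys on 'fs.suid_dumpable='
# regardless of the value written; that is a tuning point for the analyst.
SAMPLE_EVENTS = [
    {"Image": "/usr/sbin/sysctl", "CommandLine": "sysctl -w fs.suid_dumpable=2"},
    {"Image": "/bin/bash", "CommandLine": "bash -c 'echo 1 > /proc/sys/fs/suid_dumpable'"},
    {"Image": "/bin/sh", "CommandLine": "sh -c 'echo 2 >/proc/sys/fs/suid_dumpable'"},
    {"Image": "/sbin/sysctl", "CommandLine": "sysctl -w fs.suid_dumpable=0"},
    {"Image": "/sbin/sysctl", "CommandLine": "sysctl -w net.ipv4.ip_forward=1"},
    {"Image": "/bin/bash", "CommandLine": "bash -c 'cat /proc/sys/fs/suid_dumpable'"},
]


def run(events=SAMPLE_EVENTS):
    """Return (CommandLine, matched selection names) for every event that fires the rule."""
    return [(e["CommandLine"], matched_selections(e)) for e in events if matches(e)]


if __name__ == "__main__":
    for cmdline, names in run():
        print(f"ALERT {names}: {cmdline}")
```

Running the block prints four alerts for the six constructed events: the two sysctl invocations (including the one that writes 0), and the two shell `echo` redirections. Reading `/proc/sys/fs/suid_dumpable` with `cat` and changing an unrelated sysctl do not match, which is the behaviour the `falsepositives` entries about legitimate diagnostics refer to.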