Type: Detection | Level: low | Status: experimental

Linux Sudo Chroot Execution

Detects execution of 'sudo' with the '--chroot' option (or its short form '-R'), which changes the root directory for the command being run. Attackers may use this technique to evade detection and execute commands in a modified environment. It can also be part of a privilege escalation strategy, since it allows commands to run with elevated privileges inside an attacker-controlled directory tree, as seen in CVE-2025-32463. While investigating, look for unusual or unexpected use of 'sudo --chroot' together with other commands or scripts, such as execution from temporary directories or by unusual user accounts.

Author: Swachchhanda Shrawn Poudel (Nextron Systems)
Created: Thu Oct 02
Rule ID: f2bed782-994e-4f40-9cd5-518198cb3fba
Product: linux

Log Source
Product: Linux (raw: linux)
Category: Process Creation (raw: process_creation)

Events generated when a new process is spawned on the system. Covers command-line arguments, parent/child relationships, and process metadata.

Detection Logic (1 selector)
detection:
    selection:
        Image|endswith: '/sudo'
        CommandLine|contains:
            - ' --chroot '
            - 'sudo -R '
    condition: selection
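To see what the selection above actually fires on, here is an added example (not part of the rule or of the Sigma project) that transcribes the selection into plain Python and runs it over a handful of constructed process_creation events. Sigma string matching is case-insensitive, so both sides are lower-cased. The sample events and the `chroot_regex_matches` variant are assumptions made for illustration: sudo documents the option as `-R directory` and `--chroot=directory`, and the rule's `' --chroot '` needle (space on both sides) does not see the `--chroot=dir` spelling, so the regex variant shows one way to close that gap with a `CommandLine|re` modifier.

```python
import re

# Constructed sample process_creation events (not real logs); field names follow
# the Sigma process_creation schema the rule uses (Image, CommandLine, User).
SAMPLE_EVENTS = [
    {"Image": "/usr/bin/sudo", "CommandLine": "sudo -R /tmp/woot /bin/bash", "User": "dev"},
    {"Image": "/usr/bin/sudo", "CommandLine": "sudo --chroot /srv/build make install", "User": "builder"},
    {"Image": "/usr/bin/sudo", "CommandLine": "sudo --chroot=/tmp/x id", "User": "dev"},
    {"Image": "/usr/sbin/chroot", "CommandLine": "chroot /mnt/root /bin/sh", "User": "root"},
    {"Image": "/usr/bin/sudo", "CommandLine": "sudo apt-get update", "User": "admin"},
]

# The selection from the rule, transcribed verbatim.
IMAGE_ENDSWITH = "/sudo"
COMMANDLINE_CONTAINS = [" --chroot ", "sudo -R "]


def sigma_selection_matches(event):
    """Apply the rule's selection to one event.

    Sigma string comparisons are case-insensitive, so both sides are lower-cased.
    'endswith' and 'contains' map onto str.endswith and 'in'; the two CommandLine
    values are OR-ed, as a Sigma list value is.
    """
    image = str(event.get("Image", "")).lower()
    cmdline = str(event.get("CommandLine", "")).lower()
    if not image.endswith(IMAGE_ENDSWITH):
        return False
    return any(needle.lower() in cmdline for needle in COMMANDLINE_CONTAINS)


def matching_events(events):
    """Return the events the rule as written would fire on."""
    return [e for e in events if sigma_selection_matches(e)]


# Hypothetical stricter variant (assumption, not part of the rule): accept
# '-R dir', '-R/dir', '--chroot dir' and '--chroot=dir', and tolerate a bundled
# short option such as '-nR dir', which getopt-style parsing allows.
CHROOT_OPTION_RE = re.compile(r"(?:^|\s)(?:-[A-Za-z]*R|--chroot)(?:=|\s|/)")


def chroot_regex_matches(event):
    """Same Image constraint as the rule, but a regex over CommandLine."""
    image = str(event.get("Image", "")).lower()
    cmdline = str(event.get("CommandLine", ""))
    return image.endswith(IMAGE_ENDSWITH) and CHROOT_OPTION_RE.search(cmdline) is not None


def triage_summary(events):
    """Fields an analyst pivots on: who ran sudo with a chroot, and with what command line."""
    return [(e["User"], e["CommandLine"]) for e in events if chroot_regex_matches(e)]


if __name__ == "__main__":
    for e in SAMPLE_EVENTS:
        print(f"rule={sigma_selection_matches(e)!s:5} regex={chroot_regex_matches(e)!s:5} {e['CommandLine']}")
```

Run stand-alone, the script shows the first two events firing under the rule as written, the `--chroot=/tmp/x` event firing only under the regex variant, and the bare `chroot` binary and the plain `apt-get` run firing under neither. Whether to adopt the broader pattern is a tuning decision: it also raises the false-positive surface described in the next section.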
False Positives

Legitimate administrative tasks or scripts that use 'sudo --chroot' for containerization, testing, or system management.

Rule Metadata
Rule ID
f2bed782-994e-4f40-9cd5-518198cb3fba
Status
experimental
Level
low
Type
Detection
Created
Thu Oct 02
Path
rules/linux/process_creation/proc_creation_lnx_chroot_execution.yml
Raw Tags
attack.privilege-escalation, attack.t1068