Pwnkit privilege escalation attempt
What happened
{{ @process.comm }} was executed with the SHELL or PATH environment variables set, indicating possible exploitation of CVE-2021-4034 (PwnKit).
Goal
Detect exploitation of CVE-2021-4034, dubbed PwnKit.
Strategy
PwnKit is a local privilege escalation vulnerability originally found by Qualys. It affects PolicyKit's pkexec program, a SUID-root binary installed by default on many Linux distributions. The bug is an out-of-bounds read and write triggered when pkexec is invoked with an empty argument list (argc == 0), which lets an unprivileged caller inject a crafted environment (for example a GCONV_PATH entry) into the SUID process and obtain root. This detection triggers whenever pkexec is executed by a non-root process with the SHELL or PATH environment variables set.
Triage and response
- Determine the purpose of the process executing pkexec.
- Look for any suspicious actions or commands being executed after the pkexec execution, in particular child processes now running as root.
- If this behavior is unexpected, it could indicate a malicious actor has access to the host and is attempting to increase privileges for post-exploitation actions. Investigate application logs or APM data to look for indications of the initial compromise. Follow your organization's internal processes for investigating and remediating compromised systems.
- Update the PolicyKit package to its latest version to mitigate the vulnerability. If updating is not feasible, remove the SUID bit that is set by default on pkexec with the following command: sudo chmod -s $(which pkexec). Confirm afterwards with ls -l $(which pkexec) that the s bit is gone.
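The detection logic from the Strategy section, run over a handful of constructed process-exec events, together with the triage step of finding root processes spawned after the pkexec execution. This is an added example, not Datadog's rule or Agent code; the event fields (pid, ppid, uid, comm, args, envs) and the sample events are assumptions made for the example. It also goes slightly beyond the page's rule by flagging an empty argv, which is the hallmark of the public CVE-2021-4034 exploit.

```python
from dataclasses import dataclass


@dataclass
class ExecEvent:
    """One process-exec event. Field names are assumptions for this example,
    not the Agent's schema. envs holds environment variable names only."""
    ts: float
    pid: int
    ppid: int
    uid: int
    comm: str
    args: list
    envs: list


# Constructed sample events: an unprivileged shell, a PwnKit-style pkexec
# invocation with an empty argv, the resulting root shell and a follow-on
# command, and a legitimate pkexec run by root that must not alert.
EVENTS = [
    ExecEvent(1.0, 100, 50, 1000, "bash", ["bash"], ["PATH", "SHELL", "HOME"]),
    ExecEvent(2.0, 101, 100, 1000, "pkexec", [], ["PATH", "CHARSET", "SHELL"]),
    ExecEvent(2.1, 102, 101, 0, "sh", ["sh", "-i"], ["PATH"]),
    ExecEvent(2.2, 103, 102, 0, "cat", ["cat", "/etc/shadow"], ["PATH"]),
    ExecEvent(3.0, 104, 1, 0, "pkexec", ["pkexec", "ls"], ["PATH", "SHELL"]),
]


def matches_rule(e):
    """The page's rule: pkexec, executed by a non-root user, with SHELL or
    PATH present in the environment."""
    return e.comm == "pkexec" and e.uid != 0 and bool({"SHELL", "PATH"} & set(e.envs))


def indicators(e):
    """Human-readable reasons for an alert; the empty-argv check is an
    addition beyond the page's rule (argc == 0 is what the exploit needs)."""
    reasons = ["pkexec run by non-root uid %d" % e.uid]
    reasons.append("env contains " + ", ".join(sorted({"SHELL", "PATH"} & set(e.envs))))
    if not e.args:
        reasons.append("empty argv (argc == 0)")
    return reasons


def root_descendants(events, alert):
    """Triage helper: processes descended from the alerting pkexec that run
    as uid 0 after the alert, i.e. the post-exploitation activity to review."""
    lineage = {alert.pid}
    found = []
    for e in sorted(events, key=lambda ev: ev.ts):
        if e.ts > alert.ts and e.ppid in lineage:
            lineage.add(e.pid)
            if e.uid == 0:
                found.append(e)
    return found


def detect_pwnkit(events):
    """Return (alerts, followups): alerting events and, per alerting pid,
    the uid-0 descendants that a responder should look at next."""
    alerts = [e for e in events if matches_rule(e)]
    followups = {a.pid: root_descendants(events, a) for a in alerts}
    return alerts, followups


if __name__ == "__main__":
    alerts, followups = detect_pwnkit(EVENTS)
    for a in alerts:
        print("ALERT pid=%d: %s" % (a.pid, "; ".join(indicators(a))))
        for c in followups[a.pid]:
            print("  root child pid=%d comm=%s args=%s" % (c.pid, c.comm, c.args))
```

The root-run pkexec (pid 104) is ignored because the rule requires a non-root caller; the exploit-shaped event (pid 101) alerts and its root children (sh, then cat reading /etc/shadow) are surfaced for the second triage step.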
Requires Agent version 7.27 or greater