copyfail.exploit.json
{
"active": true,
"author": "Sandfly Security",
"comment": "",
"description": "Look for root processes that don't have a plausible way to have been elevated.",
"format": "4.0",
"max_cpu_load": 1,
"max_disk_load": 1,
"max_timeout": 360,
"name": "process_root_escalation_suspicious",
"options": {
"engines": [
"sandfly_engine_process"
],
"explanation": "The process name '{process.name}' with PID '{process.pid}' is running with root privileges (UID 0), but its parent process is not running as root and there is no obvious mechanism (no setuid-root binary for the process or its parent, and no CAP_SETUID in their permitted or effective capability sets) by which this process could have been elevated to root. This process may have been elevated to UID 0 by a malicious kernel module, an exploit such as the 2026 \"CopyFail\" vulnerability, or other non-standard means of gaining root access.",
"response": {
"process": {
"kill": false,
"suspend": false
}
},
"rule_op": "and",
"rules": [
"!containerized",
"process.parent_process.login_uid > 0 && process.parent_process.login_uid < 65535",
"process.parent_process.uid > 0",
"process.login_uid > 0 && process.login_uid < 65535",
"process.uid == 0",
"not( process.file.flags.suid_root || process.parent_process.file.flags.suid_root || 'CAP_SETUID' in process.capabilities.permitted || 'CAP_SETUID' in process.capabilities.effective || 'CAP_SETUID' in process.parent_process.capabilities.permitted || 'CAP_SETUID' in process.parent_process.capabilities.effective )"
]
},
"severity": 3,
"tags": [
"attack.id.T1068",
"attack.id.T1548.001",
"attack.tactic.privilege_escalation",
"process"
],
"type": "process",
"version": "2026-05-01T00:00:00Z",
"custom": true,
"date_added": "2026-05-01T21:57:05Z"
}