Linux Sudo Chroot Execution

Original Source: [Sigma source]
Title: Linux Sudo Chroot Execution
Status: experimental
Description: Detects execution of the 'sudo' command with the '--chroot' option (short form '-R'), which changes the root directory for the command being run. Attackers may use this technique to evade detection and execute commands in a modified environment. It can also be part of a privilege escalation strategy, since it allows commands to run with elevated privileges inside a controlled root, as seen in CVE-2025-32463. While investigating, look for unusual or unexpected use of 'sudo --chroot' in combination with other commands or scripts, such as execution from temporary directories or by unusual user accounts.
References:
  - https://github.com/kh4sh3i/CVE-2025-32463/blob/81bb430f84fa2089224733c3ed4bfa434c197ad4/exploit.sh
Author: Swachchhanda Shrawn Poudel (Nextron Systems)
Date: 2025-10-02
Modified: None
Tags:
  - attack.privilege-escalation
  - attack.t1068
Logsource:
  category: process_creation
  product: linux
Detection:
  selection:
    Image|endswith: '/sudo'
    CommandLine|contains:
      - ' --chroot '
      - 'sudo -R '

  condition: selection
Falsepositives:
  - Legitimate administrative tasks or scripts that use 'sudo --chroot' for containerization, testing, or system management.
Level: low
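To show what the selection above actually matches, the following is an added example (not part of the Sigma rule or the Nextron Systems project) that transcribes the rule's logic into Python and runs it over a handful of constructed process_creation events. The events, user names and paths are made up for illustration; the field names `Image` and `CommandLine` follow the Sigma process_creation logsource.

```python
"""Added example: evaluate the 'Linux Sudo Chroot Execution' selection over
constructed Linux process_creation events. Not code from the rule's authors."""

# The rule's selection block, transcribed as plain data.
# Sigma semantics: values listed under one field are OR-ed, and separate
# fields in the same selection are AND-ed. String matching in Sigma is
# case-insensitive by default, so the helpers below lowercase both sides.
IMAGE_SUFFIXES = ("/sudo",)
COMMANDLINE_PATTERNS = (" --chroot ", "sudo -R ")

# Constructed sample events (not real telemetry).
SAMPLE_EVENTS = [
    {"User": "www-data", "Image": "/usr/bin/sudo",
     "CommandLine": "sudo --chroot /tmp/stage /bin/sh"},
    {"User": "builder", "Image": "/usr/bin/sudo",
     "CommandLine": "sudo -R /srv/build apt-get update"},
    # sudo also accepts the '--chroot=DIR' spelling; note that ' --chroot '
    # with a trailing space does not cover it, so this event is a miss.
    {"User": "builder", "Image": "/usr/bin/sudo",
     "CommandLine": "sudo --chroot=/srv/build ls"},
    {"User": "admin", "Image": "/usr/bin/sudo",
     "CommandLine": "sudo systemctl restart nginx"},
    # Plain chroot(8) is a different binary and is out of scope for this rule.
    {"User": "root", "Image": "/usr/sbin/chroot",
     "CommandLine": "chroot /mnt/root /bin/bash"},
]


def image_matches(image: str) -> bool:
    """Image|endswith: '/sudo' (case-insensitive, as Sigma backends do)."""
    return any(image.lower().endswith(s.lower()) for s in IMAGE_SUFFIXES)


def commandline_matches(cmdline: str) -> bool:
    """CommandLine|contains: any of the listed substrings."""
    lowered = cmdline.lower()
    return any(p.lower() in lowered for p in COMMANDLINE_PATTERNS)


def matches_rule(event: dict) -> bool:
    """condition: selection  ->  both field checks must hold."""
    return image_matches(event.get("Image", "")) and \
        commandline_matches(event.get("CommandLine", ""))


def run_detection(events: list) -> list:
    """Return the subset of events that trigger the rule, with the fields an
    analyst would want first: who ran it and the full command line."""
    return [
        {"User": ev.get("User", "?"), "CommandLine": ev.get("CommandLine", "")}
        for ev in events
        if matches_rule(ev)
    ]


if __name__ == "__main__":
    for hit in run_detection(SAMPLE_EVENTS):
        print(f"[sudo-chroot] user={hit['User']} cmd={hit['CommandLine']!r}")
```

Running the script reports the first two constructed events and nothing else. The third event is the one worth noticing when tuning: sudo's `--chroot=DIR` spelling does not contain the literal `' --chroot '`, so an environment that wants to cover it would add that form to the `CommandLine|contains` list. The fourth and fifth events illustrate the rule's scope, a non-chroot sudo invocation and the separate `chroot` binary, both of which stay silent; the false positives listed above (build or test scripts that legitimately chroot) would instead show up as hits and need filtering by user, parent process or path.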