| ID | Technique | Tactic |
|---|---|---|
| T1068 | Exploitation for Privilege Escalation | Privilege Escalation |
Detection: Linux Binary Launched Process with Null Argv
Description
The following analytic detects kernel-level events where a setuid binary launches a shell or interpreter with a NULL argument vector, which occurs when a privilege escalation exploit gains root and executes a process via execve() without constructing a legitimate argument array.
Search
1sourcetype="linux_messages_syslog" "NULL argv" "empty string added"
2
3| rex field=_raw "process '(?<launching_process>[^']+)' launched '(?<launched_process>[^']+)' with NULL argv"
4
5| where isnotnull(launching_process) AND isnotnull(launched_process)
6
7| stats
8 count AS occurrences,
9 min(_time) AS firstTime,
10 max(_time) AS lastTime,
11 values(_raw) AS message,
12 values(host) AS dest
13 by host, launching_process, launched_process
14
15| `security_content_ctime(firstTime)`
16
17| `security_content_ctime(lastTime)`
18
19| table dest, launching_process, launched_process,
20 firstTime, lastTime, occurrences, message
21
22| `linux_binary_launched_process_with_null_argv_filter`
Data Source
| Name | Platform | Sourcetype | Source |
|---|---|---|---|
| Linux Messages Syslog |  Linux |
'linux_messages_syslog' |
'/var/log/kern' |
Macros Used
| Name | Value |
|---|---|
| security_content_ctime | convert timeformat="%Y-%m-%dT%H:%M:%S" ctime($field$) |
| linux_binary_launched_process_with_null_argv_filter | search * |
linux_binary_launched_process_with_null_argv_filter is an empty macro by default. It allows the user to filter out any results (false positives) without editing the SPL.
Annotations
MITRE ATT&CK
Kill Chain Phases
NIST
CIS
Threat Actors
Exploitation
DE.CM
CIS 10
CVE
Default Configuration
This detection is configured by default in Splunk Enterprise Security to run with the following settings:
| Setting | Value |
|---|---|
| Disabled | true |
| Cron Schedule | 0 * * * * |
| Earliest Time | -70m@m |
| Latest Time | -10m@m |
| Schedule Window | auto |
| Creates Finding (Notable) | Yes |
| Rule Title | %name% |
| Rule Description | %description% |
| Notable Event Fields | user, dest |
| Creates Intermediate Finding (Risk Event) | No |
TTP detections generate a Finding (Notable) and may generate Intermediate Findings (Risk Events) for associated entities.
Implementation
To successfully implement this search, you need to have relevant kernel logs ingested with the Splunk Add-On for Unix and Linux (https://splunkbase.splunk.com/app/833).
Known False Positives
Legitimate false positives are rare but can occur when custom or poorly written setuid binaries, PAM modules, or login frameworks invoke shells programmatically without constructing a proper argv array. However, mainstream setuid binaries like su, sudo, and pkexec on modern Linux distributions always pass arguments, so any hit involving those specific processes should be treated as high confidence.
Associated Analytic Story
Finding
| Title | Entity Field | Entity Type | Risk Score |
|---|---|---|---|
| Binary spawned process with NULL argv on $dest$ indicating possible privilege escalation. | dest | system | 50 |
References
Detection Testing
| Test Type | Status | Dataset | Source | Sourcetype |
|---|---|---|---|---|
| Validation | ✅ Passing | N/A | N/A | N/A |
| Unit | ✅ Passing | Dataset | /var/log/kern |
linux_messages_syslog |
| Integration | ✅ Passing | Dataset | /var/log/kern |
linux_messages_syslog |
Replay any dataset to Splunk Enterprise by using our replay.py tool or the UI.
Alternatively you can replay a dataset into a Splunk Attack Range
Source: GitHub | Version: 1