GitHub Repo

Detection: Linux Malformed Auth Entry

Updated Date: 2026-05-06 ID: 962602e9-08ae-47ff-af89-a1e83f461a26 Author: Raven Tait, Splunk Type: Anomaly Product: Splunk Enterprise Security

Description

The following analytic detects when su runs from a page-cache-corrupted binary. When this happens a partial corruption of its runtime state can prevent it from resolving the identity of the calling user. Under normal conditions, su logs both the target account and the invoking user. When exploitation has occurred via this path, the invoking username field is absent. This activity is significant because it indicates a possible privilege escalation attempt, allowing a user to gain root access. If confirmed malicious, an attacker could achieve full control over the system, execute arbitrary commands, and compromise the entire environment.

 1sourcetype=linux_secure process=su
 2
 3| rex "su:\s+\(to\s+(?<target_user>\S+)\)(?<source_user>\s{2,})on\s+(?<terminal>\S+)"
 4
 5| where len(ltrim(source_user)) == 0
 6
 7| stats
 8    count                        as total_attempts,
 9    min(_time)                   as firstTime,
10    max(_time)                   as lastTime,
11    values(target_user)          as target_users,
12    values(host)                 as dest
13    by process
14
15
16| `security_content_ctime(firstTime)`
17
18| `security_content_ctime(lastTime)`
19
20| `linux_malformed_auth_entry_filter`

Data Source

Name Platform Sourcetype Source
Linux Secure Linux icon Linux 'linux_secure' '/var/log/secure'

Macros Used

Name Value
security_content_ctime convert timeformat="%Y-%m-%dT%H:%M:%S" ctime($field$)
linux_malformed_auth_entry_filter search *
linux_malformed_auth_entry_filter is an empty macro by default. It allows the user to filter out any results (false positives) without editing the SPL.

Annotations

- MITRE ATT&CK
+ Kill Chain Phases
+ NIST
+ CIS
- Threat Actors
ID Technique Tactic
T1068 Exploitation for Privilege Escalation Privilege Escalation
Exploitation
DE.AE
CIS 10

CVE

Default Configuration

This detection is configured by default in Splunk Enterprise Security to run with the following settings:

Setting Value
Disabled true
Cron Schedule 0 * * * *
Earliest Time -70m@m
Latest Time -10m@m
Schedule Window auto
Creates Finding (Notable) No
Creates Intermediate Finding (Risk Event) Yes
Anomaly detections generate Intermediate Findings (Risk Events). They do not generate a Finding (Notable) directly.

Implementation

To successfully implement this search, you need to have relevant authentication logs ingested with the Splunk Add-On for Unix and Linux (https://splunkbase.splunk.com/app/833).

Known False Positives

No false positives have been identified at this time.

Associated Analytic Story

Intermediate Findings

Message Entity Field Entity Type Risk Score
Malformed authentication entry on $dest$ indicating possible privilege escalation. dest system 20

References

Detection Testing

Test Type Status Dataset Source Sourcetype
Validation Passing N/A N/A N/A
Unit Passing Dataset /var/log/secure linux_secure
Integration ✅ Passing Dataset /var/log/secure linux_secure

Replay any dataset to Splunk Enterprise by using our replay.py tool or the UI. Alternatively you can replay a dataset into a Splunk Attack Range

Source: GitHub | Version: 1