Articles

Detect Privilege Escalation Attempts with Falco (2026)

April 16, 2026 5 min read

Falco, the cloud-native runtime security tool, can detect privilege escalation attempts by monitoring system calls and correlating them with suspicious activity patterns.

Here’s Falco in action, detecting a common privilege escalation vector: a user trying to exploit a misconfigured SUID binary.

# Simulate a user trying to exploit a misconfigured SUID binary (e.g., /usr/bin/find)
# In a real scenario, this would be a malicious actor.
# Let's assume 'baduser' is a non-privileged user.
sudo -u baduser /usr/bin/find . -exec /bin/sh \; -quit

Falco, with the right rules, would generate an alert like this:

{
  "output": "Privilege escalation attempt: SUID binary execution by a non-privileged user (user=baduser, cmd=/usr/bin/find, target_cmd=/bin/sh)",
  "priority": "critical",
  "rule": "SUID Binary Privilege Escalation",
  "time": "2023-10-27T10:30:00Z",
  "source": "syscall",
  "fd.name": "/usr/bin/find",
  "proc.name": "find",
  "user.name": "baduser",
  "container.id": "abcdef123456",
  "container.name": "my-vulnerable-app",
  "k8s.pod.name": "vulnerable-app-pod-xyz",
  "k8s.namespace": "default"
}

This alert signifies that a non-privileged user (baduser) executed a SUID binary (/usr/bin/find) in a way that attempted to spawn a shell (/bin/sh), a classic privilege escalation technique.

The SUID Bit and Why It’s Dangerous

The SUID (Set User ID) bit on an executable file allows it to run with the permissions of the file’s owner, not the user executing it. If a SUID binary is owned by root and has a vulnerability that allows it to execute arbitrary commands (like find with -exec), a low-privileged user can leverage it to gain root access.

Falco Rules for SUID Exploitation

Falco’s power lies in its rule engine. Here’s a simplified rule that would catch the above scenario:

- rule: SUID Binary Privilege Escalation
  desc: "Detects attempts to exploit SUID binaries for privilege escalation by looking for suspicious child processes spawned from SUID binaries."
  condition: >
    (openat.flags contains O_EXEC) and
    (proc.is_suid) and
    (proc.name in ("find", "bash", "sh", "perl", "python", "awk", "ed", "cp", "mv", "rm")) and
    (user.name != proc.owner_user) and
    (container.runtime != "docker-shim") # Exclude known safe cases if applicable
  output: >
    Privilege escalation attempt: SUID binary execution by a non-privileged user
    (user=%user.name, cmd=%proc.name, target_cmd=%proc.cmdline)
  priority: critical
  tags:
    - privilege-escalation
    - container
    - host

Explanation:

  • openat.flags contains O_EXEC: This checks if a file is being opened for execution.
  • proc.is_suid: This is the critical part – it checks if the process being executed has the SUID bit set.
  • proc.name in (...): We’re looking for common binaries that are often misconfigured with SUID and can be exploited to spawn shells or other privileged processes. This list can be expanded.
  • user.name != proc.owner_user: This ensures that the user running the process is not the owner of the SUID binary (which would typically be root), indicating a potential unauthorized use.
  • container.runtime != "docker-shim": A common exclusion to avoid noisy alerts in certain container environments.

Beyond SUID: Other Privilege Escalation Vectors Falco Detects

Falco’s flexibility allows it to detect a wide range of privilege escalation techniques:

  1. Abusing sudo Configuration:

    • The Problem: A user can run specific commands as root via sudo. If a command allows arbitrary command execution (e.g., sudo vim, sudo less with :!command), it can be used for escalation.
    • Falco Rule Snippet:
      condition: >
  (evt.type = "execve" and proc.name = "sudo" and proc.cmdline contains "-i") or
  (evt.type = "execve" and proc.name = "sudo" and proc.cmdline contains "-s") or
  (evt.type = "execve" and proc.name = "sudo" and proc.cmdline contains "vim") and
  (user.name != "root")
    • Why it works: It flags sudo commands executed by non-root users that attempt to get an interactive shell (-i, -s) or execute a command known for arbitrary code execution (vim).

  2. Kernel Exploits (Less Common, but Detectable):

    • The Problem: Vulnerabilities in the Linux kernel itself can be exploited to gain root privileges. These often involve specific system calls or unusual process behavior.
    • Falco Rule Snippet:
      condition: >
  (evt.type = "ioctl" and proc.name = "exploit_binary") and
  (fd.name contains "/dev/kmem" or fd.name contains "/dev/mem")
    • Why it works: While specific kernel exploits vary, many interact with sensitive kernel devices (/dev/kmem, /dev/mem) or use unusual ioctl calls. Falco can flag these actions when performed by non-privileged processes. Note: This is highly generalized; specific rules are needed for known kernel exploits.

  3. Path Hijacking / Shared Library Injection:

    • The Problem: If a privileged process searches for executables or libraries in a user-writable directory, an attacker can place a malicious script or library there to be executed with higher privileges.
    • Falco Rule Snippet:
      condition: >
  (openat.flags contains O_EXEC) and
  (proc.name in ("some_privileged_app")) and
  (fd.directory in ("/tmp", "/var/tmp", "/dev/shm", "/home/writable_user"))
    • Why it works: It detects a known privileged application (some_privileged_app) executing a file from a directory that should not be in its PATH or that is user-writable.

  4. Exploiting Insecure File Permissions:

    • The Problem: Sensitive configuration files or scripts owned by root might be world-writable or group-writable by a less privileged group. An attacker could modify these to execute code with root privileges.
    • Falco Rule Snippet:
      condition: >
  (evt.type = "openat" and fd.name contains "/etc/important.conf") and
  (fd.flags contains O_WRONLY or fd.flags contains O_RDWR) and
  (user.name != "root") and
  (file.mode contains "w") # Checks if file is writable
    • Why it works: It flags any non-root user attempting to write to a critical configuration file.

  5. Cron Job Manipulation:

    • The Problem: If cron job directories or files are writable by non-root users, an attacker can inject malicious commands into scheduled tasks that run as root.
    • Falco Rule Snippet:
      condition: >
  (evt.type = "openat" and fd.directory in ("/etc/cron.d", "/etc/cron.hourly", "/etc/cron.daily", "/etc/cron.weekly", "/etc/cron.monthly", "/etc/crontab")) and
  (fd.flags contains O_WRONLY or fd.flags contains O_RDWR) and
  (user.name != "root")
    • Why it works: This rule specifically targets write operations to well-known cron directories and files by users other than root.

When you’re building your Falco ruleset, think about the common ways users gain elevated privileges on Linux systems. Many of these involve exploiting misconfigurations, insecure permissions, or known application vulnerabilities. Falco’s ability to inspect system calls and process execution provides the visibility needed to detect these activities in real-time.

The next step after detecting privilege escalation is often dealing with the fallout of a compromised system, which might involve detecting lateral movement or data exfiltration attempts.

Want structured learning?

Take the full Falco course →