MITRE ATT&CK® Analytic

AN1420: Analytic 1420

Detects escalation via vulnerable setuid binaries or kernel modules, often chained with unusual access to /proc/kallsyms or /dev/kmem.

Enterprise | AN1420 | Analytic | Object v1.0
Glexia's Take

Analyst context for executives and security teams

Analyst confidence: Medium

This analytic is relevant to Linux privilege-escalation risk: it looks for signs that a user or process may be abusing vulnerable setuid binaries or kernel-level components, especially when paired with unusual access to sensitive kernel interfaces such as /proc/kallsyms or /dev/kmem. For leaders, the decision value is whether critical Linux systems have enough host telemetry and hardening to identify escalation attempts before they become full administrative compromise.

Executive priority

Prioritize this where Linux systems support business-critical services, regulated workloads, or operational resilience. The key management question is not just whether the analytic exists, but whether teams can prove they inventory setuid exposure, monitor sensitive kernel access, and investigate privilege changes quickly. This supports incident readiness, control validation, and audit evidence around least privilege and host hardening.

Technical view

Validate Linux host monitoring for suspicious privilege-escalation indicators involving setuid binaries, kernel modules, and access to /proc/kallsyms or /dev/kmem. Because the ATT&CK object provides no detailed detection logic and no relationship context, SOC and detection engineering teams should treat this as a coverage objective: confirm process execution visibility, file access auditing for sensitive kernel paths, privilege transition evidence, and kernel/module activity where available. Tune around legitimate administrative or diagnostic tools to avoid noisy alerts.

Likely telemetry

  • Linux process execution events, including user, parent process, command line, and effective privilege context
  • File access or audit events for /proc/kallsyms and /dev/kmem
  • Inventory or change data for setuid binaries and permissions
  • Kernel module load or modification telemetry where collected
  • Authentication and session context tying activity to users, services, or automation

Detection direction

  • Confirm whether Linux endpoints actually collect the evidence needed to see setuid execution, privilege transitions, kernel module activity, and access to /proc/kallsyms or /dev/kmem.
  • Baseline legitimate administrative, troubleshooting, and monitoring activity that may read kernel-related interfaces to reduce false positives.
  • Correlate unusual sensitive file access with suspicious process ancestry, unexpected users, recent binary permission changes, or privilege escalation context.
  • Pay attention to blind spots on minimally monitored servers, containers or appliances with limited host logging, and environments where audit policies omit sensitive file access.
  • Use this analytic as a validation target rather than a complete rule, because the official ATT&CK detection field is not provided.
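A minimal correlation check of the kind the list above calls for, as an added example (not MITRE's or Glexia's code): it joins auditd SYSCALL and PATH records by event id, flags non-baseline executables touching /proc/kallsyms or /dev/kmem, and adds weight when the event shows a uid/euid mismatch or an executable in a world-writable directory. The audit records, the baseline executable set and the untrusted directory list are constructed assumptions.

```python
"""Correlate auditd SYSCALL and PATH records and flag unexpected access to
/proc/kallsyms or /dev/kmem (added illustration, not MITRE's or Glexia's code)."""
import re

SENSITIVE = {"/proc/kallsyms", "/dev/kmem"}
# Assumed site baseline of tools that legitimately read kernel symbol tables.
BASELINE_EXE = {"/usr/bin/kmod", "/usr/lib/systemd/systemd-udevd"}
UNTRUSTED_DIRS = ("/tmp/", "/dev/shm/", "/var/tmp/")

# Constructed sample records; auditd ties each event's SYSCALL and PATH lines together by the msg=audit(ts:serial) id.
SAMPLE_AUDIT = """\
type=SYSCALL msg=audit(1700000000.101:1): syscall=257 success=yes uid=0 euid=0 ppid=1 pid=900 comm="kmod" exe="/usr/bin/kmod"
type=PATH msg=audit(1700000000.101:1): item=0 name="/proc/kallsyms"
type=SYSCALL msg=audit(1700000000.202:2): syscall=257 success=yes uid=1001 euid=0 ppid=2210 pid=2211 comm="helper" exe="/tmp/helper"
type=PATH msg=audit(1700000000.202:2): item=0 name="/proc/kallsyms"
type=SYSCALL msg=audit(1700000000.303:3): syscall=257 success=no uid=1001 euid=1001 ppid=2210 pid=2212 comm="cat" exe="/usr/bin/cat"
type=PATH msg=audit(1700000000.303:3): item=0 name="/dev/kmem"
"""

FIELD = re.compile(r'(\w+)=("[^"]*"|\S+)')
EVENT_ID = re.compile(r"audit\(([^)]+)\)")

def parse_events(text):
    """Merge the key=value fields of each line into one dict per audit event id."""
    events = {}
    for line in text.splitlines():
        eid = EVENT_ID.search(line).group(1)
        fields = {k: v.strip('"') for k, v in FIELD.findall(line)}
        if fields["type"] == "PATH":  # take only the file name from PATH records
            events.setdefault(eid, {})["name"] = fields.get("name")
        else:
            events.setdefault(eid, {}).update(fields)
    return events

def assess(ev):
    """Reasons an event is suspicious; empty for benign or baseline activity."""
    if ev.get("name") not in SENSITIVE or ev.get("exe") in BASELINE_EXE:
        return []
    reasons = ["non-baseline exe touched a sensitive kernel interface"]
    if ev.get("uid") != ev.get("euid"):
        reasons.append("uid/euid mismatch: setuid privilege transition")
    if ev.get("exe", "").startswith(UNTRUSTED_DIRS):
        reasons.append("exe ran from a world-writable directory")
    return reasons

def find_alerts(text):
    """Map event id -> reasons for every suspicious event in the audit text."""
    scored = ((eid, assess(ev)) for eid, ev in parse_events(text).items())
    return {eid: why for eid, why in scored if why}
```

On the sample, the baseline kmod read is dropped, the /tmp/helper event is flagged with three reasons, and the unprivileged /dev/kmem read is flagged once; a real deployment would feed `find_alerts` from the audit log stream and enrich the flagged events with process ancestry.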

Mitigation priorities

  • Inventory Linux systems and identify business-critical hosts where privilege escalation monitoring is required.
  • Review and reduce unnecessary setuid binaries and validate permissions against least-privilege expectations.
  • Restrict and monitor access to sensitive kernel interfaces such as /proc/kallsyms and /dev/kmem according to operational need.
  • Maintain patching and configuration hygiene for Linux kernels, kernel modules, and privileged binaries.
  • Ensure incident response playbooks include triage steps for suspected local privilege escalation on Linux hosts, including user context, process lineage, binary permissions, and kernel/module evidence.

Analyst notes and limits

This object is a detection analytic, not a technique entry. It names Linux as the supported platform and describes detection intent around vulnerable setuid binaries, kernel modules, and unusual access to /proc/kallsyms or /dev/kmem. No tactics, relationships, aliases, or detailed official detection logic were supplied, so local engineering is required to convert the concept into deployable rules and validation tests.

The supplied ATT&CK fields do not include detailed detection logic, data source mappings, related techniques, threat actors, campaigns, or mitigations. This take therefore avoids claims about active exploitation, attribution, impact, or guaranteed detection coverage. Applicability depends on each environment’s Linux telemetry, audit configuration, hardening standards, and administrative baseline.

Official MITRE ATT&CK definition

Analytic 1420

Detects escalation via vulnerable setuid binaries or kernel modules, often chained with unusual access to /proc/kallsyms or /dev/kmem.

View the same entry on attack.mitre.org (MITRE-hosted reference; in-page links above use the Glexia ATT&CK library.)

Glexia analysis

How security teams should use this page

Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.

Relationship explorer

All related ATT&CK context

No relationships are available in the current normalized data for this object.

Change history

Object version and sync metadata

The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE’s own release notes and roadmap, see ATT&CK resources — Updates.

ATT&CK release: 19.1
Object version: 1.0
Created:
Modified:
Raw hash: 4c16943bb0a7fa8f...

Imported snapshots across ATT&CK releases (1)

Release | Bundle imported | Object version | Modified | Status | Raw hash
19.1 | | 1.0 | | Current bundle | 4c16943bb0a7…

Raw source

Mirrored ATT&CK source object

The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.

Source references

External references and citations

MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.

  1. mitre-attack AN1420

Source and licensing

Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.