KQL · License: Elastic-2.0 · from elastic/detection-rules
Unusual Pkexec Execution
Rule source: rules/linux/execution_unusual_pkexec_execution.toml
event.category:process and host.os.type:linux and event.type:start and
event.action:(exec or exec_event or start or ProcessRollup2) and process.name:pkexec and
process.args:pkexec and process.parent.name:(bash or dash or sh or tcsh or csh or zsh or ksh or fish) and
not (
process.args:(
"/usr/libexec/gvfsd-admin" or "udevadm" or "/opt/forticlient/stop-forticlient.sh" or "/usr/bin/gparted" or
"dpkg" or "/usr/sbin/gparted" or "input-remapper-control" or "/usr/lib/ubuntu-release-upgrader/do-partial-upgrade"
) or
process.parent.command_line:*/home/*/.claude/shell-snapshots/* or
process.parent.args:"/usr/bin/timeshift-launcher"
)