Attackers may use sudo with —chroot to execute commands in a restricted environment, potentially evading standard detection mechanisms. SOC teams should proactively hunt for this behavior in Azure Sentinel to identify potential evasion tactics and unauthorized command execution.
Detection Rule
title: Linux Sudo Chroot Execution
id: f2bed782-994e-4f40-9cd5-518198cb3fba
status: experimental
description: |
Detects the execution of 'sudo' command with '--chroot' option, which is used to change the root directory for command execution.
Attackers may use this technique to evade detection and execute commands in a modified environment.
This can be part of a privilege escalation strategy, as it allows the execution of commands with elevated privileges in a controlled environment as seen in CVE-2025-32463.
While investigating, look out for unusual or unexpected use of 'sudo --chroot' in conjunction with other commands or scripts such as execution from temporary directories or unusual user accounts.
references:
- https://github.com/kh4sh3i/CVE-2025-32463/blob/81bb430f84fa2089224733c3ed4bfa434c197ad4/exploit.sh
author: Swachchhanda Shrawn Poudel (Nextron Systems)
date: 2025-10-02
tags:
- attack.privilege-escalation
- attack.t1068
logsource:
category: process_creation
product: linux
detection:
selection:
Image|endswith: '/sudo'
CommandLine|contains:
- ' --chroot '
- 'sudo -R '
condition: selection
falsepositives:
- Legitimate administrative tasks or scripts that use 'sudo --chroot' for containerization, testing, or system management.
level: low
imProcessCreate
| where TargetProcessName endswith "/sudo" and (TargetProcessCommandLine contains " --chroot " or TargetProcessCommandLine contains "sudo -R ")Scenario: Scheduled System Maintenance Task Using chroot
Description: A legitimate system maintenance script uses sudo with --chroot to perform file system checks or repairs in a restricted environment.
Filter/Exclusion: Exclude processes where the command includes /bin/ or /sbin/ and the user is a system admin (e.g., root or sysadmin). Example: sudo -i --chroot /var/backup
Filter Example: process.name = "sudo" and process.args contains "--chroot" and process.user in ("root", "sysadmin")
Scenario: Containerized Application Deployment with chroot
Description: A DevOps team uses sudo with --chroot to deploy a containerized application in a chrooted environment for isolation.
Filter/Exclusion: Exclude commands that reference known container directories (e.g., /var/lib/docker, /home/user/container_env).
Filter Example: process.name = "sudo" and process.args contains "--chroot" and process.args contains "/var/lib/docker"
Scenario: User-Specific Chroot Environment for Application Execution
Description: An admin configures a user-specific chroot environment for a custom application using sudo --chroot.
Filter/Exclusion: Exclude commands where the chroot path is a user-specific directory (e.g., /home/user/app_env).
Filter Example: process.name = "sudo" and process.args contains "--chroot" and process.args contains "/home"
Scenario: Security Tool or Audit Tool Using Chroot
Description: A security tool like auditd or ossec uses sudo --chroot to run in a restricted environment for monitoring.
Filter/Exclusion: Exclude commands that include