Linux Pedit COW Exploit Detection CVE 2026 46331
Query
// Search for the preparation phase (Namespace creation or tc pedit manipulation)
let PreparationPhase =
DeviceProcessEvents
| where Timestamp > ago(7d)
| where AccountName !in~ ("root", "system")
| where ProcessCommandLine has_any ("unshare", "tc action add", "pedit")
or (ProcessCommandLine has "tc" and ProcessCommandLine has "pedit")
| project PreparationTime = Timestamp, DeviceName, UserAccount = AccountName, PrepCommand = ProcessCommandLine, PreparationPID = ProcessId;
// Search for the privilege escalation phase (Anomalous child processes of su)
let EscalationPhase =
DeviceProcessEvents
| where Timestamp > ago(7d)
| where InitiatingProcessFolderPath in~ ("/bin/su", "/usr/bin/su")
| where FolderPath in~ ("/bin/sh", "/bin/bash", "/bin/dash", "/bin/zsh")
or ProcessCommandLine has_any ("whoami", "id", "chmod")
| project EscalationTime = Timestamp, DeviceName, ExecutedCommand = ProcessCommandLine, EscalationPID = ProcessId, SuInitiator = InitiatingProcessCommandLine, ReportId;
// Correlation: Both events must occur on the same device
// and the escalation must happen shortly after the preparation (max. 10 minutes)
PreparationPhase
| join kind=inner EscalationPhase on DeviceName
| where EscalationTime >= PreparationTime and EscalationTime <= PreparationTime + 10m
| project PreparationTime, EscalationTime, DeviceName, UserAccount, PrepCommand, SuInitiator, ExecutedCommandAbout this query
Explanation
This query is designed to detect a specific type of security threat on Linux systems, known as the "pedit COW exploit" (CVE-2026-46331). This exploit involves a two-step process that attackers use to gain unauthorized access or escalate their privileges on a system.
Here's a simplified breakdown of what the query does:
-
Preparation Phase Detection:
- The query first looks for signs that an attacker is preparing to exploit the system. This involves checking for certain commands that are typically used to manipulate system settings or create isolated environments (namespaces) for exploitation. Specifically, it searches for commands like
unshare,tc action add, andpedit. - It filters out actions performed by system-level accounts like "root" or "system" to focus on potentially suspicious user activity.
- The results include the time of the activity, the device name, the user account involved, the command executed, and the process ID.
- The query first looks for signs that an attacker is preparing to exploit the system. This involves checking for certain commands that are typically used to manipulate system settings or create isolated environments (namespaces) for exploitation. Specifically, it searches for commands like
-
Escalation Phase Detection:
- Next, the query looks for unusual processes that are spawned from the
sucommand, which is used to switch user accounts. It checks for child processes that involve shell commands or actions like checking user identity (whoami,id) or changing file permissions (chmod). - This phase captures the time of the activity, the device name, the command executed, the process ID, and the command that initiated the
suprocess.
- Next, the query looks for unusual processes that are spawned from the
-
Correlation:
- The query then correlates the two phases by ensuring that both occur on the same device and that the escalation phase happens within 10 minutes of the preparation phase.
- It outputs details of the correlated events, including the times of both phases, the device name, the user account, the preparation command, the command that initiated the
suprocess, and the executed command during escalation.
Overall, this query helps security teams identify and respond to potential privilege escalation attacks on Linux systems by detecting suspicious activity patterns associated with the pedit COW exploit.
