KQL Search

Query Details

Linux Pedit COW Exploit Detection CVE 2026 46331

Query

# *Linux pedit COW Exploit Detection (CVE-2026-46331)*

## Query Information

#### MITRE ATT&CK Technique(s)

| Technique ID | Title    | Link    |
| ---  | --- | --- |
| T1068 | Exploitation for Privilege Escalation | https://attack.mitre.org/techniques/T1068 |
| T1548.001 | Abuse Elevation Control Mechanism: Setuid and Setgid | https://attack.mitre.org/techniques/T1548/001/ |


#### Description

This rule detects potential privilege escalation activity on Linux systems that leverages a 'pedit' based exploit (often involving kernel memory corruption or copy-on-write manipulation via traffic control tools). It identifies a two-stage attack chain: first, the preparation phase involving the execution of 'tc' commands or 'unshare' (often used to create namespaces for exploitation), followed by an escalation phase where anomalous child processes (shells, or commands like 'whoami', 'id', 'chmod') are spawned from a 'su' binary within 10 minutes of the preparation.

#### Author <Optional>
- **Name: Benjamin Zulliger**
- **Github: https://github.com/benscha/KQLAdvancedHunting**
- **LinkedIn: https://www.linkedin.com/in/benjamin-zulliger/**

#### References
- https://thehackernews.com/2026/06/new-linux-pedit-cow-exploit-enables.html


## Defender XDR
```KQL
// Search for the preparation phase (Namespace creation or tc pedit manipulation)
let PreparationPhase = 
	DeviceProcessEvents
	| where Timestamp > ago(7d)
	| where AccountName !in~ ("root", "system")
	| where ProcessCommandLine has_any ("unshare", "tc action add", "pedit") 
	   or (ProcessCommandLine has "tc" and ProcessCommandLine has "pedit")
	| project PreparationTime = Timestamp, DeviceName, UserAccount = AccountName, PrepCommand = ProcessCommandLine, PreparationPID = ProcessId;
// Search for the privilege escalation phase (Anomalous child processes of su)
let EscalationPhase = 
	DeviceProcessEvents
	| where Timestamp > ago(7d)
	| where InitiatingProcessFolderPath in~ ("/bin/su", "/usr/bin/su")
	| where FolderPath in~ ("/bin/sh", "/bin/bash", "/bin/dash", "/bin/zsh") 
	   or ProcessCommandLine has_any ("whoami", "id", "chmod")
	| project EscalationTime = Timestamp, DeviceName, ExecutedCommand = ProcessCommandLine, EscalationPID = ProcessId, SuInitiator = InitiatingProcessCommandLine, ReportId;
// Correlation: Both events must occur on the same device 
// and the escalation must happen shortly after the preparation (max. 10 minutes)
PreparationPhase
| join kind=inner EscalationPhase on DeviceName
| where EscalationTime >= PreparationTime and EscalationTime <= PreparationTime + 10m
| project PreparationTime, EscalationTime, DeviceName, UserAccount, PrepCommand, SuInitiator, ExecutedCommand
```

Explanation

This query is designed to detect a specific type of security threat on Linux systems, known as the "pedit COW exploit" (CVE-2026-46331). This exploit involves a two-step process that attackers use to gain unauthorized access or escalate their privileges on a system.

Here's a simplified breakdown of what the query does:

  1. Preparation Phase Detection:

    • The query first looks for signs that an attacker is preparing to exploit the system. This involves checking for certain commands that are typically used to manipulate system settings or create isolated environments (namespaces) for exploitation. Specifically, it searches for commands like unshare, tc action add, and pedit.
    • It filters out actions performed by system-level accounts like "root" or "system" to focus on potentially suspicious user activity.
    • The results include the time of the activity, the device name, the user account involved, the command executed, and the process ID.

  2. Escalation Phase Detection:

    • Next, the query looks for unusual processes that are spawned from the su command, which is used to switch user accounts. It checks for child processes that involve shell commands or actions like checking user identity (whoami, id) or changing file permissions (chmod).
    • This phase captures the time of the activity, the device name, the command executed, the process ID, and the command that initiated the su process.

  3. Correlation:

    • The query then correlates the two phases by ensuring that both occur on the same device and that the escalation phase happens within 10 minutes of the preparation phase.
    • It outputs details of the correlated events, including the times of both phases, the device name, the user account, the preparation command, the command that initiated the su process, and the executed command during escalation.

Overall, this query helps security teams identify and respond to potential privilege escalation attacks on Linux systems by detecting suspicious activity patterns associated with the pedit COW exploit.

Details

Benjamin Zulliger profile picture

Benjamin Zulliger

Released: June 28, 2026

Tables

DeviceProcessEvents

Keywords

LinuxDevicesUserExploitDetectionPrivilegeEscalationProcessCommandTimestampAccountNameFolderPath

Operators

let|where>ago!in~has_anyorhasprojectin~joinkind=inner>=<=+

Actions