MITRE ATT&CK mapping (Technique ID | Technique | Observed behaviour)
T1068 | Exploitation for Privilege Escalation | Exploitation of a vulnerable sudo version to gain elevated privileges
T1611 | Escape to Host | Abuse of the container context (Docker) to escalate privileges on the host
T1059.004 | Command and Scripting Interpreter: Unix Shell | Execution of bash commands to run the exploit code
T1105 | Ingress Tool Transfer | Exploit code downloaded to the system prior to execution
The alert "SOC341 Local Privilege Escalation via chroot CVE-2025-32463" was triggered after suspicious use of sudo -R was detected on host ubuntu-dev. Investigation confirmed the system was running a vulnerable sudo version (1.8). The user downloaded a public exploit and executed it within a Docker container to gain elevated privileges.
Jul 04 2025 08:10 AM
Host: ubuntu-dev (172.16.20.56). Activity was observed within a Docker environment using bash and sudo commands.
The alert was triggered by detection of behaviour consistent with exploitation of CVE-2025-32463. Endpoint investigation confirmed the presence of a vulnerable sudo version and the execution of exploit code leading to privilege escalation. The activity represents a successful local privilege escalation. The affected system was contained to prevent further compromise and potential lateral movement.
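An added detection example, not part of the original report: it scans constructed process-execution events for sudo invoked with -R/--chroot (the behaviour this alert keyed on) and records whether the process ran under a Docker cgroup, which is the container context behind the T1611 mapping. The event shape, host names, users, cgroup paths and the set of value-taking sudo short options are assumptions.

```python
"""Flag sudo invocations that use -R/--chroot in process-execution events (constructed samples)."""
import shlex

# Constructed events; the shape (host, user, cgroup, cmdline), hosts, users and paths are assumptions.
SAMPLE_EVENTS = [
    {"host": "ubuntu-dev", "user": "devuser", "cgroup": "/user.slice", "cmdline": "sudo apt update"},
    {"host": "ubuntu-dev", "user": "devuser", "cgroup": "/docker/3f2a", "cmdline": "sudo -R /tmp/woot woot"},
    {"host": "ubuntu-dev", "user": "devuser", "cgroup": "/docker/3f2a", "cmdline": "sudo --chroot=/tmp/stage /bin/true"},
    {"host": "ubuntu-dev", "user": "devuser", "cgroup": "/user.slice", "cmdline": "ls -R /etc"},
    {"host": "ubuntu-dev", "user": "devuser", "cgroup": "/user.slice", "cmdline": "sudo -nR /srv/jail id"},
]

def chroot_dir(cmdline):
    """Return the chroot target if cmdline runs sudo with -R/--chroot, else None."""
    argv = shlex.split(cmdline)
    if not argv or argv[0].rsplit("/", 1)[-1] not in ("sudo", "sudoedit"):
        return None
    args = argv[1:]
    i = 0
    while i < len(args):
        a = args[i]
        if a == "--" or not a.startswith("-"):
            break  # end of sudo options / start of the wrapped command
        if a == "--chroot":
            return args[i + 1] if i + 1 < len(args) else "<missing>"
        if a.startswith("--chroot="):
            return a.split("=", 1)[1]
        if not a.startswith("--"):  # short option cluster: -R, -Rdir, -nR dir, -u root
            letters = a[1:]
            for j, ch in enumerate(letters):
                if ch == "R":
                    rest = letters[j + 1:]
                    return rest if rest else (args[i + 1] if i + 1 < len(args) else "<missing>")
                if ch in "CDghprtTuU":  # sudo short options taking a value (assumed set)
                    if j == len(letters) - 1:
                        i += 1  # the value is the next argv element; skip it
                    break
        i += 1
    return None

def flag_events(events):
    """Alert on sudo chroot use and note container context (ties to T1611)."""
    alerts = []
    for ev in events:
        target = chroot_dir(ev["cmdline"])
        if target is not None:
            alerts.append({"host": ev["host"], "user": ev["user"], "chroot": target,
                           "in_container": "docker" in ev.get("cgroup", ""), "cmdline": ev["cmdline"]})
    return alerts
```

Running flag_events(SAMPLE_EVENTS) yields three alerts, two of them marked as originating inside a container; the plain `ls -R` invocation is not flagged because only sudo's own option is matched.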
Helpful command (opens an interactive shell in the container for investigation):
docker exec -it <container_name_or_id> /bin/bash
CVE: https://nvd.nist.gov/vuln/detail/cve-2025-32463