Skip to content

Hide Navigation Hide TOC

Privilege Escalation and Admin Function Access - ATR-2026-00040 (43911b57-d4a7-5cdf-9bbe-9126bec10e3f)

Consolidated detection for privilege escalation attempts, covering both tool permission escalation and unauthorized admin function access. Detects when an agent requests or uses tools exceeding its permission scope, invokes administrative functions (user management, database admin, system config), attempts system-level operations (sudo, chmod, chown), container escape techniques (nsenter, chroot), or Kubernetes privilege escalation (kubectl exec). This rule enforces least-privilege boundaries across all agent tool interactions.

Cluster A Galaxy A Cluster B Galaxy B Level
AI Model Inference API Access (90a420d4-3f03-4800-86c0-223c4376804a) MITRE ATLAS Attack Pattern Privilege Escalation and Admin Function Access - ATR-2026-00040 (43911b57-d4a7-5cdf-9bbe-9126bec10e3f) Agent Threat Rules 1
Escape to Host - T1611 (4a5b7ade-8bb5-4853-84ed-23f262002665) Attack Pattern Privilege Escalation and Admin Function Access - ATR-2026-00040 (43911b57-d4a7-5cdf-9bbe-9126bec10e3f) Agent Threat Rules 1
Privilege Escalation and Admin Function Access - ATR-2026-00040 (43911b57-d4a7-5cdf-9bbe-9126bec10e3f) Agent Threat Rules Abuse Elevation Control Mechanism - T1548 (67720091-eee3-4d2d-ae16-8264567f6f5b) Attack Pattern 1
Privilege Escalation and Admin Function Access - ATR-2026-00040 (43911b57-d4a7-5cdf-9bbe-9126bec10e3f) Agent Threat Rules Command and Scripting Interpreter (716d3a6b-2f8c-4a1f-85f7-d884bb7b2800) MITRE ATLAS Attack Pattern 1