Behavior:Linux/Pkexec.B
Aliases: No associated aliases
Summary
Microsoft Defender Antivirus detects and removes this threat.
This threat is associated with exploitation of CVE-2021-4034, the local privilege escalation vulnerability in Polkit's pkexec utility that is tracked publicly as PwnKit. The vulnerability allows an unprivileged local user to gain administrative privileges and run commands and arbitrary code as root on the affected device.
Microsoft Defender Antivirus automatically removes threats as they are detected. If you have cloud-delivered protection, your device gets the latest defenses against new and unknown threats. If you don't have this feature enabled, update your antimalware definitions and run a full scan to remove this threat.
- Verify whether this device has the vulnerable Polkit component installed on it.
- Identify whether there was any possible exploitation attempt by looking for newly created files and newly launched processes on the device.
- Look for any post-exploitation activities on the device.
- Remediate the threat. Clean up or reinstall affected devices to remove malicious components and return them to a clean state. Reset passwords of affected accounts.
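The following script is an added example that walks through the verification and identification steps above on a Linux host; it is not Microsoft's code. The pkexec path, the auth log path and the sample log lines are assumptions or constructed data, and the two grep patterns are the error strings pkexec itself logs when it rejects a crafted environment.

```shell
#!/bin/sh
# Added example for the triage steps above; not Microsoft's code. Assumes a
# Linux host with a `stat -c %a`-capable stat, pkexec at /usr/bin/pkexec and
# auth messages in /var/log/auth.log (both paths are assumptions; override below).

# Step 1: pkexec is only exploitable while it is setuid root. Takes an
# octal mode string as printed by `stat -c %a` and succeeds when the setuid
# bit is set. Removing the bit (chmod 0755) is the known interim mitigation.
is_setuid_mode() {
    mode="$1"
    [ "${#mode}" -ge 4 ] || return 1          # "755": no special bits at all
    special=$(printf '%s' "$mode" | cut -c1)  # leading digit: 4 = setuid
    [ $((special & 4)) -ne 0 ]
}

# Step 2: count log lines carrying the two error strings pkexec itself
# writes when it rejects a crafted environment. Qualys reported the public
# technique leaves one of these behind, but also that exploitation without
# log traces is possible, so a count of zero is not proof of no attempt.
count_pkexec_indicators() {
    grep -c -e 'SHELL variable was not found' \
            -e 'contains suscipious content' || true   # grep -c exits 1 on 0 hits
}

# Constructed sample auth log (not real data) in the usual syslog layout.
SAMPLE_AUTH_LOG='Jan 26 10:01:02 host pkexec[4242]: alice: The value for the SHELL variable was not found the /etc/shells file [USER=root] [TTY=unknown] [CWD=/tmp] [COMMAND=/usr/bin/id]
Jan 26 10:01:03 host sshd[100]: Accepted publickey for alice from 10.0.0.5 port 50022
Jan 26 10:01:09 host pkexec[4243]: alice: The value for environment variable XAUTHORITY contains suscipious content [USER=root] [TTY=unknown] [CWD=/tmp] [COMMAND=/bin/true]'

audit_pkexec() {
    bin="${1:-/usr/bin/pkexec}"
    log="${2:-/var/log/auth.log}"
    if [ ! -e "$bin" ]; then
        echo "pkexec not installed: CVE-2021-4034 not applicable"
        return 0
    fi
    if is_setuid_mode "$(stat -c %a "$bin")"; then
        echo "WARN: $bin is setuid root; confirm the polkit package is patched"
    else
        echo "OK: $bin is not setuid"
    fi
    if [ -r "$log" ]; then
        echo "pkexec rejection lines in $log: $(count_pkexec_indicators < "$log")"
    fi
}

echo "sample log indicators: $(printf '%s\n' "$SAMPLE_AUTH_LOG" | count_pkexec_indicators)"
audit_pkexec "$@"
```

Run it as root and pass the log path as the second argument on distributions that write auth messages elsewhere, for example /var/log/secure on RHEL-based systems.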