Setgid Bit Set via chmod

An adversary may add the setgid bit to an executable file in order to run it with the privileges of the file's owning group (on a directory the same bit has a different effect: newly created files inherit the directory's group rather than the creator's). An adversary can take advantage of this either to escape to a shell from a setgid program or to exploit a vulnerability in a setgid application, in both cases getting code running in a different group's context. Additionally, adversaries can set the bit on their own malware to make sure it executes in an elevated context in the future.

Elastic rule

 1[metadata]
 2creation_date = "2020/04/23"
 3deprecation_date = "2021/03/16"
 4maturity = "deprecated"
 5updated_date = "2021/03/16"
 6
 7[rule]
 8author = ["Elastic"]
 9description = """
10An adversary may add the setgid bit to a file or directory in order to run a file with the privileges of the owning
11group. An adversary can take advantage of this to either do a shell escape or exploit a vulnerability in an application
12with the setgid bit to get code running in a different user’s context. Additionally, adversaries can use this mechanism
13on their own malware to make sure they're able to execute in elevated contexts in the future.
14"""
15from = "now-9m"
16index = ["auditbeat-*", "logs-endpoint.events.*"]
17language = "lucene"
18license = "Elastic License"
19max_signals = 33
20name = "Setgid Bit Set via chmod"
21risk_score = 21
22rule_id = "3a86e085-094c-412d-97ff-2439731e59cb"
23severity = "low"
24tags = ["Elastic", "Host", "Linux", "Threat Detection", "Privilege Escalation"]
25timestamp_override = "event.ingested"
26type = "query"
27
28query = '''
29event.category:process AND event.type:(start or process_started) AND process.name:chmod AND process.args:(g+s OR /2[0-9]{3}/) AND NOT user.name:root
30'''
31
32
33[[rule.threat]]
34framework = "MITRE ATT&CK"
35[[rule.threat.technique]]
36id = "T1548"
37name = "Abuse Elevation Control Mechanism"
38reference = "https://attack.mitre.org/techniques/T1548/"
39[[rule.threat.technique.subtechnique]]
40id = "T1548.001"
41name = "Setuid and Setgid"
42reference = "https://attack.mitre.org/techniques/T1548/001/"
43
44
45
46[rule.threat.tactic]
47id = "TA0004"
48name = "Privilege Escalation"
49reference = "https://attack.mitre.org/tactics/TA0004/"
50[[rule.threat]]
51framework = "MITRE ATT&CK"
52
53[rule.threat.tactic]
54id = "TA0003"
55name = "Persistence"
56reference = "https://attack.mitre.org/tactics/TA0003/"
