Setgid Bit Set via chmod

 1[metadata]
 2creation_date = "2020/04/23"
 3deprecation_date = "2021/03/16"
 4maturity = "deprecated"
 5updated_date = "2021/03/16"
 6
 7[rule]
 8author = ["Elastic"]
 9description = """
10An adversary may add the setgid bit to a file or directory in order to run a file with the privileges of the owning
11group. An adversary can take advantage of this to either do a shell escape or exploit a vulnerability in an application
12with the setgid bit to get code running in a different user’s context. Additionally, adversaries can use this mechanism
13on their own malware to make sure they're able to execute in elevated contexts in the future.
14"""
15from = "now-9m"
16index = ["auditbeat-*", "logs-endpoint.events.*"]
17language = "lucene"
18license = "Elastic License"
19max_signals = 33
20name = "Setgid Bit Set via chmod"
21risk_score = 21
22rule_id = "3a86e085-094c-412d-97ff-2439731e59cb"
23severity = "low"
24tags = ["Elastic", "Host", "Linux", "Threat Detection", "Privilege Escalation"]
25timestamp_override = "event.ingested"
26type = "query"
27
28query = '''
29event.category:process AND event.type:(start or process_started) AND process.name:chmod AND process.args:(g+s OR /2[0-9]{3}/) AND NOT user.name:root
30'''
31
32
33[[rule.threat]]
34framework = "MITRE ATT&CK"
35[[rule.threat.technique]]
36id = "T1548"
37name = "Abuse Elevation Control Mechanism"
38reference = "https://attack.mitre.org/techniques/T1548/"
39[[rule.threat.technique.subtechnique]]
40id = "T1548.001"
41name = "Setuid and Setgid"
42reference = "https://attack.mitre.org/techniques/T1548/001/"
43
44
45
46[rule.threat.tactic]
47id = "TA0004"
48name = "Privilege Escalation"
49reference = "https://attack.mitre.org/tactics/TA0004/"
50[[rule.threat]]
51framework = "MITRE ATT&CK"
52
53[rule.threat.tactic]
54id = "TA0003"
55name = "Persistence"
56reference = "https://attack.mitre.org/tactics/TA0003/"