SUID/SGID Bit Set

An adversary may add the setuid or setgid bit to a file or directory so that the file runs with the privileges of its owning user or group. An adversary can take advantage of this either to perform a shell escape or to exploit a vulnerability in an application carrying the setuid or setgid bit, getting code to run in a different user's context. Additionally, adversaries can apply this mechanism to their own malware to make sure it is able to execute in an elevated context in the future.

Elastic rule (View on GitHub)

 1[metadata]
 2creation_date = "2020/04/23"
 3integration = ["endpoint"]
 4maturity = "production"
 5updated_date = "2024/06/19"
 6
 7[rule]
 8author = ["Elastic"]
 9description = """
10An adversary may add the setuid or setgid bit to a file or directory in order to run a file with the privileges of the
11owning user or group. An adversary can take advantage of this to either do a shell escape or exploit a vulnerability in
12an application with the setuid or setgid bit to get code running in a different user’s context. Additionally,
13adversaries can use this mechanism on their own malware to make sure they're able to execute in elevated contexts in the
14future.
15"""
16from = "now-9m"
17index = ["auditbeat-*", "logs-endpoint.events.*"]
18language = "eql"
19license = "Elastic License v2"
20max_signals = 33
21name = "SUID/SGID Bit Set"
22risk_score = 21
23rule_id = "8a1b0278-0f9a-487d-96bd-d4833298e87a"
24severity = "low"
25tags = [
26    "Domain: Endpoint",
27    "OS: Linux",
28    "OS: macOS",
29    "Use Case: Threat Detection",
30    "Tactic: Privilege Escalation",
31    "Data Source: Elastic Defend",
32]
33timestamp_override = "event.ingested"
34type = "eql"
35query = '''
36process where host.os.type == "linux" and event.type == "start" and event.action == "exec" and (
37  (process.name == "chmod" and (process.args : ("+s", "u+s", "g+s") or process.args regex "[24][0-9]{3}")) or
38  (process.name == "install" and process.args : "-m" and
39  (process.args : ("+s", "u+s", "g+s") or process.args regex "[24][0-9]{3}"))
40) and not (
41  process.parent.executable : (
42    "/usr/NX/*", "/var/lib/docker/*", "/var/lib/dpkg/info*", "/tmp/newroot/*",
43    "/System/Library/PrivateFrameworks/PackageKit.framework/Versions/A/XPCServices/package_script_service.xpc/Contents/MacOS/package_script_service"
44  ) or
45  process.args : (
46    "/run/*", "/var/run/*", "/usr/bin/keybase-redirector", "/usr/local/share/fonts", "/usr/bin/ssh-agent"
47  )
48)
49'''
50
# MITRE ATT&CK mapping. Each [[rule.threat]] element is one framework entry; the
# [[rule.threat.technique]], [[...subtechnique]] and [rule.threat.tactic] headers that
# follow attach to the most recently opened [[rule.threat]] element, so header order matters.
[[rule.threat]]
framework = "MITRE ATT&CK"

[[rule.threat.technique]]
id = "T1548"
name = "Abuse Elevation Control Mechanism"
reference = "https://attack.mitre.org/techniques/T1548/"

[[rule.threat.technique.subtechnique]]
id = "T1548.001"
name = "Setuid and Setgid"
reference = "https://attack.mitre.org/techniques/T1548/001/"

[rule.threat.tactic]
id = "TA0004"
name = "Privilege Escalation"
reference = "https://attack.mitre.org/tactics/TA0004/"

# Second entry: the Persistence tactic is mapped without a specific technique.
[[rule.threat]]
framework = "MITRE ATT&CK"

[rule.threat.tactic]
id = "TA0003"
name = "Persistence"
reference = "https://attack.mitre.org/tactics/TA0003/"
