Setuid / Setgid Bit Set via chmod

An adversary may add the setuid or setgid bit to a file or directory in order to run a file with the privileges of the owning user or group. An adversary can take advantage of this either to perform a shell escape or to exploit a vulnerability in an application that has the setuid or setgid bit set, in order to get code running in a different user’s context. Additionally, adversaries can use this mechanism on their own malware to ensure it can execute in elevated contexts in the future.

Elastic rule (View on GitHub)

 1[metadata]
 2creation_date = "2020/04/23"
 3integration = ["endpoint"]
 4maturity = "production"
 5updated_date = "2024/05/21"
 6
 7[rule]
 8author = ["Elastic"]
 9description = """
10An adversary may add the setuid or setgid bit to a file or directory in order to run a file with the privileges of the
11owning user or group. An adversary can take advantage of this to either do a shell escape or exploit a vulnerability in
12an application with the setuid or setgid bit to get code running in a different user’s context. Additionally,
13adversaries can use this mechanism on their own malware to make sure they're able to execute in elevated contexts in the
14future.
15"""
16from = "now-9m"
17index = ["auditbeat-*", "logs-endpoint.events.*"]
18language = "lucene"
19license = "Elastic License v2"
20max_signals = 33
21name = "Setuid / Setgid Bit Set via chmod"
22risk_score = 21
23rule_id = "8a1b0278-0f9a-487d-96bd-d4833298e87a"
24severity = "low"
25tags = [
26    "Domain: Endpoint",
27    "OS: Linux",
28    "OS: macOS",
29    "Use Case: Threat Detection",
30    "Tactic: Privilege Escalation",
31    "Data Source: Elastic Defend",
32]
33timestamp_override = "event.ingested"
34type = "query"
35
36query = '''
37event.category:process AND event.type:(start OR process_started) AND
38 process.name:chmod AND process.args:("+s" OR "u+s" OR /4[0-9]{3}/ OR g+s OR /2[0-9]{3}/) AND
39 NOT process.args:
40           (
41             /.*\/Applications\/VirtualBox.app\/.+/ OR
42             /\/usr\/local\/lib\/python.+/ OR
43             /\/var\/folders\/.+\/FP.*nstallHelper/ OR
44             /\/Library\/Filesystems\/.+/ OR
45             /\/usr\/lib\/virtualbox\/.+/ OR
46             /\/Library\/Application.*/ OR
47             "/run/postgresql" OR
48             "/var/crash" OR
49             "/var/run/postgresql" OR
50             /\/usr\/bin\/.+/ OR /\/usr\/local\/share\/.+/ OR
51             /\/Applications\/.+/ OR /\/usr\/libexec\/.+/ OR
52             "/var/metrics" OR /\/var\/lib\/dpkg\/.+/ OR
53             /\/run\/log\/journal\/.*/ OR
54             \/Users\/*\/.minikube\/bin\/docker-machine-driver-hyperkit
55           ) AND
56 NOT process.parent.executable:
57           (
58             /\/var\/lib\/docker\/.+/ OR
59             "/System/Library/PrivateFrameworks/PackageKit.framework/Versions/A/XPCServices/package_script_service.xpc/Contents/MacOS/package_script_service" OR
60             "/var/lib/dpkg/info/whoopsie.postinst"
61           )
62'''
63
64
# ATT&CK mapping, first entry: Privilege Escalation through setuid/setgid abuse.
[[rule.threat]]
framework = "MITRE ATT&CK"
tactic.id = "TA0004"
tactic.name = "Privilege Escalation"
tactic.reference = "https://attack.mitre.org/tactics/TA0004/"

[[rule.threat.technique]]
id = "T1548"
name = "Abuse Elevation Control Mechanism"
reference = "https://attack.mitre.org/techniques/T1548/"

[[rule.threat.technique.subtechnique]]
id = "T1548.001"
name = "Setuid and Setgid"
reference = "https://attack.mitre.org/techniques/T1548/001/"

# ATT&CK mapping, second entry: the same bit can also serve Persistence.
# Tactic-only mapping; no technique is listed for this entry.
[[rule.threat]]
framework = "MITRE ATT&CK"
tactic.id = "TA0003"
tactic.name = "Persistence"
tactic.reference = "https://attack.mitre.org/tactics/TA0003/"
