SUID/SGID Bit Set
An adversary may add the setuid or setgid bit to a file or directory in order to run a file with the privileges of the owning user or group. An adversary can take advantage of this to either do a shell escape or exploit a vulnerability in an application with the setuid or setgid bit to get code running in a different user’s context. Additionally, adversaries can use this mechanism on their own malware to make sure they're able to execute in elevated contexts in the future.
Elastic rule
[metadata]
creation_date = "2020/04/23"
integration = ["endpoint"]
maturity = "production"
updated_date = "2024/09/23"

[rule]
author = ["Elastic"]
description = """
An adversary may add the setuid or setgid bit to a file or directory in order to run a file with the privileges of the
owning user or group. An adversary can take advantage of this to either do a shell escape or exploit a vulnerability in
an application with the setuid or setgid bit to get code running in a different user’s context. Additionally,
adversaries can use this mechanism on their own malware to make sure they're able to execute in elevated contexts in the
future.
"""
from = "now-9m"
index = ["auditbeat-*", "logs-endpoint.events.*"]
language = "eql"
license = "Elastic License v2"
max_signals = 33
name = "SUID/SGID Bit Set"
references = ["https://www.elastic.co/security-labs/primer-on-persistence-mechanisms"]
risk_score = 21
rule_id = "8a1b0278-0f9a-487d-96bd-d4833298e87a"
severity = "low"
tags = [
  "Domain: Endpoint",
  "OS: Linux",
  "OS: macOS",
  "Use Case: Threat Detection",
  "Tactic: Privilege Escalation",
  "Data Source: Elastic Defend",
]
timestamp_override = "event.ingested"
type = "eql"

query = '''
process where host.os.type == "linux" and event.type == "start" and event.action == "exec" and (
  (process.name == "chmod" and (process.args : ("+s", "u+s", "g+s") or process.args regex "[24][0-9]{3}")) or
  (process.name == "install" and process.args : "-m" and
  (process.args : ("+s", "u+s", "g+s") or process.args regex "[24][0-9]{3}"))
) and not (
  process.parent.executable : (
    "/usr/NX/*", "/var/lib/docker/*", "/var/lib/dpkg/info*", "/tmp/newroot/*",
    "/System/Library/PrivateFrameworks/PackageKit.framework/Versions/A/XPCServices/package_script_service.xpc/Contents/MacOS/package_script_service"
  ) or
  process.args : (
    "/run/*", "/var/run/*", "/usr/bin/keybase-redirector", "/usr/local/share/fonts", "/usr/bin/ssh-agent"
  )
)
'''

[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1548"
name = "Abuse Elevation Control Mechanism"
reference = "https://attack.mitre.org/techniques/T1548/"
[[rule.threat.technique.subtechnique]]
id = "T1548.001"
name = "Setuid and Setgid"
reference = "https://attack.mitre.org/techniques/T1548/001/"

[rule.threat.tactic]
id = "TA0004"
name = "Privilege Escalation"
reference = "https://attack.mitre.org/tactics/TA0004/"
[[rule.threat]]
framework = "MITRE ATT&CK"

[rule.threat.tactic]
id = "TA0003"
name = "Persistence"
reference = "https://attack.mitre.org/tactics/TA0003/"
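To see which process events the EQL query above would alert on, its logic can be replayed offline. The Python below is an added example written for this page, not Elastic's code: it re-implements the query (the literal `+s`/`u+s`/`g+s` arguments or a four-digit mode matched in full by `[24][0-9]{3}`, the `-m` requirement for `install`, and the parent-executable and argument exclusions) over a handful of constructed process events. The event dictionaries, file paths and parent processes are constructed for the example; that EQL's `regex` must match the whole field value and that `:` compares case-insensitively with `*` as a wildcard is assumed from Elastic's EQL semantics.

```python
import re
from fnmatch import fnmatchcase

# Argument forms the rule treats as setting the setuid/setgid bit
SUID_ARG_LITERALS = ("+s", "u+s", "g+s")
# Assumption: EQL `regex` must match the whole value, so this is a four-digit
# mode whose first digit is 4 (setuid) or 2 (setgid)
SUID_MODE_RE = re.compile(r"[24][0-9]{3}")

# Exclusion lists taken from the rule's `not (...)` clause
EXCLUDED_PARENTS = (
    "/usr/NX/*", "/var/lib/docker/*", "/var/lib/dpkg/info*", "/tmp/newroot/*",
    "/System/Library/PrivateFrameworks/PackageKit.framework/Versions/A/XPCServices/"
    "package_script_service.xpc/Contents/MacOS/package_script_service",
)
EXCLUDED_ARGS = (
    "/run/*", "/var/run/*", "/usr/bin/keybase-redirector",
    "/usr/local/share/fonts", "/usr/bin/ssh-agent",
)


def wildcard_match(value, patterns):
    """Assumed EQL `:` semantics on keyword fields: case-insensitive, `*` wildcard."""
    value = value.lower()
    return any(fnmatchcase(value, p.lower()) for p in patterns)


def sets_suid_or_sgid(args):
    """True if any argument is a +s form or a full match of the mode regex."""
    return any(a.lower() in SUID_ARG_LITERALS or SUID_MODE_RE.fullmatch(a)
               for a in args)


def matches_rule(event):
    """Replay the rule's EQL query against one flattened process event."""
    if (event.get("host.os.type") != "linux"
            or event.get("event.type") != "start"
            or event.get("event.action") != "exec"):
        return False
    name = event.get("process.name")
    args = event.get("process.args", [])
    if name == "chmod":
        hit = sets_suid_or_sgid(args)
    elif name == "install":
        hit = any(a.lower() == "-m" for a in args) and sets_suid_or_sgid(args)
    else:
        hit = False
    if not hit:
        return False
    # Exclusions: known package/container tooling parents and benign paths
    if wildcard_match(event.get("process.parent.executable", ""), EXCLUDED_PARENTS):
        return False
    if any(wildcard_match(a, EXCLUDED_ARGS) for a in args):
        return False
    return True


def _event(name, args, parent="/usr/bin/bash", os_type="linux"):
    # Constructed event in the flattened field layout the rule queries;
    # process.args carries the executable name as its first element
    return {
        "host.os.type": os_type, "event.type": "start", "event.action": "exec",
        "process.name": name, "process.args": [name] + args,
        "process.parent.executable": parent,
    }


# Constructed sample events (paths and parents are illustrative only)
SAMPLE_EVENTS = {
    "chmod_u+s": _event("chmod", ["u+s", "/tmp/helper"]),
    "chmod_4755": _event("chmod", ["4755", "/usr/local/bin/helper"]),
    "chmod_6755_both_bits": _event("chmod", ["6755", "/usr/local/bin/helper"]),
    "chmod_0755": _event("chmod", ["0755", "/usr/local/bin/helper"]),
    "install_m_4755": _event("install", ["-m", "4755", "helper", "/usr/local/bin/helper"]),
    "dpkg_postinst_parent": _event("chmod", ["u+s", "/usr/bin/helper"],
                                   parent="/var/lib/dpkg/info/helper.postinst"),
    "excluded_run_path": _event("chmod", ["+s", "/run/helper"]),
    "macos_chmod_u+s": _event("chmod", ["u+s", "/tmp/helper"], os_type="macos"),
}


def alerting_events(events=SAMPLE_EVENTS):
    """Names of the sample events the rule would alert on, sorted."""
    return sorted(key for key, ev in events.items() if matches_rule(ev))


if __name__ == "__main__":
    for key, ev in SAMPLE_EVENTS.items():
        print(f"{key:24} -> {'ALERT' if matches_rule(ev) else 'no match'}")
```

Two properties of the query as written become visible when the samples run: a mode such as `6755`, which sets both bits at once, is not matched by `[24][0-9]{3}`, so a tuning that wants to cover it has to widen the regex; and the query requires `host.os.type == "linux"` even though the rule is tagged `OS: macOS`, so an otherwise identical macOS event produces no alert.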
Related rules
- Potential Privilege Escalation via Sudoers File Modification
- Sudoers File Modification
- Sudo Heap-Based Buffer Overflow Attempt
- At Job Created or Modified
- Potential Reverse Shell Activity via Terminal