SUID/SGID Bit Set

An adversary may add the setuid or setgid bit to a file or directory in order to run a file with the privileges of the owning user or group. An adversary can take advantage of this to either do a shell escape or exploit a vulnerability in an application with the setuid or setgid bit to get code running in a different user’s context. Additionally, adversaries can use this mechanism on their own malware to make sure they're able to execute in elevated contexts in the future.

Elastic rule (View on GitHub)

 1[metadata]
 2creation_date = "2020/04/23"
 3integration = ["endpoint"]
 4maturity = "production"
 5updated_date = "2024/09/23"
 6
 7[rule]
 8author = ["Elastic"]
 9description = """
10An adversary may add the setuid or setgid bit to a file or directory in order to run a file with the privileges of the
11owning user or group. An adversary can take advantage of this to either do a shell escape or exploit a vulnerability in
12an application with the setuid or setgid bit to get code running in a different user’s context. Additionally,
13adversaries can use this mechanism on their own malware to make sure they're able to execute in elevated contexts in the
14future.
15"""
16from = "now-9m"
17index = ["auditbeat-*", "logs-endpoint.events.*"]
18language = "eql"
19license = "Elastic License v2"
20max_signals = 33
21name = "SUID/SGID Bit Set"
22references = ["https://www.elastic.co/security-labs/primer-on-persistence-mechanisms"]
23risk_score = 21
24rule_id = "8a1b0278-0f9a-487d-96bd-d4833298e87a"
25severity = "low"
26tags = [
27    "Domain: Endpoint",
28    "OS: Linux",
29    "OS: macOS",
30    "Use Case: Threat Detection",
31    "Tactic: Privilege Escalation",
32    "Data Source: Elastic Defend",
33]
34timestamp_override = "event.ingested"
35type = "eql"
36
37query = '''
38process where host.os.type == "linux" and event.type == "start" and event.action == "exec" and (
39  (process.name == "chmod" and (process.args : ("+s", "u+s", "g+s") or process.args regex "[24][0-9]{3}")) or
40  (process.name == "install" and process.args : "-m" and
41  (process.args : ("+s", "u+s", "g+s") or process.args regex "[24][0-9]{3}"))
42) and not (
43  process.parent.executable : (
44    "/usr/NX/*", "/var/lib/docker/*", "/var/lib/dpkg/info*", "/tmp/newroot/*",
45    "/System/Library/PrivateFrameworks/PackageKit.framework/Versions/A/XPCServices/package_script_service.xpc/Contents/MacOS/package_script_service"
46  ) or
47  process.args : (
48    "/run/*", "/var/run/*", "/usr/bin/keybase-redirector", "/usr/local/share/fonts", "/usr/bin/ssh-agent"
49  )
50)
51'''
52
53
54[[rule.threat]]
55framework = "MITRE ATT&CK"
56[[rule.threat.technique]]
57id = "T1548"
58name = "Abuse Elevation Control Mechanism"
59reference = "https://attack.mitre.org/techniques/T1548/"
60[[rule.threat.technique.subtechnique]]
61id = "T1548.001"
62name = "Setuid and Setgid"
63reference = "https://attack.mitre.org/techniques/T1548/001/"
64
65
66
67[rule.threat.tactic]
68id = "TA0004"
69name = "Privilege Escalation"
70reference = "https://attack.mitre.org/tactics/TA0004/"
71[[rule.threat]]
72framework = "MITRE ATT&CK"
73
74[rule.threat.tactic]
75id = "TA0003"
76name = "Persistence"
77reference = "https://attack.mitre.org/tactics/TA0003/"

References

Related rules

to-top