Setuid / Setgid Bit Set via chmod

An adversary may add the setuid or setgid bit to a file or directory in order to run a file with the privileges of the owning user or group. An adversary can take advantage of this to either do a shell escape or exploit a vulnerability in an application with the setuid or setgid bit to get code running in a different user’s context. Additionally, adversaries can use this mechanism on their own malware to make sure they're able to execute in elevated contexts in the future.

Elastic rule (TOML source)

 1[metadata]
 2creation_date = "2020/04/23"
 3integration = ["endpoint"]
 4maturity = "production"
 5min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 6min_stack_version = "8.3.0"
 7updated_date = "2023/06/22"
 8
 9[rule]
10author = ["Elastic"]
11description = """
12An adversary may add the setuid or setgid bit to a file or directory in order to run a file with the privileges of the
13owning user or group. An adversary can take advantage of this to either do a shell escape or exploit a vulnerability in
14an application with the setuid or setgid bit to get code running in a different user’s context. Additionally,
15adversaries can use this mechanism on their own malware to make sure they're able to execute in elevated contexts in the
16future.
17"""
18from = "now-9m"
19index = ["auditbeat-*", "logs-endpoint.events.*"]
20language = "lucene"
21license = "Elastic License v2"
22max_signals = 33
23name = "Setuid / Setgid Bit Set via chmod"
24risk_score = 21
25rule_id = "8a1b0278-0f9a-487d-96bd-d4833298e87a"
26severity = "low"
27tags = ["Domain: Endpoint", "OS: Linux", "OS: macOS", "Use Case: Threat Detection", "Tactic: Privilege Escalation", "Data Source: Elastic Defend"]
28timestamp_override = "event.ingested"
29type = "query"
30
31query = '''
32event.category:process AND event.type:(start OR process_started) AND
33 process.name:chmod AND process.args:("+s" OR "u+s" OR /4[0-9]{3}/ OR g+s OR /2[0-9]{3}/) AND
34 NOT process.args:
35           (
36             /.*\/Applications\/VirtualBox.app\/.+/ OR
37             /\/usr\/local\/lib\/python.+/ OR
38             /\/var\/folders\/.+\/FP.*nstallHelper/ OR
39             /\/Library\/Filesystems\/.+/ OR
40             /\/usr\/lib\/virtualbox\/.+/ OR
41             /\/Library\/Application.*/ OR
42             "/run/postgresql" OR
43             "/var/crash" OR
44             "/var/run/postgresql" OR
45             /\/usr\/bin\/.+/ OR /\/usr\/local\/share\/.+/ OR
46             /\/Applications\/.+/ OR /\/usr\/libexec\/.+/ OR
47             "/var/metrics" OR /\/var\/lib\/dpkg\/.+/ OR
48             /\/run\/log\/journal\/.*/ OR
49             \/Users\/*\/.minikube\/bin\/docker-machine-driver-hyperkit
50           ) AND
51 NOT process.parent.executable:
52           (
53             /\/var\/lib\/docker\/.+/ OR
54             "/System/Library/PrivateFrameworks/PackageKit.framework/Versions/A/XPCServices/package_script_service.xpc/Contents/MacOS/package_script_service" OR
55             "/var/lib/dpkg/info/whoopsie.postinst"
56           )
57'''
58
59
60[[rule.threat]]
61framework = "MITRE ATT&CK"
62[[rule.threat.technique]]
63id = "T1548"
64name = "Abuse Elevation Control Mechanism"
65reference = "https://attack.mitre.org/techniques/T1548/"
66[[rule.threat.technique.subtechnique]]
67id = "T1548.001"
68name = "Setuid and Setgid"
69reference = "https://attack.mitre.org/techniques/T1548/001/"
70
71
72
73[rule.threat.tactic]
74id = "TA0004"
75name = "Privilege Escalation"
76reference = "https://attack.mitre.org/tactics/TA0004/"
77[[rule.threat]]
78framework = "MITRE ATT&CK"
79
80[rule.threat.tactic]
81id = "TA0003"
82name = "Persistence"
83reference = "https://attack.mitre.org/tactics/TA0003/"
