SUID/SGUID Enumeration Detected

This rule monitors for the usage of the "find" command in conjunction with SUID and SGID permission arguments. SUID (Set User ID) and SGID (Set Group ID) are special permissions in Linux that allow a program to execute with the privileges of the file owner or group, respectively, rather than the privileges of the user running the program. If an attacker is able to enumerate and find a binary that is misconfigured, they might be able to leverage this misconfiguration to escalate privileges by exploiting vulnerabilities or built-in features in the privileged program.


 1[metadata]
 2creation_date = "2023/07/24"
 3integration = ["endpoint"]
 4maturity = "production"
 5min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 6min_stack_version = "8.3.0"
 7updated_date = "2023/07/24"
 8
 9[rule]
10author = ["Elastic"]
11description = """
12This rule monitors for the usage of the "find" command in conjunction with SUID and SGUID permission arguments. SUID 
13(Set User ID) and SGID (Set Group ID) are special permissions in Linux that allow a program to execute with the 
14privileges of the file owner or group, respectively, rather than the privileges of the user running the program. In
15case an attacker is able to enumerate and find a binary that is misconfigured, they might be able to leverage this 
16misconfiguration to escalate privileges by exploiting vulnerabilities or built-in features in the privileged program.
17"""
18from = "now-9m"
19index = ["logs-endpoint.events.*"]
20language = "eql"
21license = "Elastic License v2"
22name = "SUID/SGUID Enumeration Detected"
23risk_score = 21
24rule_id = "5b06a27f-ad72-4499-91db-0c69667bffa5"
25severity = "low"
26tags = ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Discovery", "Tactic: Privilege Escalation", "Data Source: Elastic Defend"]
27timestamp_override = "event.ingested"
28type = "eql"
29query = '''
30process where host.os.type == "linux" and event.type == "start" and event.action == "exec" and 
31process.name == "find" and process.args : "-perm" and process.args : (
32  "/6000", "-6000", "/4000", "-4000", "/2000", "-2000", "/u=s", "-u=s", "/g=s", "-g=s", "/u=s,g=s", "/g=s,u=s"
33) and 
34not user.Ext.real.id == "0" and not group.Ext.real.id == "0"
35'''
36
# ATT&CK mapping. Three entries: the enumeration itself (Discovery) and the two
# tactics a misconfigured setuid/setgid binary can serve once found.
[[rule.threat]]
framework = "MITRE ATT&CK"
tactic = { id = "TA0007", name = "Discovery", reference = "https://attack.mitre.org/tactics/TA0007/" }

[[rule.threat.technique]]
id = "T1083"
name = "File and Directory Discovery"
reference = "https://attack.mitre.org/techniques/T1083/"

[[rule.threat]]
framework = "MITRE ATT&CK"
tactic = { id = "TA0004", name = "Privilege Escalation", reference = "https://attack.mitre.org/tactics/TA0004/" }

[[rule.threat.technique]]
id = "T1548"
name = "Abuse Elevation Control Mechanism"
reference = "https://attack.mitre.org/techniques/T1548/"

[[rule.threat.technique.subtechnique]]
id = "T1548.001"
name = "Setuid and Setgid"
reference = "https://attack.mitre.org/techniques/T1548/001/"

# Tactic-only entry: no technique is attached to the Persistence mapping.
[[rule.threat]]
framework = "MITRE ATT&CK"
tactic = { id = "TA0003", name = "Persistence", reference = "https://attack.mitre.org/tactics/TA0003/" }

