Privilege Escalation via CAP_CHOWN/CAP_FOWNER Capabilities
Identifies instances where a processes (granted CAP_CHOWN and/or CAP_FOWNER capabilities) is executed, after which the ownership of a suspicious file or binary is changed. In Linux, the CAP_CHOWN capability allows a process to change the owner of a file, while CAP_FOWNER permits it to bypass permission checks on operations that require file ownership (like reading, writing, and executing). Attackers may abuse these capabilities to obtain unauthorized access to files.
Elastic rule (View on GitHub)
1[metadata]
2creation_date = "2024/01/08"
3integration = ["endpoint", "auditd_manager"]
4maturity = "production"
5updated_date = "2025/01/15"
6
7[rule]
8author = ["Elastic"]
9description = """
10Identifies instances where a processes (granted CAP_CHOWN and/or CAP_FOWNER capabilities) is executed, after which the
11ownership of a suspicious file or binary is changed. In Linux, the CAP_CHOWN capability allows a process to change the
12owner of a file, while CAP_FOWNER permits it to bypass permission checks on operations that require file ownership (like
13reading, writing, and executing). Attackers may abuse these capabilities to obtain unauthorized access to files.
14"""
15from = "now-9m"
16index = ["logs-endpoint.events.*", "auditbeat-*", "logs-auditd_manager.auditd-*"]
17language = "eql"
18license = "Elastic License v2"
19name = "Privilege Escalation via CAP_CHOWN/CAP_FOWNER Capabilities"
20risk_score = 47
21rule_id = "d55abdfb-5384-402b-add4-6c401501b0c3"
22setup = """## Setup
23
24
25This rule requires data coming in from Auditd Manager.
26
27### Auditd Manager Integration Setup
28The Auditd Manager Integration receives audit events from the Linux Audit Framework which is a part of the Linux kernel.
29Auditd Manager provides a user-friendly interface and automation capabilities for configuring and monitoring system auditing through the auditd daemon. With `auditd_manager`, administrators can easily define audit rules, track system events, and generate comprehensive audit reports, improving overall security and compliance in the system.
30
31#### The following steps should be executed in order to add the Elastic Agent System integration "auditd_manager" on a Linux System:
32- Go to the Kibana home page and click “Add integrations”.
33- In the query bar, search for “Auditd Manager” and select the integration to see more details about it.
34- Click “Add Auditd Manager”.
35- Configure the integration name and optionally add a description.
36- Review optional and advanced settings accordingly.
37- Add the newly installed “auditd manager” to an existing or a new agent policy, and deploy the agent on a Linux system from which auditd log files are desirable.
38- Click “Save and Continue”.
39- For more details on the integration refer to the [helper guide](https://docs.elastic.co/integrations/auditd_manager).
40
41#### Rule Specific Setup Note
42Auditd Manager subscribes to the kernel and receives events as they occur without any additional configuration.
43However, if more advanced configuration is required to detect specific behavior, audit rules can be added to the integration in either the "audit rules" configuration box or the "auditd rule files" box by specifying a file to read the audit rules from.
44- For this detection rule the following additional audit rules are required to be added to the integration:
45 -- "-w /etc/ -p rwxa -k audit_recursive_etc"
46 -- "-w /root/ -p rwxa -k audit_root"
47"""
48severity = "medium"
49tags = [
50 "Data Source: Auditd Manager",
51 "Domain: Endpoint",
52 "OS: Linux",
53 "Use Case: Threat Detection",
54 "Tactic: Privilege Escalation",
55 "Data Source: Elastic Defend",
56 "Resources: Investigation Guide",
57]
58type = "eql"
59
60query = '''
61sequence by host.id, process.pid with maxspan=1s
62 [process where host.os.type == "linux" and event.type == "start" and event.action == "exec" and
63 process.name != null and process.thread.capabilities.effective : ("CAP_CHOWN", "CAP_FOWNER") and
64 process.command_line : ("*sudoers*", "*passwd*", "*shadow*", "*/root/*") and user.id != "0"]
65 [file where host.os.type == "linux" and event.action == "changed-file-ownership-of" and event.type == "change" and
66 event.outcome == "success" and file.path in (
67 "/etc/passwd",
68 "/etc/shadow",
69 "/etc/sudoers",
70 "/root/.ssh/*"
71 ) and user.id != "0"
72 ]
73'''
74note = """## Triage and analysis
75
76> **Disclaimer**:
77> This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs.
78
79### Investigating Privilege Escalation via CAP_CHOWN/CAP_FOWNER Capabilities
80
81In Linux, CAP_CHOWN and CAP_FOWNER are capabilities that allow processes to change file ownership and bypass file permission checks, respectively. Adversaries exploit these to gain unauthorized access to sensitive files, such as password or configuration files. The detection rule identifies suspicious processes with these capabilities that alter ownership of critical files, signaling potential privilege escalation attempts.
82
83### Possible investigation steps
84
85- Review the process details, including process.name and process.command_line, to understand the context of the executed process and its intended function.
86- Check the user.id associated with the process to determine if the process was executed by a non-root user, which could indicate unauthorized privilege escalation attempts.
87- Investigate the file.path that had its ownership changed to assess the potential impact, focusing on critical files like /etc/passwd, /etc/shadow, /etc/sudoers, and /root/.ssh/*.
88- Analyze the sequence of events by examining the host.id and process.pid to identify any related processes or activities that occurred within the maxspan=1s timeframe.
89- Correlate the event with other logs or alerts from the same host to identify any patterns or additional suspicious activities that might indicate a broader attack or compromise.
90
91### False positive analysis
92
93- System administration scripts or automated processes may legitimately use CAP_CHOWN or CAP_FOWNER capabilities to manage file permissions or ownership. Review and whitelist these processes if they are verified as non-malicious.
94- Backup or restoration operations often require changing file ownership and permissions. Identify and exclude these operations from triggering alerts by specifying known backup tools or scripts.
95- Software installation or update processes might alter file ownership as part of their normal operation. Monitor and exclude these processes if they are part of a trusted software management system.
96- Development or testing environments may have scripts that modify file ownership for testing purposes. Ensure these environments are properly segmented and exclude known development scripts from detection.
97- Custom user scripts that require elevated permissions for legitimate tasks should be reviewed and, if deemed safe, added to an exception list to prevent false positives.
98
99### Response and remediation
100
101- Immediately isolate the affected host from the network to prevent further unauthorized access or data exfiltration.
102- Terminate any suspicious processes identified with CAP_CHOWN or CAP_FOWNER capabilities that are altering file ownership, especially those targeting critical files like /etc/passwd or /etc/shadow.
103- Revert any unauthorized changes to file ownership or permissions on critical files to their original state to restore system integrity.
104- Conduct a thorough review of user accounts and privileges on the affected system to identify and disable any unauthorized accounts or privilege escalations.
105- Escalate the incident to the security operations center (SOC) or incident response team for further investigation and to determine if additional systems are compromised.
106- Implement additional monitoring on the affected host and similar systems to detect any further attempts to exploit CAP_CHOWN or CAP_FOWNER capabilities.
107- Review and update security policies and configurations to restrict the assignment of CAP_CHOWN and CAP_FOWNER capabilities to only trusted and necessary processes."""
108
109
110[[rule.threat]]
111framework = "MITRE ATT&CK"
112[[rule.threat.technique]]
113id = "T1068"
114name = "Exploitation for Privilege Escalation"
115reference = "https://attack.mitre.org/techniques/T1068/"
116
117
118[rule.threat.tactic]
119id = "TA0004"
120name = "Privilege Escalation"
121reference = "https://attack.mitre.org/tactics/TA0004/"
Triage and analysis
Disclaimer: This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs.
Investigating Privilege Escalation via CAP_CHOWN/CAP_FOWNER Capabilities
In Linux, CAP_CHOWN and CAP_FOWNER are capabilities that allow processes to change file ownership and bypass file permission checks, respectively. Adversaries exploit these to gain unauthorized access to sensitive files, such as password or configuration files. The detection rule identifies suspicious processes with these capabilities that alter ownership of critical files, signaling potential privilege escalation attempts.
Possible investigation steps
- Review the process details, including process.name and process.command_line, to understand the context of the executed process and its intended function.
- Check the user.id associated with the process to determine if the process was executed by a non-root user, which could indicate unauthorized privilege escalation attempts.
- Investigate the file.path that had its ownership changed to assess the potential impact, focusing on critical files like /etc/passwd, /etc/shadow, /etc/sudoers, and /root/.ssh/*.
- Analyze the sequence of events by examining the host.id and process.pid to identify any related processes or activities that occurred within the maxspan=1s timeframe.
- Correlate the event with other logs or alerts from the same host to identify any patterns or additional suspicious activities that might indicate a broader attack or compromise.
False positive analysis
- System administration scripts or automated processes may legitimately use CAP_CHOWN or CAP_FOWNER capabilities to manage file permissions or ownership. Review and whitelist these processes if they are verified as non-malicious.
- Backup or restoration operations often require changing file ownership and permissions. Identify and exclude these operations from triggering alerts by specifying known backup tools or scripts.
- Software installation or update processes might alter file ownership as part of their normal operation. Monitor and exclude these processes if they are part of a trusted software management system.
- Development or testing environments may have scripts that modify file ownership for testing purposes. Ensure these environments are properly segmented and exclude known development scripts from detection.
- Custom user scripts that require elevated permissions for legitimate tasks should be reviewed and, if deemed safe, added to an exception list to prevent false positives.
Response and remediation
- Immediately isolate the affected host from the network to prevent further unauthorized access or data exfiltration.
- Terminate any suspicious processes identified with CAP_CHOWN or CAP_FOWNER capabilities that are altering file ownership, especially those targeting critical files like /etc/passwd or /etc/shadow.
- Revert any unauthorized changes to file ownership or permissions on critical files to their original state to restore system integrity.
- Conduct a thorough review of user accounts and privileges on the affected system to identify and disable any unauthorized accounts or privilege escalations.
- Escalate the incident to the security operations center (SOC) or incident response team for further investigation and to determine if additional systems are compromised.
- Implement additional monitoring on the affected host and similar systems to detect any further attempts to exploit CAP_CHOWN or CAP_FOWNER capabilities.
- Review and update security policies and configurations to restrict the assignment of CAP_CHOWN and CAP_FOWNER capabilities to only trusted and necessary processes.
Related rules
- Kernel Load or Unload via Kexec Detected
- Potential Sudo Privilege Escalation via CVE-2019-14287
- Potential Unauthorized Access via Wildcard Injection Detected
- Suspicious Passwd File Event Action
- AWS SSM `SendCommand` with Run Shell Command Parameters