Find Binary Searching for Executables with Setuid or Setguid Bit (RedCanary Threat Detection Report)

Detects search for setuid or setgid binaries. This rule looks specifically for execution of the find binary searching for executables with the setuid or setgid bit set. Part of the RedCanary 2023 Threat Detection Report.

Sigma rule

```yaml
title: Find Binary Searching for Executables with Setuid or Setguid Bit (RedCanary Threat Detection Report)
id: 1312409d-9cf1-43c4-82dd-25f5ef59283c
status: experimental
description: |
    Detects search for setuid or setgid binaries. This rule looks specifically for execution of the find
    binary searching for executables with the setuid or setgid bit set. Part of the RedCanary 2023
    Threat Detection Report.
references:
    - https://redcanary.com/threat-detection-report/techniques/setuid-setgid/
author: RedCanary, Sigma formatting by Micah Babinski
date: 2023/05/10
tags:
    - attack.privilege_escalation
    - attack.t1548.001
logsource:
    category: process_creation
    product: linux
detection:
    selection_1:
        Image|contains: 'find'
    selection_2:
        CommandLine|contains: '-perm'
    selection_3:
        CommandLine|contains:
            - '4000'
            - '2000'
            - 'u=s'
            - 'g=s'
    condition: all of selection_*
falsepositives:
    - Unknown
level: low
```
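To show what the three selections and the `all of selection_*` condition actually do, here is the rule's matching logic transcribed into Python and run over a handful of constructed Linux process_creation events. This is an added example, not code from the rule's author or from Red Canary; it assumes Sigma's default case-insensitive `contains` semantics and uses only the `Image` and `CommandLine` fields the rule references.

```python
# Constructed process_creation events (not from the page or the report),
# in the shape the rule's logsource expects: an Image and a CommandLine field.
SAMPLE_EVENTS = [
    {"Image": "/usr/bin/find", "CommandLine": "find / -perm -4000 -type f 2>/dev/null"},
    {"Image": "/usr/bin/find", "CommandLine": "find / -type f -perm -u=s"},
    {"Image": "/usr/bin/find", "CommandLine": "find /var/log -name '*.log' -mtime +7"},
    {"Image": "/usr/bin/find", "CommandLine": "find /data -perm 0644 -newermt 2000-01-01"},
    {"Image": "/bin/ls", "CommandLine": "ls -l /usr/bin/passwd"},
]

# The rule's selections, transcribed from the YAML above:
# (field, substrings) -- a selection matches when any substring is present.
SELECTIONS = {
    "selection_1": ("Image", ["find"]),
    "selection_2": ("CommandLine", ["-perm"]),
    "selection_3": ("CommandLine", ["4000", "2000", "u=s", "g=s"]),
}


def selection_matches(event, field, needles):
    """Sigma 'contains': substring match; case-insensitive is the assumed default."""
    value = str(event.get(field, "")).lower()
    return any(needle.lower() in value for needle in needles)


def matches_rule(event):
    """condition: all of selection_* -- every selection must match the same event."""
    return all(selection_matches(event, field, needles)
               for field, needles in SELECTIONS.values())


def alerts(events):
    """Return the command lines of every event the rule would flag."""
    return [e["CommandLine"] for e in events if matches_rule(e)]


if __name__ == "__main__":
    for line in alerts(SAMPLE_EVENTS):
        print("ALERT:", line)
```

The fourth sample event fires even though it is not a setuid search, because `2000` is matched as a bare substring inside the `-newermt 2000-01-01` date argument; that is the kind of hit a deployment should expect to tune out before raising the rule above `level: low`.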
