Linux Capabilities Discovery
Detects attempts to discover the files with setuid/setgid capability on them. That would allow adversary to escalate their privileges.
Sigma rule (View on GitHub)
1title: Linux Capabilities Discovery
2id: fe10751f-1995-40a5-aaa2-c97ccb4123fe
3status: test
4description: Detects attempts to discover the files with setuid/setgid capability on them. That would allow adversary to escalate their privileges.
5references:
6 - https://man7.org/linux/man-pages/man8/getcap.8.html
7 - https://www.hackingarticles.in/linux-privilege-escalation-using-capabilities/
8 - https://mn3m.info/posts/suid-vs-capabilities/
9 - https://int0x33.medium.com/day-44-linux-capabilities-privilege-escalation-via-openssl-with-selinux-enabled-and-enforced-74d2bec02099
10author: 'Pawel Mazur'
11date: 2021-11-28
12modified: 2022-12-25
13tags:
14 - attack.collection
15 - attack.privilege-escalation
16 - attack.t1123
17 - attack.t1548
18logsource:
19 product: linux
20 service: auditd
21detection:
22 selection:
23 type: EXECVE
24 a0: getcap
25 a1: '-r'
26 a2: '/'
27 condition: selection
28falsepositives:
29 - Unknown
30level: low
References
-
getcap(8) — Linux manual page GETCAP(8) System Manager's Manual GETCAP(8) NAME top getcap - examine file capabilities SYNOPSIS top getcap [-v] [-n] [-r] [-h] filename [ ... ] DESCRI...
Read More -
In this article, we will discuss the mechanism of “capability” and Privilege escalation by abusing it. As we know when the system creates a work
Read More -
Related rules
- AWS STS AssumeRole Misuse
- AWS STS GetSessionToken Misuse
- AWS Suspicious SAML Activity
- Abused Debug Privilege by Arbitrary Parent Processes
- Audio Capture