Linux Capabilities Discovery

 1title: Linux Capabilities Discovery
 2id: fe10751f-1995-40a5-aaa2-c97ccb4123fe
 3status: test
 4description: Detects attempts to discover the files with setuid/setgid capability on them. That would allow adversary to escalate their privileges.
 5references:
 6    - https://man7.org/linux/man-pages/man8/getcap.8.html
 7    - https://www.hackingarticles.in/linux-privilege-escalation-using-capabilities/
 8    - https://mn3m.info/posts/suid-vs-capabilities/
 9    - https://int0x33.medium.com/day-44-linux-capabilities-privilege-escalation-via-openssl-with-selinux-enabled-and-enforced-74d2bec02099
10author: 'Pawel Mazur'
11date: 2021-11-28
12modified: 2022-12-25
13tags:
14    - attack.defense-evasion
15    - attack.collection
16    - attack.privilege-escalation
17    - attack.t1123
18    - attack.t1548
19logsource:
20    product: linux
21    service: auditd
22detection:
23    selection:
24        type: EXECVE
25        a0: getcap
26        a1: '-r'
27        a2: '/'
28    condition: selection
29falsepositives:
30    - Unknown
31level: low

References

• getcap(8) - Linux manual page

  getcap(8) — Linux manual page GETCAP(8) System Manager's Manual GETCAP(8) NAME         top getcap - examine file capabilities SYNOPSIS         top getcap [-v] [-n] [-r] [-h] filename [ ... ] DESCRI...

  
  Read More

• Linux Privilege Escalation using Capabilities

  

  Exploit Linux capabilities for privilege escalation: Bypass restrictions, gain root access, and secure misconfigured systems.

  
  Read More

• SUID vs Capabilities :: mn3m

  

  Review SUID vs Capabilities to gain privileges in practice;

  
  Read More

• Day 44: Linux Capabilities Privilege Escalation via OpenSSL with SELinux Enabled and Enforced.

  

  Linux Capabilities

  
  Read More

Related rules

• AWS STS AssumeRole Misuse
• AWS STS GetSessionToken Misuse
• AWS Suspicious SAML Activity
• Abused Debug Privilege by Arbitrary Parent Processes
• CA Policy Removed by Non Approved Actor