Linux Setgid Capability Set on a Binary via Setcap Utility

calendar Jan 24, 2026 · attack.privilege-escalation attack.defense-evasion attack.persistence attack.t1548 attack.t1554  ·
Share on: linkedin copy

Detects the use of the 'setcap' utility to set the 'setgid' capability (cap_setgid) on a binary file. This capability allows a non privileged process to make arbitrary manipulations of group IDs (GIDs), including setting its current GID to a value that would otherwise be restricted (i.e. GID 0, the root group). This behavior can be used by adversaries to backdoor a binary in order to escalate privileges again in the future if needed.

Sigma rule (View on GitHub)

 1title: Linux Setgid Capability Set on a Binary via Setcap Utility
 2id: 3a716279-c18c-4488-83be-f9ececbfb9fc
 3status: experimental
 4description: |
 5    Detects the use of the 'setcap' utility to set the 'setgid' capability (cap_setgid) on a binary file.
 6    This capability allows a non privileged process to make arbitrary manipulations of group IDs (GIDs), including setting its current GID to a value that would otherwise be restricted (i.e. GID 0, the root group).
 7    This behavior can be used by adversaries to backdoor a binary in order to escalate privileges again in the future if needed.    
 8references:
 9    - https://man7.org/linux/man-pages/man8/setcap.8.html
10    - https://dfir.ch/posts/linux_capabilities/
11    - https://juggernaut-sec.com/capabilities/#cap_setgid
12author: Luc Génaux
13date: 2026-01-24
14tags:
15    - attack.privilege-escalation
16    - attack.defense-evasion
17    - attack.persistence
18    - attack.t1548
19    - attack.t1554
20logsource:
21    product: linux
22    category: process_creation
23detection:
24    selection:
25        Image|endswith: '/setcap'
26        CommandLine|contains: 'cap_setgid'
27    condition: selection
28falsepositives:
29    - Unknown
30level: low

References

Related rules

to-top