Setuid and Setgid
Detects suspicious change of file privileges with chown and chmod commands
Sigma rule (View on GitHub)
1title: Setuid and Setgid
2id: c21c4eaa-ba2e-419a-92b2-8371703cbe21
3status: test
4description: Detects suspicious change of file privileges with chown and chmod commands
5references:
6 - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1548.001/T1548.001.md
7author: Ömer Günal
8date: 2020-06-16
9modified: 2022-10-05
10tags:
11 - attack.defense-evasion
12 - attack.persistence
13 - attack.privilege-escalation
14 - attack.t1548.001
15logsource:
16 product: linux
17 category: process_creation
18detection:
19 selection_root:
20 CommandLine|contains: 'chown root'
21 selection_perm:
22 CommandLine|contains:
23 - ' chmod u+s'
24 - ' chmod g+s'
25 condition: all of selection_*
26falsepositives:
27 - Legitimate administration activities
28level: low
References
-
Small and highly portable detection tests based on MITRE's ATT&CK. - redcanaryco/atomic-red-team
Read More
Related rules
- APT27 - Emissary Panda Activity
- AWS IAM S3Browser LoginProfile Creation
- AWS IAM S3Browser Templated S3 Bucket Policy Creation
- AWS IAM S3Browser User or AccessKey Creation
- AWS Key Pair Import Activity