Setuid and Setgid

 1title: Setuid and Setgid
 2id: c21c4eaa-ba2e-419a-92b2-8371703cbe21
 3status: test
 4description: Detects suspicious change of file privileges with chown and chmod commands
 5references:
 6    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1548.001/T1548.001.md
 7    - https://attack.mitre.org/techniques/T1548/001/
 8author: Ömer Günal
 9date: 2020/06/16
10modified: 2022/10/05
11tags:
12    - attack.persistence
13    - attack.t1548.001
14logsource:
15    product: linux
16    category: process_creation
17detection:
18    selection_root:
19        CommandLine|contains: 'chown root'
20    selection_perm:
21        CommandLine|contains:
22            - ' chmod u+s'
23            - ' chmod g+s'
24    condition: all of selection_*
25falsepositives:
26    - Legitimate administration activities
27level: low

References

• atomic-red-team/atomics/T1548.001/T1548.001.md at f339e7da7d05f6057fdfcdd3742bfcf365fee2a9 · redcanaryco/atomic-red-team

  

  Small and highly portable detection tests based on MITRE's ATT&CK. - redcanaryco/atomic-red-team

  
  Read More

• Abuse Elevation Control Mechanism: Setuid and Setgid, Sub-technique T1548.001 - Enterprise | MITRE ATT&CK®

  An adversary may abuse configurations where an application has the setuid or setgid bits set in order to get code running in a different (and possibly more privileged) user’s context. On Linux or m...

  
  Read More

Related rules

• Loading of Kernel Module via Insmod
• Systemd Service Reload or Start
• Scheduled task executing powershell encoded payload from registry
• Webshell Usage with ManageEngine Product
• Suspicious Commands by SQL Server