Setgid Bit Set via chmod
This rule has been deprecated as of 2021/03/16.
An adversary may add the setgid bit to a file or directory in order to run a file with the privileges of the owning group. An adversary can take advantage of this to either do a shell escape or exploit a vulnerability in an application with the setgid bit to get code running in a different user’s context. Additionally, adversaries can use this mechanism on their own malware to make sure they're able to execute in elevated contexts in the future.
Rule type: query
Rule indices:
- auditbeat-*
- logs-endpoint.events.*
Rule Severity: low
Risk Score: 21
Runs every:
Searches indices from: now-9m
Maximum alerts per execution: 33
References:
Tags:
- Elastic
- Host
- Linux
- Threat Detection
- Privilege Escalation
Version: 100
Rule authors:
- Elastic
Rule license: Elastic License
event.category:process AND event.type:(start or process_started) AND process.name:chmod AND process.args:(g+s OR /2[0-9]{3}/) AND NOT user.name:root
Framework: MITRE ATT&CK
Tactic:
- Name: Privilege Escalation
- Id: TA0004
- Reference URL: https://attack.mitre.org/tactics/TA0004/
Technique:
- Name: Abuse Elevation Control Mechanism
- Id: T1548
- Reference URL: https://attack.mitre.org/techniques/T1548/
Sub Technique:
- Name: Setuid and Setgid
- Id: T1548.001
- Reference URL: https://attack.mitre.org/techniques/T1548/001/
Framework: MITRE ATT&CK
- Tactic:
- Name: Persistence
- Id: TA0003
- Reference URL: https://attack.mitre.org/tactics/TA0003/