Setgid Bit Set via chmod | SIEM Guide [7.8]

The SIEM app is now a part of the Elastic Security solution. Click here to view the current documentation.
IMPORTANT: No additional bug fixes or documentation updates will be released for this version.

› › ›

« SSH (Secure Shell) to the Internet Setuid Bit Set via chmod »

Setgid Bit Set via chmodedit

An adversary may add the setgid bit to a file or directory in order to run a file with the privileges of the owning group. An adversary can take advantage of this to either do a shell escape or exploit a vulnerability in an application with the setgid bit to get code running in a different user’s context. Additionally, adversaries can use this mechanism on their own malware to make sure they’re able to execute in elevated contexts in the future.

Rule type: query

Rule indices:

auditbeat-*

Severity: low

Risk score: 21

Runs every: 5 minutes

Searches indices from: now-6m (Date Math format, see also Additional look-back time)

Maximum signals per execution: 33

Tags:

Elastic
Linux

Version: 1

Added (Elastic Stack release): 7.8.0

Rule queryedit

event.action:(executed OR process_started) AND process.name:chmod AND
process.args:(g+s OR /2[0-9]{3}/) AND NOT user.name:root

Threat mappingedit

Framework: MITRE ATT&CK^TM

Tactic:
- Name: Privilege Escalation
- ID: TA0004
- Reference URL: https://attack.mitre.org/tactics/TA0004/
Technique:
- Name: Setuid and Setgid
- ID: T1166
- Reference URL: https://attack.mitre.org/techniques/T1166/
Tactic:
- Name: Persistence
- ID: TA0004
- Reference URL: https://attack.mitre.org/tactics/TA0004/
Technique:
- Name: Setuid and Setgid
- ID: T1166
- Reference URL: https://attack.mitre.org/techniques/T1166/

« SSH (Secure Shell) to the Internet Setuid Bit Set via chmod »