T1548.001 Setuid and Setgid Detection — KQL & SPL Queries for Sentinel and Splunk

Microsoft Sentinel / Defender

kusto

// T1548.001 — Setuid/Setgid abuse detection on Linux/macOS endpoints
// Requires Linux or macOS endpoints enrolled in Defender for Endpoint
// Part 1: Detect chmod setting SUID/SGID bits
let ChmodSUID = DeviceProcessEvents
| where Timestamp > ago(24h)
| where FileName in~ ("chmod")
| where ProcessCommandLine has_any ("4777", "4755", "4711", "u+s", "+s",
                                    "2777", "2755", "g+s", "6777", "6755")
| extend SetUID = ProcessCommandLine has_any ("4777", "4755", "4711", "u+s")
| extend SetGID = ProcessCommandLine has_any ("2777", "2755", "g+s")
| extend DetectionType = "Chmod_SUID_SGID_Set"
| project Timestamp, DeviceName, AccountName, FileName, ProcessCommandLine,
          InitiatingProcessFileName, InitiatingProcessCommandLine,
          SetUID, SetGID, DetectionType;
// Part 2: Detect find commands searching for SUID/SGID binaries (attacker recon)
let FindSUID = DeviceProcessEvents
| where Timestamp > ago(24h)
| where FileName =~ "find"
| where ProcessCommandLine has_any ("-perm +4000", "-perm -4000", "-perm /4000",
                                    "-perm +2000", "-perm -2000", "-perm /2000",
                                    "-perm +6000", "setuid", "setgid")
| extend DetectionType = "Find_SUID_SGID_Discovery"
| project Timestamp, DeviceName, AccountName, FileName, ProcessCommandLine,
          InitiatingProcessFileName, InitiatingProcessCommandLine, DetectionType;
// Part 3: Detect unexpected SUID binaries executing as root from non-standard paths
let SUIDBinaryExec = DeviceProcessEvents
| where Timestamp > ago(24h)
| where AccountName =~ "root"
| where FolderPath has_any ("/tmp/", "/var/tmp/", "/dev/shm/", "/home/")
| extend DetectionType = "Root_Exec_From_User_Path"
| project Timestamp, DeviceName, AccountName, FileName, ProcessCommandLine,
          InitiatingProcessFileName, InitiatingProcessCommandLine, FolderPath, DetectionType;
union ChmodSUID, FindSUID, SUIDBinaryExec
| sort by Timestamp desc

high severity medium confidence

Data Sources

Process: Process Creation File: File Metadata Microsoft Defender for Endpoint (Linux/macOS)

Required Tables

DeviceProcessEvents

False Positives

System administrators legitimately setting SUID on binaries that require it (e.g., ping, passwd, sudo itself)
Package manager installations (apt, yum, dnf) that set appropriate SUID bits on system utilities
Security auditors running find commands to enumerate SUID binaries during authorized security assessments
Software build systems that set SUID bits on installed binaries as part of the build process

Splunk

spl

index=linux_logs (sourcetype="linux_secure" OR sourcetype="syslog" OR sourcetype="auditd")
| eval detection_type=case(
    sourcetype="auditd" AND match(_raw, "(?i)(chmod|fchmod)") AND
      match(_raw, "(?i)(4[0-7]{3}|u\+s|2[0-7]{3}|g\+s|6[0-7]{3})"),
      "Auditd_Chmod_SUID_SGID",
    sourcetype="syslog" AND match(_raw, "(?i)chmod.*([+]s|4[0-7]{3}|2[0-7]{3})"),
      "Syslog_SUID_Set",
    match(_raw, "(?i)find.*(-perm.*(\+4000|\-4000|/4000|\+2000|\-2000|setuid|setgid))"),
      "Find_SUID_Discovery",
    true(), null()
  )
| where isnotnull(detection_type)
| eval user=coalesce(user, extractSlow("uid=(\\d+)", _raw))
| table _time, host, user, detection_type, _raw
| sort - _time

high severity medium confidence

Data Sources

Process: Process Creation Linux Auditd: chmod/fchmod syscalls Syslog

Required Sourcetypes

linux_secure syslog auditd

False Positives

Package manager post-install scripts setting SUID on system utilities
System administrators setting SUID on authorized binaries
Security audit scripts enumerating SUID files

Elastic Security (EQL)

eql

sequence by host.name with maxspan=5m
  [process where event.type == "start" and
   process.name == "chmod" and
   process.args : ("4777", "4755", "4711", "u+s", "+s", "2777", "2755", "g+s", "6777", "6755")]

any where
  [
    process where event.type == "start" and
    process.name == "chmod" and
    process.args : ("4777", "4755", "4711", "u+s", "+s", "2777", "2755", "g+s", "6777", "6755")
  ] or
  [
    process where event.type == "start" and
    process.name == "find" and
    process.args : ("-perm") and
    process.args : ("+4000", "-4000", "/4000", "+2000", "-2000", "/2000", "+6000", "setuid", "setgid")
  ] or
  [
    process where event.type == "start" and
    user.name == "root" and
    process.executable : ("/tmp/*", "/var/tmp/*", "/dev/shm/*", "/home/*")
  ]

high severity high confidence

Data Sources

Endpoint (Elastic Agent or Auditbeat) Linux/macOS process telemetry via auditd or eBPF

Required Tables

logs-endpoint.events.process-* auditbeat-*

False Positives

System administrators legitimately setting SUID on custom tools or internal scripts as part of configuration management (e.g., Ansible, Puppet runs)
Security teams running SUID discovery scans with find as part of authorized vulnerability assessments or CIS benchmark checks
Software installers and package managers (apt, yum, pip install) that set SUID bits on installed binaries during installation

IBM QRadar (AQL)

sql

SELECT
  DATEFORMAT(devicetime, 'yyyy-MM-dd HH:mm:ss') AS event_time,
  sourceip,
  username,
  QIDNAME(qid) AS event_name,
  LOGSOURCENAME(logsourceid) AS log_source,
  "Command" AS command_line,
  CASE
    WHEN UTF8(payload) IMATCHES '(?i)chmod.*(4[0-7]{3}|u\+s|2[0-7]{3}|g\+s|6[0-7]{3})'
      THEN 'Chmod_SUID_SGID_Set'
    WHEN UTF8(payload) IMATCHES '(?i)find.*(\-perm).*(\+4000|\-4000|\/4000|\+2000|\-2000|setuid|setgid)'
      THEN 'Find_SUID_Discovery'
    WHEN username = 'root' AND UTF8(payload) IMATCHES '(?i)(\/tmp\/|\/var\/tmp\/|\/dev\/shm\/|\/home\/)'
      THEN 'Root_Exec_From_Writable_Path'
    ELSE 'Unknown'
  END AS detection_type
FROM events
WHERE
  LOGSOURCETYPEID IN (11, 12, 191, 352)
  AND (
    UTF8(payload) IMATCHES '(?i)chmod.*(4[0-7]{3}|u\+s|2[0-7]{3}|g\+s|6[0-7]{3})'
    OR (
      UTF8(payload) IMATCHES '(?i)find.*\-perm'
      AND UTF8(payload) IMATCHES '(?i)(\+4000|\-4000|\/4000|\+2000|\-2000|setuid|setgid)'
    )
    OR (
      username = 'root'
      AND UTF8(payload) IMATCHES '(?i)(\/tmp|\/var\/tmp|\/dev\/shm|\/home\/)'
      AND LOGSOURCETYPEID = 191
    )
  )
  AND devicetime > NOW() - 86400000
ORDER BY devicetime DESC
LAST 24 HOURS

high severity medium confidence

Data Sources

Linux syslog (auditd) Linux OS log source in QRadar Unix Authentication log source

Required Tables

events

False Positives

Configuration management tools such as Chef or Ansible legitimately setting SUID bits during system hardening or software deployment
Penetration testers or red team operators running authorized SUID discovery with find as part of privilege escalation enumeration phases
Root-owned daemon processes legitimately launching helper binaries stored in home directories during development or staging environments

Sumo Logic CSE

sql

(_sourceCategory="linux*" OR _sourceCategory="auditd*" OR _sourceCategory="syslog*")
| parse regex "(?<raw_command>chmod\s+[\w+/\-]+\s+[^\s]+)" nodrop
| parse regex "(?<find_command>find\s+[^|;]+\-perm\s+[^\s]+)" nodrop
| parse regex "uid=(?<uid>\d+)" nodrop
| parse regex "auid=(?<auid>\d+)" nodrop
| parse regex "comm=\"?(?<command>[^\"\s]+)" nodrop
| parse regex "exe=\"?(?<executable>[^\"\s]+)" nodrop
| eval detection_type = if(
    matches(_raw, "(?i)chmod.*(4[0-7]{3}|u\\+s|2[0-7]{3}|g\\+s|6[0-7]{3})"),
    "Chmod_SUID_SGID_Set",
    if(
      matches(_raw, "(?i)find.*\\-perm.*(\\+4000|\\-4000|/4000|\\+2000|\\-2000|setuid|setgid)"),
      "Find_SUID_Discovery",
      if(
        matches(_raw, "(?i)(uid=0|user=root).*((\/tmp|\/var\/tmp|\/dev\/shm|\/home\/)[^ ]+)"),
        "Root_Exec_From_Writable_Path",
        null
      )
    )
  )
| where !isNull(detection_type)
| parse regex "hostname=(?<hostname>[^\s]+)" nodrop
| fields _messageTime, hostname, uid, command, executable, detection_type, _raw
| sort by _messageTime desc

high severity medium confidence

Data Sources

Linux auditd logs Linux syslog Sumo Logic Installed Collector on Linux hosts

Required Tables

Sumo Logic _sourceCategory linux*, auditd*, syslog*

False Positives

Linux package installation scripts (rpm, dpkg) that set SUID bits on binaries such as passwd, ping, or sudo during legitimate software installs
Security scanning tools like Lynis or OpenSCAP running SUID discovery as part of scheduled compliance checks
Container entrypoint scripts executing as root from mounted home directories in development Kubernetes or Docker environments

Google Chronicle / SecOps

yaral

rule t1548_001_setuid_setgid_abuse {
  meta:
    author = "Detection Engineering"
    description = "Detects SUID/SGID bit manipulation via chmod, SUID discovery via find, and suspicious root execution from writable paths on Linux/macOS endpoints. Maps to MITRE ATT&CK T1548.001."
    mitre_attack_tactic = "Privilege Escalation"
    mitre_attack_technique = "T1548.001"
    severity = "HIGH"
    confidence = "HIGH"

  events:
    (
      // Part 1: chmod setting SUID or SGID bits
      (
        $e.metadata.event_type = "PROCESS_LAUNCH"
        and $e.target.process.file.full_path = /\/chmod$/
        and (
          $e.target.process.command_line = /4[0-7]{3}/ nocase or
          $e.target.process.command_line = /u\+s/ nocase or
          $e.target.process.command_line = /\+s/ nocase or
          $e.target.process.command_line = /2[0-7]{3}/ nocase or
          $e.target.process.command_line = /g\+s/ nocase or
          $e.target.process.command_line = /6[0-7]{3}/ nocase
        )
      )
      or
      // Part 2: find discovering SUID/SGID binaries (attacker recon)
      (
        $e.metadata.event_type = "PROCESS_LAUNCH"
        and $e.target.process.file.full_path = /\/find$/
        and $e.target.process.command_line = /-perm/ nocase
        and (
          $e.target.process.command_line = /\+4000/ nocase or
          $e.target.process.command_line = /-4000/ nocase or
          $e.target.process.command_line = /\/4000/ nocase or
          $e.target.process.command_line = /\+2000/ nocase or
          $e.target.process.command_line = /-2000/ nocase or
          $e.target.process.command_line = /setuid/ nocase or
          $e.target.process.command_line = /setgid/ nocase
        )
      )
      or
      // Part 3: root execution from writable non-standard paths
      (
        $e.metadata.event_type = "PROCESS_LAUNCH"
        and $e.principal.user.userid = "root"
        and (
          $e.target.process.file.full_path = /^\/tmp\// or
          $e.target.process.file.full_path = /^\/var\/tmp\// or
          $e.target.process.file.full_path = /^\/dev\/shm\// or
          $e.target.process.file.full_path = /^\/home\//
        )
      )
    )

  condition:
    $e
}

high severity high confidence

Data Sources

Chronicle UDM (Unified Data Model) Linux endpoint telemetry forwarded to Chronicle Google Chronicle SIEM with Linux log ingestion

Required Tables

UDM events with event_type PROCESS_LAUNCH

False Positives

DevOps automation pipelines (CI/CD) that set SUID bits on utility binaries during build artifact preparation or container image construction
Authorized red team engagements running find-based SUID enumeration as part of privilege escalation testing on agreed scope
Root-privileged monitoring or backup agents legitimately executing from /home directories where their configuration files reside

CrowdStrike LogScale (CQL)

cql

// T1548.001 - Setuid/Setgid Abuse Detection
// Part 1: chmod setting SUID/SGID bits
#event_simpleName=ProcessRollup2
| ImageFileName = /\/chmod$/
| CommandLine = /(4[0-7]{3}|u\+s|\+s|2[0-7]{3}|g\+s|6[0-7]{3})/i
| eval DetectionType = "Chmod_SUID_SGID_Set"
| table([_timeutc, ComputerName, UserName, CommandLine, ParentBaseFileName, DetectionType])

// Part 2: find discovering SUID/SGID binaries
| union {
    #event_simpleName=ProcessRollup2
    | ImageFileName = /\/find$/
    | CommandLine = /-perm/
    | CommandLine = /(\+4000|\-4000|\/4000|\+2000|\-2000|setuid|setgid)/i
    | eval DetectionType = "Find_SUID_Discovery"
    | table([_timeutc, ComputerName, UserName, CommandLine, ParentBaseFileName, DetectionType])
  }

// Part 3: root execution from writable non-standard paths
| union {
    #event_simpleName=ProcessRollup2
    | UserName = "root"
    | ImageFileName = /^\/(tmp|var\/tmp|dev\/shm|home)\//
    | eval DetectionType = "Root_Exec_From_Writable_Path"
    | table([_timeutc, ComputerName, UserName, ImageFileName, CommandLine, ParentBaseFileName, DetectionType])
  }

| sort(_timeutc, order=desc)

high severity high confidence

Data Sources

CrowdStrike Falcon sensor (ProcessRollup2 events) Falcon platform with Linux endpoint coverage

Required Tables

#event_simpleName=ProcessRollup2

False Positives

Falcon sensor telemetry from software deployment scripts that legitimately invoke chmod with SUID bits on freshly installed binaries such as ping or mount helpers
Authorized penetration test activities where Falcon sensor is deployed on in-scope Linux hosts being assessed for privilege escalation paths
Root-launched processes from /home directories on developer workstations where IDEs or build tools store executables in user home directories

Setuid and Setgid

Data Sources

Required Tables

False Positives

Data Sources

Required Sourcetypes

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Response Playbook

Investigation Guide

Atomic Red Team Tests

Unlock Pro Content

Related Detections

Parent Technique

Related Sub-techniques

Same Tactic: Privilege Escalation

Popular Detections