T1548.001 Google Chronicle · YARA-L

Detect Setuid and Setgid in Google Chronicle

Adversaries abuse the setuid (SUID) and setgid (SGID) permission bits on Linux and macOS to execute code in another user's context, typically root. When a file with SUID is executed, it runs as the file owner rather than the executing user. Adversaries can set SUID on their malware to enable future privilege escalation, or exploit existing SUID binaries listed on GTFOBins. Keydnap malware added setuid to binaries; Exaramel for Linux used a setuid binary for privilege escalation. The find command is commonly used by attackers to discover exploitable SUID/SGID binaries.

MITRE ATT&CK

Tactic: Privilege Escalation, Defense Evasion
Technique: T1548 Abuse Elevation Control Mechanism
Sub-technique: T1548.001 Setuid and Setgid
Canonical reference: https://attack.mitre.org/techniques/T1548/001/

YARA-L Detection Query

Google Chronicle (YARA-L)
rule t1548_001_setuid_setgid_abuse {
  meta:
    author = "Detection Engineering"
    description = "Detects SUID/SGID bit manipulation via chmod, SUID discovery via find, and suspicious root execution from writable paths on Linux/macOS endpoints. Maps to MITRE ATT&CK T1548.001."
    mitre_attack_tactic = "Privilege Escalation"
    mitre_attack_technique = "T1548.001"
    severity = "HIGH"
    confidence = "HIGH"

  events:
    (
      // Part 1: chmod setting SUID or SGID bits
      (
        $e.metadata.event_type = "PROCESS_LAUNCH"
        and $e.target.process.file.full_path = /\/chmod$/
        and (
          $e.target.process.command_line = /4[0-7]{3}/ nocase or
          $e.target.process.command_line = /u\+s/ nocase or
          $e.target.process.command_line = /\+s/ nocase or
          $e.target.process.command_line = /2[0-7]{3}/ nocase or
          $e.target.process.command_line = /g\+s/ nocase or
          $e.target.process.command_line = /6[0-7]{3}/ nocase
        )
      )
      or
      // Part 2: find discovering SUID/SGID binaries (attacker recon)
      (
        $e.metadata.event_type = "PROCESS_LAUNCH"
        and $e.target.process.file.full_path = /\/find$/
        and $e.target.process.command_line = /-perm/ nocase
        and (
          $e.target.process.command_line = /\+4000/ nocase or
          $e.target.process.command_line = /-4000/ nocase or
          $e.target.process.command_line = /\/4000/ nocase or
          $e.target.process.command_line = /\+2000/ nocase or
          $e.target.process.command_line = /-2000/ nocase or
          $e.target.process.command_line = /setuid/ nocase or
          $e.target.process.command_line = /setgid/ nocase
        )
      )
      or
      // Part 3: root execution from writable non-standard paths
      (
        $e.metadata.event_type = "PROCESS_LAUNCH"
        and $e.principal.user.userid = "root"
        and (
          $e.target.process.file.full_path = /^\/tmp\// or
          $e.target.process.file.full_path = /^\/var\/tmp\// or
          $e.target.process.file.full_path = /^\/dev\/shm\// or
          $e.target.process.file.full_path = /^\/home\//
        )
      )
    )

  condition:
    $e
}

Chronicle YARA-L 2.0 rule detecting SUID/SGID abuse across three behavioral patterns: chmod bit manipulation to grant SUID/SGID, find-based enumeration of SUID binaries as attacker reconnaissance, and suspicious execution of root-owned processes from world-writable directories. Covers T1548.001 privilege escalation setup and abuse phases.

Data Sources

  • Chronicle UDM (Unified Data Model)
  • Linux endpoint telemetry forwarded to Chronicle
  • Google Chronicle SIEM with Linux log ingestion

Required Tables

UDM events with event_type PROCESS_LAUNCH

False Positives & Tuning

  • DevOps automation pipelines (CI/CD) that set SUID bits on utility binaries during build artifact preparation or container image construction
  • Authorized red team engagements running find-based SUID enumeration as part of privilege escalation testing on agreed scope
  • Root-privileged monitoring or backup agents legitimately executing from /home directories where their configuration files reside
Testing Methodology

Validate this detection against 3 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.

  1. Test 1: Set SUID Bit on a Test Binary

    Expected signal: Syslog/auditd: chmod syscall on /tmp/df00tech-suid-test with mode 04xxx. Process creation event for chmod with u+s argument. Sysmon for Linux (if deployed): FileModify event for /tmp/df00tech-suid-test.

  2. Test 2: Discover SUID Binaries on the System

    Expected signal: Process creation event for find with -perm /4000 argument. Syslog entry for find execution.

  3. Test 3: Set SGID Bit on Test File

    Expected signal: Auditd: chmod syscall with mode=02755 for /tmp/df00tech-sgid-test. Process creation for chmod command.
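To check what the three parts of the rule actually match before deploying it, the following is an added Python re-implementation of the rule's logic (not Chronicle's rule engine and not the page's own code). The Event class, its shortened field names, and every sample event are constructed for this example; the sample set contains the three validation tests above plus benign command lines and the two false-positive cases from the tuning section, so the output shows which part of the rule fires on each.

```python
"""
Offline re-implementation of the three detection parts of
t1548_001_setuid_setgid_abuse, applied to constructed PROCESS_LAUNCH events.
Event, its field names and SAMPLE_EVENTS are assumptions for this example,
not Chronicle's UDM schema or real telemetry.
"""
import re
from dataclasses import dataclass

FLAGS = re.IGNORECASE  # stands in for the rule's `nocase` modifier


@dataclass(frozen=True)
class Event:
    """Only the UDM fields the rule reads (names shortened for the example)."""
    event_type: str    # $e.metadata.event_type
    full_path: str     # $e.target.process.file.full_path
    command_line: str  # $e.target.process.command_line
    userid: str        # $e.principal.user.userid


# Part 1: chmod setting SUID/SGID bits, same patterns as the rule
CHMOD_BIN = re.compile(r"/chmod$")
CHMOD_ARGS = [re.compile(p, FLAGS) for p in (
    r"4[0-7]{3}", r"u\+s", r"\+s", r"2[0-7]{3}", r"g\+s", r"6[0-7]{3}")]

# Part 2: find enumerating SUID/SGID binaries
FIND_BIN = re.compile(r"/find$")
FIND_PERM = re.compile(r"-perm", FLAGS)
FIND_ARGS = [re.compile(p, FLAGS) for p in (
    r"\+4000", r"-4000", r"/4000", r"\+2000", r"-2000", r"setuid", r"setgid")]

# Part 3: root executing from a writable, non-standard directory
WRITABLE_DIRS = [re.compile(p) for p in (
    r"^/tmp/", r"^/var/tmp/", r"^/dev/shm/", r"^/home/")]


def matched_parts(ev: Event) -> list[str]:
    """Return the names of the rule parts this event satisfies (empty if none)."""
    if ev.event_type != "PROCESS_LAUNCH":
        return []
    hits = []
    if CHMOD_BIN.search(ev.full_path) and any(r.search(ev.command_line) for r in CHMOD_ARGS):
        hits.append("chmod_suid_sgid")
    if (FIND_BIN.search(ev.full_path) and FIND_PERM.search(ev.command_line)
            and any(r.search(ev.command_line) for r in FIND_ARGS)):
        hits.append("find_suid_enum")
    if ev.userid == "root" and any(r.search(ev.full_path) for r in WRITABLE_DIRS):
        hits.append("root_from_writable_path")
    return hits


# Constructed sample telemetry: the three validation tests from the page plus
# benign and false-positive cases drawn from the tuning section.
SAMPLE_EVENTS = [
    Event("PROCESS_LAUNCH", "/usr/bin/chmod", "chmod u+s /tmp/df00tech-suid-test", "analyst"),   # Test 1
    Event("PROCESS_LAUNCH", "/usr/bin/find", "find / -perm /4000 -type f", "analyst"),            # Test 2
    Event("PROCESS_LAUNCH", "/usr/bin/chmod", "chmod 2755 /tmp/df00tech-sgid-test", "analyst"),   # Test 3
    Event("PROCESS_LAUNCH", "/tmp/build/stage", "/tmp/build/stage --once", "root"),                # root from /tmp
    Event("PROCESS_LAUNCH", "/usr/bin/chmod", "chmod 644 /etc/hosts", "analyst"),                 # benign chmod
    Event("PROCESS_LAUNCH", "/usr/bin/chmod", "chmod 755 /srv/reports/2024-q1.sh", "analyst"),    # FP: "2024" looks like mode 2xxx
    Event("PROCESS_LAUNCH", "/usr/bin/find", "find /var/log -name *.gz", "analyst"),              # find without -perm
    Event("PROCESS_LAUNCH", "/home/backup/agent", "/home/backup/agent --run", "root"),            # FP: root backup agent in /home
    Event("FILE_MODIFICATION", "/usr/bin/chmod", "chmod u+s /tmp/df00tech-suid-test", "analyst"), # wrong event type
]


def evaluate(events=SAMPLE_EVENTS) -> list[list[str]]:
    """Apply the rule to each event; one list of matched parts per event, in input order."""
    return [matched_parts(ev) for ev in events]


if __name__ == "__main__":
    for ev, hits in zip(SAMPLE_EVENTS, evaluate()):
        print(f"{ev.userid:8} {ev.command_line:45} -> {hits or 'no match'}")
```

Running it shows the three validation tests each satisfying exactly one part of the rule, and it also surfaces a tuning point: the unanchored mode patterns such as `2[0-7]{3}` match any four-digit run in a path (the `2024-q1.sh` case), so if that noise shows up in your environment, one option is to require the mode to be a standalone argument, for example `(^|\s)0?[2467][0-7]{3}(\s|$)`, while keeping the `u+s`/`g+s` patterns as they are.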
