Detect Setuid and Setgid in Elastic Security
Adversaries abuse the setuid (SUID) and setgid (SGID) permission bits on Linux and macOS to execute code in another user's context, typically root. When a file with SUID is executed, it runs as the file owner rather than the executing user. Adversaries can set SUID on their malware to enable future privilege escalation, or exploit existing SUID binaries listed on GTFOBins. Keydnap malware added setuid to binaries; Exaramel for Linux used a setuid binary for privilege escalation. The find command is commonly used by attackers to discover exploitable SUID/SGID binaries.
MITRE ATT&CK
- Technique
- T1548 Abuse Elevation Control Mechanism
- Sub-technique
- T1548.001 Setuid and Setgid
- Canonical reference
- https://attack.mitre.org/techniques/T1548/001/
Elastic Detection Query
sequence by host.name with maxspan=5m
[process where event.type == "start" and
process.name == "chmod" and
process.args : ("4777", "4755", "4711", "u+s", "+s", "2777", "2755", "g+s", "6777", "6755")]
any where
[
process where event.type == "start" and
process.name == "chmod" and
process.args : ("4777", "4755", "4711", "u+s", "+s", "2777", "2755", "g+s", "6777", "6755")
] or
[
process where event.type == "start" and
process.name == "find" and
process.args : ("-perm") and
process.args : ("+4000", "-4000", "/4000", "+2000", "-2000", "/2000", "+6000", "setuid", "setgid")
] or
[
process where event.type == "start" and
user.name == "root" and
process.executable : ("/tmp/*", "/var/tmp/*", "/dev/shm/*", "/home/*")
]Detects SUID/SGID bit manipulation via chmod, attacker reconnaissance using find to discover SUID binaries, and suspicious root process execution from non-standard writable paths on Linux/macOS endpoints. Covers T1548.001 pre-exploitation setup and discovery phases.
Data Sources
Required Tables
False Positives & Tuning
- System administrators legitimately setting SUID on custom tools or internal scripts as part of configuration management (e.g., Ansible, Puppet runs)
- Security teams running SUID discovery scans with find as part of authorized vulnerability assessments or CIS benchmark checks
- Software installers and package managers (apt, yum, pip install) that set SUID bits on installed binaries during installation
Other platforms for T1548.001
Testing Methodology
Validate this detection against 3 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.
- Test 1Set SUID Bit on a Test Binary
Expected signal: Syslog/auditd: chmod syscall on /tmp/df00tech-suid-test with mode 04xxx. Process creation event for chmod with u+s argument. Sysmon for Linux (if deployed): FileModify event for /tmp/df00tech-suid-test.
- Test 2Discover SUID Binaries on the System
Expected signal: Process creation event for find with -perm /4000 argument. Syslog entry for find execution.
- Test 3Set SGID Bit on Test File
Expected signal: Auditd: chmod syscall with mode=02755 for /tmp/df00tech-sgid-test. Process creation for chmod command.
References (5)
- https://attack.mitre.org/techniques/T1548/001/
- https://gtfobins.github.io/#+suid
- https://www.welivesecurity.com/2016/07/06/new-osxkeydnap-malware-hungry-credentials/
- http://man7.org/linux/man-pages/man2/setuid.2.html
- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1548.001/T1548.001.md
Unlock Pro Content
Get the full detection package for T1548.001 including response playbook, investigation guide, and atomic red team tests.