Detect Setuid and Setgid in CrowdStrike LogScale
Adversaries abuse the setuid (SUID) and setgid (SGID) permission bits on Linux and macOS to execute code in another user's context, typically root. When a file with SUID is executed, it runs as the file owner rather than the executing user. Adversaries can set SUID on their malware to enable future privilege escalation, or exploit existing SUID binaries listed on GTFOBins. Keydnap malware added setuid to binaries; Exaramel for Linux used a setuid binary for privilege escalation. The find command is commonly used by attackers to discover exploitable SUID/SGID binaries.
MITRE ATT&CK
- Technique
- T1548 Abuse Elevation Control Mechanism
- Sub-technique
- T1548.001 Setuid and Setgid
- Canonical reference
- https://attack.mitre.org/techniques/T1548/001/
LogScale Detection Query
// T1548.001 - Setuid/Setgid Abuse Detection
// Part 1: chmod setting SUID/SGID bits
#event_simpleName=ProcessRollup2
| ImageFileName = /\/chmod$/
| CommandLine = /(4[0-7]{3}|u\+s|\+s|2[0-7]{3}|g\+s|6[0-7]{3})/i
| eval DetectionType = "Chmod_SUID_SGID_Set"
| table([_timeutc, ComputerName, UserName, CommandLine, ParentBaseFileName, DetectionType])
// Part 2: find discovering SUID/SGID binaries
| union {
#event_simpleName=ProcessRollup2
| ImageFileName = /\/find$/
| CommandLine = /-perm/
| CommandLine = /(\+4000|\-4000|\/4000|\+2000|\-2000|setuid|setgid)/i
| eval DetectionType = "Find_SUID_Discovery"
| table([_timeutc, ComputerName, UserName, CommandLine, ParentBaseFileName, DetectionType])
}
// Part 3: root execution from writable non-standard paths
| union {
#event_simpleName=ProcessRollup2
| UserName = "root"
| ImageFileName = /^\/(tmp|var\/tmp|dev\/shm|home)\//
| eval DetectionType = "Root_Exec_From_Writable_Path"
| table([_timeutc, ComputerName, UserName, ImageFileName, CommandLine, ParentBaseFileName, DetectionType])
}
| sort(_timeutc, order=desc)CrowdStrike LogScale (CQL) detection for T1548.001 Setuid/Setgid abuse using Falcon ProcessRollup2 telemetry. Detects chmod SUID/SGID bit setting, find-based privilege enumeration, and root process execution from writable non-standard directories (/tmp, /dev/shm, /home). Uses union to combine three detection patterns.
Data Sources
Required Tables
False Positives & Tuning
- Falcon sensor telemetry from software deployment scripts that legitimately invoke chmod with SUID bits on freshly installed binaries such as ping or mount helpers
- Authorized penetration test activities where Falcon sensor is deployed on in-scope Linux hosts being assessed for privilege escalation paths
- Root-launched processes from /home directories on developer workstations where IDEs or build tools store executables in user home directories
Other platforms for T1548.001
Testing Methodology
Validate this detection against 3 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.
- Test 1Set SUID Bit on a Test Binary
Expected signal: Syslog/auditd: chmod syscall on /tmp/df00tech-suid-test with mode 04xxx. Process creation event for chmod with u+s argument. Sysmon for Linux (if deployed): FileModify event for /tmp/df00tech-suid-test.
- Test 2Discover SUID Binaries on the System
Expected signal: Process creation event for find with -perm /4000 argument. Syslog entry for find execution.
- Test 3Set SGID Bit on Test File
Expected signal: Auditd: chmod syscall with mode=02755 for /tmp/df00tech-sgid-test. Process creation for chmod command.
References (5)
- https://attack.mitre.org/techniques/T1548/001/
- https://gtfobins.github.io/#+suid
- https://www.welivesecurity.com/2016/07/06/new-osxkeydnap-malware-hungry-credentials/
- http://man7.org/linux/man-pages/man2/setuid.2.html
- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1548.001/T1548.001.md
Unlock Pro Content
Get the full detection package for T1548.001 including response playbook, investigation guide, and atomic red team tests.