T1548.001 IBM QRadar · QRadar

Detect Setuid and Setgid in IBM QRadar

Adversaries abuse the setuid (SUID) and setgid (SGID) permission bits on Linux and macOS to execute code in another user's or group's context, typically root. When a file with the SUID bit set is executed, the process runs with the file owner's effective user ID rather than the invoking user's; SGID does the same for the owning group. Adversaries can set SUID on their own malware to enable future privilege escalation, or abuse existing SUID binaries such as those catalogued on GTFOBins. Keydnap malware added setuid to binaries, and Exaramel for Linux used a setuid binary for privilege escalation. Attackers commonly use the find command to discover exploitable SUID/SGID binaries.

MITRE ATT&CK

Tactic: Privilege Escalation, Defense Evasion
Technique: T1548 Abuse Elevation Control Mechanism
Sub-technique: T1548.001 Setuid and Setgid
Canonical reference: https://attack.mitre.org/techniques/T1548/001/

QRadar Detection Query

IBM QRadar (QRadar)

```sql
SELECT
  DATEFORMAT(devicetime, 'yyyy-MM-dd HH:mm:ss') AS event_time,
  sourceip,
  username,
  QIDNAME(qid) AS event_name,
  LOGSOURCENAME(logsourceid) AS log_source,
  "Command" AS command_line,
  CASE
    WHEN UTF8(payload) IMATCHES '(?i).*chmod.*(4[0-7]{3}|u\+s|2[0-7]{3}|g\+s|6[0-7]{3}).*'
      THEN 'Chmod_SUID_SGID_Set'
    WHEN UTF8(payload) IMATCHES '(?i).*find.*(\-perm).*(\+4000|\-4000|\/4000|\+2000|\-2000|setuid|setgid).*'
      THEN 'Find_SUID_Discovery'
    WHEN username = 'root' AND UTF8(payload) IMATCHES '(?i).*(\/tmp|\/var\/tmp|\/dev\/shm|\/home\/).*'
      THEN 'Root_Exec_From_Writable_Path'
    ELSE 'Unknown'
  END AS detection_type
FROM events
WHERE
  LOGSOURCETYPEID IN (11, 12, 191, 352)
  AND (
    UTF8(payload) IMATCHES '(?i).*chmod.*(4[0-7]{3}|u\+s|2[0-7]{3}|g\+s|6[0-7]{3}).*'
    OR (
      UTF8(payload) IMATCHES '(?i).*find.*\-perm.*'
      AND UTF8(payload) IMATCHES '(?i).*(\+4000|\-4000|\/4000|\+2000|\-2000|setuid|setgid).*'
    )
    OR (
      username = 'root'
      AND UTF8(payload) IMATCHES '(?i).*(\/tmp|\/var\/tmp|\/dev\/shm|\/home\/).*'
      AND LOGSOURCETYPEID = 191
    )
  )
  AND devicetime > NOW() - 86400000
ORDER BY devicetime DESC
LAST 24 HOURS
```

Severity: high · Confidence: medium

QRadar AQL detection for SUID/SGID abuse covering three behavioural patterns: chmod setting the SUID/SGID bits (octal 4xxx/2xxx/6xxx or symbolic u+s/g+s), find-based SUID/SGID discovery (-perm with /4000, -4000, +4000 or the setuid/setgid keywords), and root executing from a world-writable or home directory (this branch is restricted to the Linux OS log source type, id 191). The query reads syslog and auditd log sources, and the CASE expression labels each matching event with the branch that fired.
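To exercise the query's three branches before deploying it, here is an added Python re-implementation of the same logic (example code written for this page, not part of the original page and not QRadar's AQL engine). It mirrors the query's regexes and WHERE conditions, rebuilds the command line from auditd EXECVE records so the patterns see `chmod u+s /tmp/...` rather than `a0="chmod" a1="u+s"`, and adds a tighter chmod pattern, CHMOD_STRICT, that is not in the query, to show one tuning option against the loose mode regex. The sample events, the helper names and the mapping of log source type ids to the samples are constructed for the example; the ids themselves are the ones in the query's IN list.

```python
import re

# Patterns lifted from the AQL query; IMATCHES is case-insensitive, so re.I stands in for (?i).
CHMOD_LOOSE = re.compile(r"chmod.*(4[0-7]{3}|u\+s|2[0-7]{3}|g\+s|6[0-7]{3})", re.I)
FIND_PERM = re.compile(r"find.*-perm", re.I)
FIND_SUID_ARGS = re.compile(r"(\+4000|-4000|/4000|\+2000|-2000|setuid|setgid)", re.I)
WRITABLE_PATH = re.compile(r"(/tmp|/var/tmp|/dev/shm|/home/)", re.I)

# Tuning option added for this example (not in the query): the SUID/SGID mode must be a
# whole chmod argument, so a number such as 2024 inside a file name no longer satisfies
# 2[0-7]{3}. Symbolic forms (u+s, g+s, a+s, ug+rws) and leading chmod options still match.
CHMOD_STRICT = re.compile(
    r"\bchmod\b(?:\s+-\S+)*\s+(?:[ugoa]*[+=][rwxX]*s[rwxX]*|0?[2467][0-7]{3})(?=\s|$)",
    re.I,
)

LOG_SOURCE_TYPES = {11, 12, 191, 352}  # the query's LOGSOURCETYPEID IN (...) list
LINUX_OS_LOG_SOURCE_TYPE = 191         # required by the query's root-exec branch

# auditd EXECVE records carry argv as a0="..." a1="..."; arguments containing whitespace
# are hex-encoded without quotes by auditd and are not decoded here.
AUDIT_ARG = re.compile(r'\ba\d+="([^"]*)"')


def execve_to_cmdline(payload):
    """Rebuild the command line from an auditd EXECVE record; other payloads pass through."""
    args = AUDIT_ARG.findall(payload)
    return " ".join(args) if args else payload


def classify(event, strict=False):
    """Return the detection_type the query would assign to an event dict with keys
    payload, username and logsourcetypeid, or None when the WHERE clause would drop it.
    strict=True swaps CHMOD_STRICT in for the first branch."""
    if event.get("logsourcetypeid") not in LOG_SOURCE_TYPES:
        return None
    text = execve_to_cmdline(event["payload"])
    chmod_pattern = CHMOD_STRICT if strict else CHMOD_LOOSE
    if chmod_pattern.search(text):
        return "Chmod_SUID_SGID_Set"
    if FIND_PERM.search(text) and FIND_SUID_ARGS.search(text):
        return "Find_SUID_Discovery"
    if (
        event.get("username") == "root"
        and WRITABLE_PATH.search(text)
        and event.get("logsourcetypeid") == LINUX_OS_LOG_SOURCE_TYPE
    ):
        return "Root_Exec_From_Writable_Path"
    return None


# Constructed sample events (not real telemetry).
SAMPLE_EVENTS = [
    {"payload": 'type=EXECVE msg=audit(1700000000.101:501): argc=3 '
                'a0="chmod" a1="u+s" a2="/tmp/df00tech-suid-test"',
     "username": "alice", "logsourcetypeid": 11},
    {"payload": 'type=EXECVE msg=audit(1700000000.102:502): argc=5 '
                'a0="find" a1="/" a2="-perm" a3="/4000" a4="-print"',
     "username": "alice", "logsourcetypeid": 11},
    {"payload": "sudo:     root : TTY=pts/0 ; PWD=/root ; USER=root ; COMMAND=/dev/shm/.cache/helper",
     "username": "root", "logsourcetypeid": 191},
    # Benign chmod whose file name contains 2024: fires under the query's loose
    # pattern (2[0-7]{3} matches "2024"), but not under CHMOD_STRICT.
    {"payload": "chmod 0644 /srv/data/report-2024.txt",
     "username": "alice", "logsourcetypeid": 191},
]


def run_samples(strict=False):
    """Classify every sample event; returns a list of (label, payload) pairs."""
    return [(classify(e, strict), e["payload"]) for e in SAMPLE_EVENTS]


if __name__ == "__main__":
    for mode in (False, True):
        print(f"--- strict={mode}")
        for label, payload in run_samples(mode):
            print(f"{(label or 'dropped'):30} {payload[:70]}")
```

Running the script with and without `strict` shows the one difference: the fourth sample is labelled Chmod_SUID_SGID_Set by the query's pattern and dropped by the tighter one, which is the kind of check to run over a day of real chmod events before deciding whether the extra precision is worth the risk of missing an unusual invocation.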

Data Sources

  • Linux syslog (auditd)
  • Linux OS log source in QRadar
  • Unix Authentication log source

Required Tables

events

False Positives & Tuning

  • Configuration management tools such as Chef or Ansible legitimately setting SUID bits during system hardening or software deployment
  • Penetration testers or red team operators running authorized SUID discovery with find as part of privilege escalation enumeration phases
  • Root-owned daemon processes legitimately launching helper binaries stored in home directories during development or staging environments

Testing Methodology

Validate this detection with the three Atomic Red Team tests below. Each test lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.

  1. Test 1: Set SUID Bit on a Test Binary

    Expected signal: Syslog/auditd: chmod syscall on /tmp/df00tech-suid-test with mode 04xxx. Process creation event for chmod with u+s argument. Sysmon for Linux (if deployed): FileModify event for /tmp/df00tech-suid-test.

  2. Test 2: Discover SUID Binaries on the System

    Expected signal: Process creation event for find with -perm /4000 argument. Syslog entry for find execution.

  3. Test 3: Set SGID Bit on Test File

    Expected signal: Auditd: chmod syscall with mode=02755 for /tmp/df00tech-sgid-test. Process creation for chmod command.
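A local harness for the three tests, as an added example (not an Atomic Red Team test and not part of the original page): it creates the two test files from the expected signals above plus a control file inside a private scratch directory, applies the SUID and SGID modes, verifies the bits the kernel actually recorded, enumerates special-bit files the way `find -perm /4000` and `-perm /6000` do, and removes everything afterwards. The scratch directory under `tempfile.mkdtemp` and the `control` file are assumptions of the example; `os.chmod` on Linux issues the fchmodat syscall, so with an auditd rule watching chmod/fchmodat the run should produce the Test 1 and Test 3 signals, while Test 2's find execution is emulated in-process rather than spawned.

```python
import os
import shutil
import stat
import tempfile

SUID = stat.S_ISUID  # 0o4000
SGID = stat.S_ISGID  # 0o2000


def set_mode(path, mode):
    """Apply mode with os.chmod and return the permission bits the kernel kept
    (it can drop SGID when the caller is not in the file's group)."""
    os.chmod(path, mode)
    return stat.S_IMODE(os.stat(path).st_mode)


def octal_mode(mode):
    """Render permission bits the way the expected signals above write them, e.g. 04755."""
    return f"{mode:05o}"


def find_special_bits(root, bits=SUID | SGID):
    """Equivalent of `find ROOT -type f -perm /6000` (default) or `-perm /4000`
    (bits=SUID): regular files with ANY of the requested bits set, as sorted
    paths relative to root. Symlinks are not followed."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            st = os.lstat(full)
            if stat.S_ISREG(st.st_mode) and st.st_mode & bits:
                hits.append(os.path.relpath(full, root))
    return sorted(hits)


def run_tests():
    """Run Tests 1-3 in a scratch directory and return what each step produced."""
    workdir = tempfile.mkdtemp(prefix="df00tech-")  # assumption: scratch dir, not /tmp directly
    try:
        suid_path = os.path.join(workdir, "df00tech-suid-test")
        sgid_path = os.path.join(workdir, "df00tech-sgid-test")
        control_path = os.path.join(workdir, "control")
        for path in (suid_path, sgid_path, control_path):
            with open(path, "w") as fh:
                fh.write("#!/bin/sh\nexit 0\n")  # harmless stand-in binary
        results = {
            "test1_mode": set_mode(suid_path, 0o4755),    # Test 1: SUID, expect 04755
            "test3_mode": set_mode(sgid_path, 0o2755),    # Test 3: SGID, expect 02755
            "control_mode": set_mode(control_path, 0o755),  # no special bits
        }
        results["test1_signal"] = octal_mode(results["test1_mode"])
        results["test3_signal"] = octal_mode(results["test3_mode"])
        results["test2_suid_only"] = find_special_bits(workdir, SUID)  # find -perm /4000
        results["test2_any"] = find_special_bits(workdir)              # find -perm /6000
        return results
    finally:
        shutil.rmtree(workdir)  # cleanup step: remove all test artefacts


if __name__ == "__main__":
    for key, value in run_tests().items():
        print(f"{key:18} {value}")
```

The returned dictionary is what to compare against the SIEM: test1_signal and test3_signal are the mode values the chmod records should carry, and test2_suid_only should list only the SUID file, which is the set a real `find / -perm /4000` run would also report for this directory.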
