Detect Setuid and Setgid in Microsoft Sentinel
Adversaries abuse the setuid (SUID) and setgid (SGID) permission bits on Linux and macOS to execute code in another user's context, typically root. When a file with SUID is executed, it runs as the file owner rather than the executing user. Adversaries can set SUID on their malware to enable future privilege escalation, or exploit existing SUID binaries listed on GTFOBins. Keydnap malware added setuid to binaries; Exaramel for Linux used a setuid binary for privilege escalation. The find command is commonly used by attackers to discover exploitable SUID/SGID binaries.
MITRE ATT&CK
- Technique: T1548 Abuse Elevation Control Mechanism
- Sub-technique: T1548.001 Setuid and Setgid
- Canonical reference: https://attack.mitre.org/techniques/T1548/001/
KQL Detection Query
// T1548.001 — Setuid/Setgid abuse detection on Linux/macOS endpoints
// Requires Linux or macOS endpoints enrolled in Defender for Endpoint
// Part 1: Detect chmod setting SUID/SGID bits
let ChmodSUID = DeviceProcessEvents
| where Timestamp > ago(24h)
| where FileName =~ "chmod"
| where ProcessCommandLine has_any ("4777", "4755", "4711", "u+s", "+s",
"2777", "2755", "g+s", "6777", "6755")
// 6xxx modes and a bare "+s" set both bits, so they must count toward both flags;
// the regex catches "+s" as its own argument without matching "u+s"/"g+s"
| extend SetUID = ProcessCommandLine has_any ("4777", "4755", "4711", "6777", "6755", "u+s")
    or ProcessCommandLine matches regex @"(^|\s)\+s(\s|$)"
| extend SetGID = ProcessCommandLine has_any ("2777", "2755", "6777", "6755", "g+s")
    or ProcessCommandLine matches regex @"(^|\s)\+s(\s|$)"
| extend DetectionType = "Chmod_SUID_SGID_Set"
| project Timestamp, DeviceName, AccountName, FileName, ProcessCommandLine,
InitiatingProcessFileName, InitiatingProcessCommandLine,
SetUID, SetGID, DetectionType;
// Part 2: Detect find commands searching for SUID/SGID binaries (attacker recon)
let FindSUID = DeviceProcessEvents
| where Timestamp > ago(24h)
| where FileName =~ "find"
| where ProcessCommandLine has_any ("-perm +4000", "-perm -4000", "-perm /4000",
"-perm +2000", "-perm -2000", "-perm /2000",
"-perm +6000", "setuid", "setgid")
| extend DetectionType = "Find_SUID_SGID_Discovery"
| project Timestamp, DeviceName, AccountName, FileName, ProcessCommandLine,
InitiatingProcessFileName, InitiatingProcessCommandLine, DetectionType;
// Part 3: Detect unexpected SUID binaries executing as root from non-standard paths
let SUIDBinaryExec = DeviceProcessEvents
| where Timestamp > ago(24h)
| where AccountName =~ "root"
| where FolderPath has_any ("/tmp/", "/var/tmp/", "/dev/shm/", "/home/")
| extend DetectionType = "Root_Exec_From_User_Path"
| project Timestamp, DeviceName, AccountName, FileName, ProcessCommandLine,
InitiatingProcessFileName, InitiatingProcessCommandLine, FolderPath, DetectionType;
union ChmodSUID, FindSUID, SUIDBinaryExec
| sort by Timestamp desc

Three-part detection for setuid/setgid abuse on Linux/macOS. Part 1 detects chmod commands setting SUID (4xxx) or SGID (2xxx) bits — direct manipulation of permission bits. Part 2 catches the attacker recon phase where find is used to discover existing SUID/SGID binaries for exploitation (GTFOBins searching). Part 3 flags root-context process execution from user-writable directories (indicates a SUID binary in /tmp or a home directory).
Data Sources
Required Tables
False Positives & Tuning
- System administrators legitimately setting SUID on binaries that require it (e.g., ping, passwd, sudo itself)
- Package manager installations (apt, yum, dnf) that set appropriate SUID bits on system utilities
- Security auditors running find commands to enumerate SUID binaries during authorized security assessments
- Software build systems that set SUID bits on installed binaries as part of the build process
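The three-part logic of the KQL query above, together with the package-manager allowlist suggested in the tuning notes, re-implemented in Python over constructed DeviceProcessEvents-style records so it can be exercised offline. This is an added example, not code from the original page or from df00tech; the field names mirror the Defender for Endpoint schema, but every event value, device name and the PACKAGE_MANAGERS allowlist are assumptions made for the example. It goes slightly beyond the KQL in that the chmod mode is parsed properly, so 6xxx modes and a bare "+s" are classified as setting both bits, and 3-digit modes are ignored:

```python
"""T1548.001 three-part detection over constructed DeviceProcessEvents-style records.
Added example, not part of the original page; all event values below are made up."""
import re
import shlex
from dataclasses import dataclass


@dataclass
class ProcessEvent:
    Timestamp: str
    DeviceName: str
    AccountName: str
    FileName: str
    FolderPath: str
    ProcessCommandLine: str
    InitiatingProcessFileName: str


# Octal mode with an optional leading 0: the first of the four trailing digits
# carries the special bits (4 = SUID, 2 = SGID, 1 = sticky). "755" has no such digit.
OCTAL_MODE_RE = re.compile(r"^0?([0-7])[0-7]{3}$")
# One symbolic clause such as u+s, g+s, ug+rws or +s (an empty "who" means all).
SYMBOLIC_RE = re.compile(r"^([ugoa]*)([+=])([rwxXst]*)$")


def mode_bits(mode: str) -> tuple:
    """Return (sets_suid, sets_sgid) for a chmod mode argument."""
    m = OCTAL_MODE_RE.match(mode)
    if m:
        special = int(m.group(1))
        return bool(special & 4), bool(special & 2)
    suid = sgid = False
    for clause in mode.split(","):
        m = SYMBOLIC_RE.match(clause)
        if not m or "s" not in m.group(3):
            continue  # not a clause that adds the s bit (removals like u-s are ignored)
        who = m.group(1) or "a"
        if "a" in who:
            who = "ug"
        suid = suid or "u" in who
        sgid = sgid or "g" in who
    return suid, sgid


def chmod_mode_arg(cmdline: str):
    """First non-option argument of a chmod command line, i.e. its mode (None if absent)."""
    try:
        argv = shlex.split(cmdline)
    except ValueError:
        return None
    for arg in argv[1:]:
        if not arg.startswith("-"):
            return arg
    return None


PACKAGE_MANAGERS = {"dpkg", "apt", "apt-get", "rpm", "yum", "dnf"}  # assumed tuning allowlist
USER_WRITABLE = ("/tmp/", "/var/tmp/", "/dev/shm/", "/home/")
FIND_SUID_TOKENS = ("-perm +4000", "-perm -4000", "-perm /4000",
                    "-perm +2000", "-perm -2000", "-perm /2000",
                    "-perm +6000", "setuid", "setgid")


def detect(events):
    """Apply the three detections and return alerts newest first (the KQL's 24h window is omitted)."""
    alerts = []
    for e in events:
        name = e.FileName.lower()
        if name == "chmod":
            mode = chmod_mode_arg(e.ProcessCommandLine)
            suid, sgid = mode_bits(mode) if mode else (False, False)
            # Part 1, with a package-manager parent suppressed as a known false positive.
            if (suid or sgid) and e.InitiatingProcessFileName.lower() not in PACKAGE_MANAGERS:
                alerts.append({"Timestamp": e.Timestamp, "DeviceName": e.DeviceName,
                               "DetectionType": "Chmod_SUID_SGID_Set",
                               "SetUID": suid, "SetGID": sgid})
        elif name == "find" and any(t in e.ProcessCommandLine for t in FIND_SUID_TOKENS):
            # Part 2: SUID/SGID discovery (substring match here; the KQL has_any is term-based).
            alerts.append({"Timestamp": e.Timestamp, "DeviceName": e.DeviceName,
                           "DetectionType": "Find_SUID_SGID_Discovery"})
        # Part 3: root-context execution out of a user-writable directory.
        if e.AccountName.lower() == "root" and any(p in e.FolderPath for p in USER_WRITABLE):
            alerts.append({"Timestamp": e.Timestamp, "DeviceName": e.DeviceName,
                           "DetectionType": "Root_Exec_From_User_Path"})
    return sorted(alerts, key=lambda a: a["Timestamp"], reverse=True)


# Constructed sample telemetry (not real data).
SAMPLE_EVENTS = [
    ProcessEvent("2024-01-01T10:00:00Z", "lnx-build-01", "dev", "chmod", "/usr/bin/chmod",
                 "chmod 6755 /tmp/df00tech-suid-test", "bash"),            # both bits set
    ProcessEvent("2024-01-01T10:05:00Z", "lnx-build-01", "dev", "chmod", "/usr/bin/chmod",
                 "chmod +s /home/dev/tool", "bash"),                        # bare +s: both bits
    ProcessEvent("2024-01-01T10:10:00Z", "lnx-build-01", "root", "chmod", "/usr/bin/chmod",
                 "chmod 4755 /usr/bin/passwd", "dpkg"),                     # package manager: tuned out
    ProcessEvent("2024-01-01T10:15:00Z", "lnx-build-01", "dev", "chmod", "/usr/bin/chmod",
                 "chmod -R 755 /opt/app", "bash"),                          # no special bits
    ProcessEvent("2024-01-01T10:20:00Z", "lnx-build-01", "dev", "find", "/usr/bin/find",
                 "find / -perm /4000 -type f", "bash"),                     # recon
    ProcessEvent("2024-01-01T10:25:00Z", "lnx-build-01", "root", ".cache", "/dev/shm/.cache",
                 "/dev/shm/.cache", "bash"),                                # root from /dev/shm
    ProcessEvent("2024-01-01T10:30:00Z", "lnx-build-01", "root", "ls", "/usr/bin/ls",
                 "ls -la /root", "bash"),                                   # benign root activity
]

if __name__ == "__main__":
    for alert in detect(SAMPLE_EVENTS):
        print(alert)
```

Running the script prints four alerts (two chmod, one find, one root-from-user-path), with the dpkg-initiated chmod of /usr/bin/passwd suppressed by the allowlist; the KQL as written would flag that event and would leave both SetUID and SetGID false for the 6755 case.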
Other platforms for T1548.001
Testing Methodology
Validate this detection against the 3 Atomic Red Team tests below. Each test lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.
- Test 1: Set SUID Bit on a Test Binary
Expected signal: Syslog/auditd: chmod syscall on /tmp/df00tech-suid-test with mode 04xxx. Process creation event for chmod with u+s argument. Sysmon for Linux (if deployed): FileModify event for /tmp/df00tech-suid-test.
- Test 2: Discover SUID Binaries on the System
Expected signal: Process creation event for find with -perm /4000 argument. Syslog entry for find execution.
- Test 3: Set SGID Bit on Test File
Expected signal: Auditd: chmod syscall with mode=02755 for /tmp/df00tech-sgid-test. Process creation for chmod command.
References (5)
- https://attack.mitre.org/techniques/T1548/001/
- https://gtfobins.github.io/#+suid
- https://www.welivesecurity.com/2016/07/06/new-osxkeydnap-malware-hungry-credentials/
- http://man7.org/linux/man-pages/man2/setuid.2.html
- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1548.001/T1548.001.md
Unlock Pro Content
Get the full detection package for T1548.001 including response playbook, investigation guide, and atomic red team tests.