Which SIEM platforms have a T1548.001 detection rule?

df00tech provides T1548.001 (Setuid and Setgid) detection queries for 7 SIEM platforms: Microsoft Sentinel / Defender, Splunk, Elastic Security (EQL), IBM QRadar (AQL), Sumo Logic CSE, Google Chronicle / SecOps, CrowdStrike LogScale (CQL).

What data sources are required to detect Setuid and Setgid (T1548.001)?

Detecting Setuid and Setgid requires the following data sources: Process: Process Creation, File: File Metadata, Microsoft Defender for Endpoint (Linux/macOS).

What severity and confidence is the T1548.001 detection?

The T1548.001 detection is rated high severity with medium confidence.

What are common false positives for T1548.001?

Common false positives for T1548.001 include: System administrators legitimately setting SUID on binaries that require it (e.g., ping, passwd, sudo itself); Package manager installations (apt, yum, dnf) that set appropriate SUID bits on system utilities; Security auditors running find commands to enumerate SUID binaries during authorized security assessments.

T1548.001 Splunk · SPL

Detect Setuid and Setgid in Splunk

Adversaries abuse the setuid (SUID) and setgid (SGID) permission bits on Linux and macOS to execute code in another user's context, typically root. When a file with SUID is executed, it runs as the file owner rather than the executing user. Adversaries can set SUID on their malware to enable future privilege escalation, or exploit existing SUID binaries listed on GTFOBins. Keydnap malware added setuid to binaries; Exaramel for Linux used a setuid binary for privilege escalation. The find command is commonly used by attackers to discover exploitable SUID/SGID binaries.

MITRE ATT&CK

Tactic: Privilege Escalation Defense Evasion
Technique: T1548 Abuse Elevation Control Mechanism
Sub-technique: T1548.001 Setuid and Setgid
Canonical reference: https://attack.mitre.org/techniques/T1548/001/

SPL Detection Query

Splunk (SPL)

spl

index=linux_logs (sourcetype="linux_secure" OR sourcetype="syslog" OR sourcetype="auditd")
| eval detection_type=case(
    sourcetype="auditd" AND match(_raw, "(?i)(chmod|fchmod)") AND
      match(_raw, "(?i)(4[0-7]{3}|u\+s|2[0-7]{3}|g\+s|6[0-7]{3})"),
      "Auditd_Chmod_SUID_SGID",
    sourcetype="syslog" AND match(_raw, "(?i)chmod.*([+]s|4[0-7]{3}|2[0-7]{3})"),
      "Syslog_SUID_Set",
    match(_raw, "(?i)find.*(-perm.*(\+4000|\-4000|/4000|\+2000|\-2000|setuid|setgid))"),
      "Find_SUID_Discovery",
    true(), null()
  )
| where isnotnull(detection_type)
| eval user=coalesce(user, extractSlow("uid=(\\d+)", _raw))
| table _time, host, user, detection_type, _raw
| sort - _time

high severity medium confidence

Detects setuid/setgid abuse via Linux audit logs (auditd) and syslog. Auditd chmod/fchmod syscall events with SUID/SGID bit patterns (4xxx, 2xxx, u+s, g+s) are the primary signal. Syslog chmod entries with +s or numeric SUID patterns are a secondary signal. Find commands searching for -perm with SUID/SGID patterns indicate attacker discovery phase.

Data Sources

Process: Process CreationLinux Auditd: chmod/fchmod syscallsSyslog

Required Sourcetypes

linux_securesyslogauditd

False Positives & Tuning

Package manager post-install scripts setting SUID on system utilities
System administrators setting SUID on authorized binaries
Security audit scripts enumerating SUID files

Download portable Sigma rule (.yml)

Other platforms for T1548.001

Microsoft Sentinel (KQL) Elastic Security (Elastic) IBM QRadar (QRadar) Sumo Logic CSE (Sumo) Google Chronicle (YARA-L) CrowdStrike LogScale (LogScale) All platforms (combined) →

Testing Methodology

Validate this detection against 3 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.

Test 1Set SUID Bit on a Test Binary
Expected signal: Syslog/auditd: chmod syscall on /tmp/df00tech-suid-test with mode 04xxx. Process creation event for chmod with u+s argument. Sysmon for Linux (if deployed): FileModify event for /tmp/df00tech-suid-test.
Test 2Discover SUID Binaries on the System
Expected signal: Process creation event for find with -perm /4000 argument. Syslog entry for find execution.
Test 3Set SGID Bit on Test File
Expected signal: Auditd: chmod syscall with mode=02755 for /tmp/df00tech-sgid-test. Process creation for chmod command.

Last updated: 2026-04-20 Research depth: deep

References (5)

Response Playbook

1. Examine the full command line and decode any Base64 content...
2. Identify the parent process chain and user context...
3. Check for concurrent network connections from the process...

Investigation Guide

Related techniques: T1027, T1105, T1562.001...
Forensic artifacts: PSReadLine history, Prefetch, ScriptBlock logs...

Atomic Red Team Tests

Test 1: Encoded command execution...
Test 2: Download cradle via Net.WebClient...

Unlock Pro Content

Get the full detection package for T1548.001 including response playbook, investigation guide, and atomic red team tests.

Response PlaybookInvestigation GuideHunting QueriesAtomic Red Team TestsTuning Guidance

Detect Setuid and Setgid in Splunk

MITRE ATT&CK

SPL Detection Query

Data Sources

Required Sourcetypes

False Positives & Tuning

Other platforms for T1548.001

Testing Methodology

Response Playbook

Investigation Guide

Atomic Red Team Tests

Unlock Pro Content

Related Detections

Parent Technique

Related Sub-techniques

Related Techniques

Same Tactic: Privilege Escalation

Popular Detections

MITRE ATT&CK

SPL Detection Query

Data Sources

Required Sourcetypes

False Positives & Tuning

Other platforms for T1548.001

Testing Methodology

Unlock Pro Content

Related Detections

Parent Technique

Related Sub-techniques

Related Techniques

Same Tactic: Privilege Escalation

Popular Detections

Get new detections in your inbox