Detect Setuid and Setgid in Sumo Logic CSE
Adversaries abuse the setuid (SUID) and setgid (SGID) permission bits on Linux and macOS to execute code in another user's context, typically root. When a file with SUID is executed, it runs as the file owner rather than the executing user. Adversaries can set SUID on their malware to enable future privilege escalation, or exploit existing SUID binaries listed on GTFOBins. Keydnap malware added setuid to binaries; Exaramel for Linux used a setuid binary for privilege escalation. The find command is commonly used by attackers to discover exploitable SUID/SGID binaries.
MITRE ATT&CK
- Technique
- T1548 Abuse Elevation Control Mechanism
- Sub-technique
- T1548.001 Setuid and Setgid
- Canonical reference
- https://attack.mitre.org/techniques/T1548/001/
Sumo Detection Query
(_sourceCategory="linux*" OR _sourceCategory="auditd*" OR _sourceCategory="syslog*")
| parse regex "(?<raw_command>chmod\s+[\w+/\-]+\s+[^\s]+)" nodrop
| parse regex "(?<find_command>find\s+[^|;]+\-perm\s+[^\s]+)" nodrop
| parse regex "uid=(?<uid>\d+)" nodrop
| parse regex "auid=(?<auid>\d+)" nodrop
| parse regex "comm=\"?(?<command>[^\"\s]+)" nodrop
| parse regex "exe=\"?(?<executable>[^\"\s]+)" nodrop
| eval detection_type = if(
matches(_raw, "(?i)chmod.*(4[0-7]{3}|u\\+s|2[0-7]{3}|g\\+s|6[0-7]{3})"),
"Chmod_SUID_SGID_Set",
if(
matches(_raw, "(?i)find.*\\-perm.*(\\+4000|\\-4000|/4000|\\+2000|\\-2000|setuid|setgid)"),
"Find_SUID_Discovery",
if(
matches(_raw, "(?i)(uid=0|user=root).*((\/tmp|\/var\/tmp|\/dev\/shm|\/home\/)[^ ]+)"),
"Root_Exec_From_Writable_Path",
null
)
)
)
| where !isNull(detection_type)
| parse regex "hostname=(?<hostname>[^\s]+)" nodrop
| fields _messageTime, hostname, uid, command, executable, detection_type, _raw
| sort by _messageTime descSumo Logic detection for T1548.001 Setuid/Setgid abuse. Parses Linux auditd and syslog sources to detect chmod privilege bit setting, find-based SUID reconnaissance, and root execution from writable non-standard paths. Uses regex parsing against raw log events.
Data Sources
Required Tables
False Positives & Tuning
- Linux package installation scripts (rpm, dpkg) that set SUID bits on binaries such as passwd, ping, or sudo during legitimate software installs
- Security scanning tools like Lynis or OpenSCAP running SUID discovery as part of scheduled compliance checks
- Container entrypoint scripts executing as root from mounted home directories in development Kubernetes or Docker environments
Other platforms for T1548.001
Testing Methodology
Validate this detection against 3 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.
- Test 1Set SUID Bit on a Test Binary
Expected signal: Syslog/auditd: chmod syscall on /tmp/df00tech-suid-test with mode 04xxx. Process creation event for chmod with u+s argument. Sysmon for Linux (if deployed): FileModify event for /tmp/df00tech-suid-test.
- Test 2Discover SUID Binaries on the System
Expected signal: Process creation event for find with -perm /4000 argument. Syslog entry for find execution.
- Test 3Set SGID Bit on Test File
Expected signal: Auditd: chmod syscall with mode=02755 for /tmp/df00tech-sgid-test. Process creation for chmod command.
References (5)
- https://attack.mitre.org/techniques/T1548/001/
- https://gtfobins.github.io/#+suid
- https://www.welivesecurity.com/2016/07/06/new-osxkeydnap-malware-hungry-credentials/
- http://man7.org/linux/man-pages/man2/setuid.2.html
- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1548.001/T1548.001.md
Unlock Pro Content
Get the full detection package for T1548.001 including response playbook, investigation guide, and atomic red team tests.