title: Setuid and Setgid (T1548.001)
id: df00tech-t1548-001
status: experimental
description: "Adversaries abuse the setuid (SUID) and setgid (SGID) permission bits on Linux and macOS to execute code in another user's context, typically root. When a file with SUID is executed, it runs as the file owner rather than the executing user. Adversaries can set SUID on their malware to enable future privilege escalation, or exploit existing SUID binaries listed on GTFOBins. Keydnap malware added setuid to binaries; Exaramel for Linux used a setuid binary for privilege escalation. The find command is commonly used by attackers to discover exploitable SUID/SGID binaries."
references:
  - https://attack.mitre.org/techniques/T1548/001/
  - https://df00tech.com/detections/T1548.001
author: df00tech
date: 2026/04/20
tags:
  - attack.t1548.001
# NOTE: logsource is auto-derived and may need adjustment for your environment
logsource:
  category: process_creation
  product: linux  # T1548.001 applies to Linux and macOS hosts, not Windows
detection:
  # This detection logic could not be auto-translated; see the KQL/SPL query on df00tech.
  selection:
    EventID: '*'
  condition: selection
falsepositives:
  - "System administrators legitimately setting SUID on binaries that require it (e.g., ping, passwd, sudo itself)"
  - "Package manager installations (apt, yum, dnf) that set appropriate SUID bits on system utilities"
  - "Security auditors running find commands to enumerate SUID binaries during authorized security assessments"
  - "Software build systems that set SUID bits on installed binaries as part of the build process"
level: high

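Because the detection block above is only a placeholder, here is an added example (not df00tech's code) of the point-in-time check that underpins this technique's detection on a Linux or macOS host: enumerate regular files carrying the setuid or setgid bit and compare them against a baseline, so a newly dropped SUID file or a changed mode on a known one stands out. The baseline paths and the `/usr/bin` scan root are assumptions made for the example.

```python
import os
import stat
from typing import Dict, Iterable, List, Tuple

# Constructed baseline of SUID/SGID files an administrator expects to find,
# as permission bits (stat.S_IMODE). Illustrative, not a vetted allowlist.
BASELINE_SUID: Dict[str, int] = {
    "/usr/bin/passwd": 0o4755,
    "/usr/bin/sudo": 0o4755,
    "/bin/ping": 0o4755,
}

def is_suid_or_sgid(mode: int) -> bool:
    """True when the setuid or setgid bit is present in a st_mode value."""
    return bool(mode & (stat.S_ISUID | stat.S_ISGID))

def find_unexpected(entries: Iterable[Tuple[str, int]],
                    baseline: Dict[str, int]) -> List[Tuple[str, str]]:
    """Return (path, reason) for each SUID/SGID file absent from the baseline
    or whose permission bits differ from it. entries yields (path, st_mode)."""
    findings = []
    for path, mode in entries:
        if not is_suid_or_sgid(mode):
            continue  # files without either bit are out of scope
        perm = stat.S_IMODE(mode)
        expected = baseline.get(path)
        if expected is None:
            findings.append((path, "new setuid/setgid file"))
        elif perm != expected:
            findings.append((path, f"mode changed from {expected:#o} to {perm:#o}"))
    return findings

def walk_modes(root: str) -> Iterable[Tuple[str, int]]:
    """Yield (path, st_mode) for regular files under root. lstat avoids following
    symlinks. Files on a nosuid mount are still reported: the bit is set on
    disk even though the kernel will not honour it there."""
    for dirpath, _, names in os.walk(root):
        for name in names:
            path = os.path.join(dirpath, name)
            try:
                st = os.lstat(path)
            except OSError:
                continue  # vanished or unreadable during the walk
            if stat.S_ISREG(st.st_mode):
                yield path, st.st_mode

if __name__ == "__main__":
    for path, reason in find_unexpected(walk_modes("/usr/bin"), BASELINE_SUID):
        print(f"{path}: {reason}")
```

This is a periodic scan; the event-driven counterpart is telemetry on the chmod/fchmodat calls that set these bits, which is what the rule's logsource is meant to capture.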