1{
2  "author": [
3    "Elastic"
4  ],
5  "description": "An adversary may add the setuid or setgid bit to a file or directory in order to run a file with the privileges of the owning user or group. An adversary can take advantage of this either to perform a shell escape or to exploit a vulnerability in an application with the setuid or setgid bit set, gaining code execution in a different user\u2019s context. Additionally, adversaries can use this mechanism on their own malware to ensure they are able to execute in elevated contexts in the future.",
6  "from": "now-9m",
7  "index": [
8    "auditbeat-*",
9    "logs-endpoint.events.*"
10  ],
11  "language": "lucene",
12  "license": "Elastic License v2",
13  "max_signals": 33,
14  "name": "Setuid / Setgid Bit Set via chmod",
15  "query": "event.category:process AND event.type:(start OR process_started) AND\n process.name:chmod AND process.args:(\"+s\" OR \"u+s\" OR /4[0-9]{3}/ OR g+s OR /2[0-9]{3}/) AND\n NOT process.args:\n           (\n             /.*\\/Applications\\/VirtualBox.app\\/.+/ OR\n             /\\/usr\\/local\\/lib\\/python.+/ OR\n             /\\/var\\/folders\\/.+\\/FP.*nstallHelper/ OR\n             /\\/Library\\/Filesystems\\/.+/ OR\n             /\\/usr\\/lib\\/virtualbox\\/.+/ OR\n             /\\/Library\\/Application.*/ OR\n             \"/run/postgresql\" OR\n             \"/var/crash\" OR\n             \"/var/run/postgresql\" OR\n             /\\/usr\\/bin\\/.+/ OR /\\/usr\\/local\\/share\\/.+/ OR\n             /\\/Applications\\/.+/ OR /\\/usr\\/libexec\\/.+/ OR\n             \"/var/metrics\" OR /\\/var\\/lib\\/dpkg\\/.+/ OR\n             /\\/run\\/log\\/journal\\/.*/ OR\n             \\/Users\\/*\\/.minikube\\/bin\\/docker-machine-driver-hyperkit\n           ) AND\n NOT process.parent.executable:\n           (\n             /\\/var\\/lib\\/docker\\/.+/ OR\n             \"/System/Library/PrivateFrameworks/PackageKit.framework/Versions/A/XPCServices/package_script_service.xpc/Contents/MacOS/package_script_service\" OR\n             \"/var/lib/dpkg/info/whoopsie.postinst\"\n           )\n",
16  "risk_score": 21,
17  "rule_id": "8a1b0278-0f9a-487d-96bd-d4833298e87a",
18  "severity": "low",
19  "tags": [
20    "Elastic",
21    "Host",
22    "Linux",
23    "macOS",
24    "Threat Detection",
25    "Privilege Escalation"
26  ],
27  "threat": [
28    {
29      "framework": "MITRE ATT&CK",
30      "tactic": {
31        "id": "TA0004",
32        "name": "Privilege Escalation",
33        "reference": "https://attack.mitre.org/tactics/TA0004/"
34      },
35      "technique": [
36        {
37          "id": "T1548",
38          "name": "Abuse Elevation Control Mechanism",
39          "reference": "https://attack.mitre.org/techniques/T1548/",
40          "subtechnique": [
41            {
42              "id": "T1548.001",
43              "name": "Setuid and Setgid",
44              "reference": "https://attack.mitre.org/techniques/T1548/001/"
45            }
46          ]
47        }
48      ]
49    },
50    {
51      "framework": "MITRE ATT&CK",
52      "tactic": {
53        "id": "TA0003",
54        "name": "Persistence",
55        "reference": "https://attack.mitre.org/tactics/TA0003/"
56      },
57      "technique": []
58    }
59  ],
60  "timestamp_override": "event.ingested",
61  "type": "query",
62  "version": 8
63}
64