1{ 2 "author": [ 3 "Elastic" 4 ], 5 "description": "An adversary may add the setuid or setgid bit to a file or directory in order to run a file with the privileges of the owning user or group. An adversary can take advantage of this to either do a shell escape or exploit a vulnerability in an application with the setuid or setgid bit to get code running in a different user\u2019s context. Additionally, adversaries can use this mechanism on their own malware to make sure they're able to execute in elevated contexts in the future.", 6 "from": "now-9m", 7 "index": [ 8 "auditbeat-*", 9 "logs-endpoint.events.*" 10 ], 11 "language": "lucene", 12 "license": "Elastic License v2", 13 "max_signals": 33, 14 "name": "Setuid / Setgid Bit Set via chmod", 15 "query": "event.category:process AND event.type:(start OR process_started) AND\n process.name:chmod AND process.args:(\"+s\" OR \"u+s\" OR /4[0-9]{3}/ OR g+s OR /2[0-9]{3}/) AND\n NOT process.args:\n (\n /.*\\/Applications\\/VirtualBox.app\\/.+/ OR\n /\\/usr\\/local\\/lib\\/python.+/ OR\n /\\/var\\/folders\\/.+\\/FP.*nstallHelper/ OR\n /\\/Library\\/Filesystems\\/.+/ OR\n /\\/usr\\/lib\\/virtualbox\\/.+/ OR\n /\\/Library\\/Application.*/ OR\n \"/run/postgresql\" OR\n \"/var/crash\" OR\n \"/var/run/postgresql\" OR\n /\\/usr\\/bin\\/.+/ OR /\\/usr\\/local\\/share\\/.+/ OR\n /\\/Applications\\/.+/ OR /\\/usr\\/libexec\\/.+/ OR\n \"/var/metrics\" OR /\\/var\\/lib\\/dpkg\\/.+/ OR\n /\\/run\\/log\\/journal\\/.*/ OR\n \\/Users\\/*\\/.minikube\\/bin\\/docker-machine-driver-hyperkit\n ) AND\n NOT process.parent.executable:\n (\n /\\/var\\/lib\\/docker\\/.+/ OR\n \"/System/Library/PrivateFrameworks/PackageKit.framework/Versions/A/XPCServices/package_script_service.xpc/Contents/MacOS/package_script_service\" OR\n \"/var/lib/dpkg/info/whoopsie.postinst\"\n )\n", 16 "risk_score": 21, 17 "rule_id": "8a1b0278-0f9a-487d-96bd-d4833298e87a", 18 "severity": "low", 19 "tags": [ 20 "Elastic", 21 "Host", 22 "Linux", 23 "macOS", 24 "Threat Detection", 25 "Privilege Escalation" 26 ], 27 "threat": [ 28 { 29 "framework": "MITRE ATT&CK", 30 "tactic": { 31 "id": "TA0004", 32 "name": "Privilege Escalation", 33 "reference": "https://attack.mitre.org/tactics/TA0004/" 34 }, 35 "technique": [ 36 { 37 "id": "T1548", 38 "name": "Abuse Elevation Control Mechanism", 39 "reference": "https://attack.mitre.org/techniques/T1548/", 40 "subtechnique": [ 41 { 42 "id": "T1548.001", 43 "name": "Setuid and Setgid", 44 "reference": "https://attack.mitre.org/techniques/T1548/001/" 45 } 46 ] 47 } 48 ] 49 }, 50 { 51 "framework": "MITRE ATT&CK", 52 "tactic": { 53 "id": "TA0003", 54 "name": "Persistence", 55 "reference": "https://attack.mitre.org/tactics/TA0003/" 56 }, 57 "technique": [] 58 } 59 ], 60 "timestamp_override": "event.ingested", 61 "type": "query", 62 "version": 8 63} 64