SUID/SGUID Enumeration Detected
editSUID/SGUID Enumeration Detected
editThis rule monitors for the usage of the "find" command in conjunction with SUID and SGUID permission arguments. SUID (Set User ID) and SGID (Set Group ID) are special permissions in Linux that allow a program to execute with the privileges of the file owner or group, respectively, rather than the privileges of the user running the program. In case an attacker is able to enumerate and find a binary that is misconfigured, they might be able to leverage this misconfiguration to escalate privileges by exploiting vulnerabilities or built-in features in the privileged program.
Rule type: eql
Rule indices:
- logs-endpoint.events.*
Severity: low
Risk score: 21
Runs every: 5m
Searches indices from: now-9m (Date Math format, see also Additional look-back time
)
Maximum alerts per execution: 100
References: None
Tags:
- Domain: Endpoint
- OS: Linux
- Use Case: Threat Detection
- Tactic: Discovery
- Tactic: Privilege Escalation
- Data Source: Elastic Defend
Version: 3
Rule authors:
- Elastic
Rule license: Elastic License v2
Rule query
editprocess where host.os.type == "linux" and event.type == "start" and event.action == "exec" and process.name == "find" and process.args : "-perm" and process.args : ( "/6000", "-6000", "/4000", "-4000", "/2000", "-2000", "/u=s", "-u=s", "/g=s", "-g=s", "/u=s,g=s", "/g=s,u=s" ) and not ( user.Ext.real.id == "0" or group.Ext.real.id == "0" or process.args_count >= 12 or (process.args : "/usr/bin/pkexec" and process.args : "-xdev" and process.args_count == 7) )
Framework: MITRE ATT&CKTM
-
Tactic:
- Name: Discovery
- ID: TA0007
- Reference URL: https://attack.mitre.org/tactics/TA0007/
-
Technique:
- Name: File and Directory Discovery
- ID: T1083
- Reference URL: https://attack.mitre.org/techniques/T1083/
-
Tactic:
- Name: Privilege Escalation
- ID: TA0004
- Reference URL: https://attack.mitre.org/tactics/TA0004/
-
Technique:
- Name: Abuse Elevation Control Mechanism
- ID: T1548
- Reference URL: https://attack.mitre.org/techniques/T1548/
-
Sub-technique:
- Name: Setuid and Setgid
- ID: T1548.001
- Reference URL: https://attack.mitre.org/techniques/T1548/001/
-
Tactic:
- Name: Persistence
- ID: TA0003
- Reference URL: https://attack.mitre.org/tactics/TA0003/