Privilege Escalation via CAP_CHOWN/CAP_FOWNER Capabilities
Identifies instances where a process that has been granted the CAP_CHOWN and/or CAP_FOWNER capabilities is executed, after which the ownership of a suspicious file or binary is changed. In Linux, the CAP_CHOWN capability allows a process to change the owner of a file, while CAP_FOWNER permits it to bypass permission checks on operations that require file ownership (like reading, writing, and executing). Attackers may abuse these capabilities to obtain unauthorized access to files.
Rule type: eql
Rule indices:
- logs-endpoint.events.*
- auditbeat-*
- logs-auditd_manager.auditd-*
Severity: medium
Risk score: 47
Runs every: 5m
Searches indices from: now-9m (Date Math format, see also Additional look-back time)
Maximum alerts per execution: 100
References: None
Tags:
- Domain: Endpoint
- OS: Linux
- Use Case: Threat Detection
- Tactic: Privilege Escalation
- Data Source: Elastic Defend
Version: 1
Rule authors:
- Elastic
Rule license: Elastic License v2
Rule query
sequence by host.id, process.pid with maxspan=1s
  [process where host.os.type == "linux" and event.action == "exec" and event.type == "start" and
   process.name != null and process.thread.capabilities.effective : ("CAP_CHOWN", "CAP_FOWNER") and
   process.command_line : ("*sudoers*", "*passwd*", "*shadow*", "*/root/*") and user.id != "0"]
  [file where event.dataset == "auditd_manager.auditd" and host.os.type == "linux" and
   event.action == "changed-file-ownership-of" and event.type == "change" and event.outcome == "success" and
   file.path in ("/etc/passwd", "/etc/shadow", "/etc/sudoers", "/root/.ssh/*") and user.id != "0"]
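The two-stage sequence above, re-implemented in Python over a constructed event stream as an added example (it is not part of the Elastic rule or its documentation). It shows how the stages join on host.id and process.pid within the 1-second maxspan, and why a root-performed change, an out-of-window change and a benign chown do not alert. The event dicts use the query's ECS field names; the hosts, PIDs, user ids, command lines and timestamps are made up, and the trailing `/root/.ssh/*` entry is treated as a glob (an assumption).

```python
# Added example: Python re-implementation of the rule's EQL sequence, run over
# constructed sample events. Not part of the Elastic rule or its documentation;
# hosts, PIDs, uids, command lines and timestamps below are made up.
from datetime import datetime, timedelta
from fnmatch import fnmatch

MAXSPAN = timedelta(seconds=1)          # "with maxspan=1s"
CAPS = {"CAP_CHOWN", "CAP_FOWNER"}
CMDLINE_PATTERNS = ("*sudoers*", "*passwd*", "*shadow*", "*/root/*")
# Assumption: the last entry is meant as a glob, so all entries are matched with fnmatch.
SENSITIVE_PATHS = ("/etc/passwd", "/etc/shadow", "/etc/sudoers", "/root/.ssh/*")


def is_stage1(ev):
    """Step 1: a non-root exec holding CAP_CHOWN/CAP_FOWNER whose command line
    names sudoers/passwd/shadow or a path under /root."""
    caps = set(ev.get("process.thread.capabilities.effective", []))
    cmd = ev.get("process.command_line", "")
    return bool(
        ev.get("category") == "process"
        and ev.get("host.os.type") == "linux"
        and ev.get("event.action") == "exec"
        and ev.get("event.type") == "start"
        and ev.get("process.name") is not None
        and caps & CAPS
        and any(fnmatch(cmd, p) for p in CMDLINE_PATTERNS)
        and ev.get("user.id") != "0"
    )


def is_stage2(ev):
    """Step 2: auditd reports a successful ownership change of a sensitive file, not by root."""
    path = ev.get("file.path", "")
    return bool(
        ev.get("category") == "file"
        and ev.get("event.dataset") == "auditd_manager.auditd"
        and ev.get("host.os.type") == "linux"
        and ev.get("event.action") == "changed-file-ownership-of"
        and ev.get("event.type") == "change"
        and ev.get("event.outcome") == "success"
        and any(fnmatch(path, p) for p in SENSITIVE_PATHS)
        and ev.get("user.id") != "0"
    )


def find_sequences(events):
    """Join step-1 and step-2 events on (host.id, process.pid) in time order and
    keep only pairs whose step 2 falls within MAXSPAN of its step 1.
    Returns a list of (stage1_event, stage2_event) tuples."""
    pending = {}   # (host.id, process.pid) -> step-1 event still waiting for step 2
    matches = []
    for ev in sorted(events, key=lambda e: e["@timestamp"]):
        key = (ev["host.id"], ev["process.pid"])
        if is_stage1(ev):
            pending[key] = ev                  # a newer exec restarts the sequence
        elif is_stage2(ev) and key in pending:
            first = pending.pop(key)
            if ev["@timestamp"] - first["@timestamp"] <= MAXSPAN:
                matches.append((first, ev))
    return matches


T0 = datetime(2024, 1, 1, 12, 0, 0)      # constructed base time


def _exec(host, pid, uid, cmd, caps, ms):
    """Constructed process-exec event in the shape step 1 expects."""
    return {"@timestamp": T0 + timedelta(milliseconds=ms), "category": "process",
            "host.id": host, "host.os.type": "linux", "process.pid": pid,
            "event.action": "exec", "event.type": "start", "process.name": cmd.split()[0],
            "process.command_line": cmd, "process.thread.capabilities.effective": caps,
            "user.id": uid}


def _chown(host, pid, uid, path, ms):
    """Constructed auditd ownership-change event in the shape step 2 expects."""
    return {"@timestamp": T0 + timedelta(milliseconds=ms), "category": "file",
            "event.dataset": "auditd_manager.auditd", "host.id": host,
            "host.os.type": "linux", "process.pid": pid,
            "event.action": "changed-file-ownership-of", "event.type": "change",
            "event.outcome": "success", "file.path": path, "user.id": uid}


SAMPLE_EVENTS = [   # constructed sample stream, not real telemetry
    # host-a/4242: uid 33 execs with CAP_CHOWN, /etc/shadow changes owner 300 ms later -> alert
    _exec("host-a", 4242, "33", "chown www-data /etc/shadow", ["CAP_CHOWN"], 0),
    _chown("host-a", 4242, "33", "/etc/shadow", 300),
    # host-b/777: same pattern performed by root -> excluded by user.id != "0"
    _exec("host-b", 777, "0", "chown root /etc/sudoers", ["CAP_CHOWN", "CAP_FOWNER"], 0),
    _chown("host-b", 777, "0", "/etc/sudoers", 100),
    # host-c/9001: step 1 matches, but the ownership change arrives 5 s later -> outside maxspan
    _exec("host-c", 9001, "1000", "chown user /root/.ssh/authorized_keys", ["CAP_FOWNER"], 0),
    _chown("host-c", 9001, "1000", "/root/.ssh/authorized_keys", 5000),
    # host-d/31: capability present but a benign command line and path -> neither step matches
    _exec("host-d", 31, "1000", "chown user /home/user/notes.txt", ["CAP_CHOWN"], 0),
    _chown("host-d", 31, "1000", "/home/user/notes.txt", 50),
]

if __name__ == "__main__":
    for first, second in find_sequences(SAMPLE_EVENTS):
        print(f"ALERT host={first['host.id']} pid={first['process.pid']} uid={first['user.id']} "
              f"cmd={first['process.command_line']!r} -> owner change on {second['file.path']}")
```

Run directly, it prints the single host-a alert. One caveat when reading the original query: EQL's `in` operator compares exact strings, so the `/root/.ssh/*` entry only matches that literal path unless the wildcard-aware `:` operator is used; the example treats it as a glob, which is what the rule description implies.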
Framework: MITRE ATT&CK™
- Tactic:
  - Name: Privilege Escalation
  - ID: TA0004
  - Reference URL: https://attack.mitre.org/tactics/TA0004/
- Technique:
  - Name: Exploitation for Privilege Escalation
  - ID: T1068
  - Reference URL: https://attack.mitre.org/techniques/T1068/