Detectionlowtest

Setuid and Setgid

Detects suspicious change of file privileges with chown and chmod commands

Convert In Phoenix Studio

Open this Sigma rule in the converter with the YAML preloaded and ready for backend selection.

Launch

Ömer GünalCreated Tue Jun 16Updated Wed Oct 05c21c4eaa-ba2e-419a-92b2-8371703cbe21linux

Log Source

LinuxProcess Creation

ProductLinux← raw: linux

CategoryProcess Creation← raw: process_creation

Events generated when a new process is spawned on the system. Covers command-line arguments, parent/child relationships, and process metadata.

Detection Logic

detection:
    selection_root:
        CommandLine|contains: 'chown root'
    selection_perm:
        CommandLine|contains:
            - ' chmod u+s'
            - ' chmod g+s'
    condition: all of selection_*

False Positives

Legitimate administration activities

References

Resolving title…

github.com

MITRE ATT&CK

Tactics

TA0005 · Defense Evasion TA0003 · Persistence TA0004 · Privilege Escalation

Sub-techniques

T1548.001 · Setuid and Setgid

Rule Metadata

Rule ID

c21c4eaa-ba2e-419a-92b2-8371703cbe21

Status

test

Level

low

Type

Detection

Created

Tue Jun 16

Modified

Wed Oct 05

Author

Ömer Günal

Path

rules/linux/process_creation/proc_creation_lnx_setgid_setuid.yml

Raw Tags

attack.defense-evasionattack.persistenceattack.privilege-escalationattack.t1548.001

View on GitHub