EXPLORE
Sign In
← Back to Explore
T1548.001

Setuid and Setgid

An adversary may abuse configurations where an application has the setuid or setgid bits set in order to get code running in a different (and possibly more privileged) user’s context. On Linux or macOS, when the setuid or setgid bits are set for an application binary, the application will run with the privileges of the owning user or group respectively.(Citation: setuid man page) Normally an application is run in the current user’s context, regardless of which user or group owns the application....

LinuxmacOS
21
Detections
3
Sources
0
Threat Actors

BY SOURCE

15elastic5splunk_escu1sigma

PROCEDURES (9)

General Monitoring9 detections

Auto-extracted: 9 detections for general monitoring

Persist3 detections

Auto-extracted: 3 detections for persist

Process Creation Monitoring2 detections

Auto-extracted: 2 detections for process creation monitoring

Authentication Monitoring2 detections

Auto-extracted: 2 detections for authentication monitoring

Container1 detections

Auto-extracted: 1 detections for container

Container1 detections

Auto-extracted: 1 detections for container

Persist1 detections

Auto-extracted: 1 detections for persist

Script Execution Monitoring1 detections

Auto-extracted: 1 detections for script execution monitoring

Persist1 detections

Auto-extracted: 1 detections for persist

DETECTIONS (21)

File Execution Permission Modification Detected via Defend for Containers
elasticlow
Linux Auditd Setuid Using Chmod Utility
splunk_escu
Linux Auditd Setuid Using Setcap Utility
splunk_escu
Linux Common Process For Elevation Control
splunk_escu
Linux Setuid Using Chmod Utility
splunk_escu
Linux Setuid Using Setcap Utility
splunk_escu
Potential Privilege Escalation via CVE-2023-4911
elastichigh
Potential Privilege Escalation via Enlightenment
elastichigh
Potential Privilege Escalation via Python cap_setuid
elastichigh
Potential Privilege Escalation via Recently Compiled Executable
elastichigh
Potential Privilege Escalation via SUID/SGID Proxy Execution
elasticmedium
Privilege Escalation via CAP_SETUID/SETGID Capabilities
elasticmedium
Privilege Escalation via SUID/SGID
elasticmedium
Setcap setuid/setgid Capability Set
elastichigh
Setuid and Setgid
sigmalow
SUID/SGID Bit Set
elasticlow
SUID/SGUID Enumeration Detected
elasticmedium
Suspicious File Made Executable via Chmod Inside A Container
elasticlow
System Binary Path File Permission Modification
elasticlow
UID Elevation from Previously Unknown Executable
elastichigh
Unusual Pkexec Execution
elastichigh