Merge PR #5771 from @EzLucky - Add and Update Setcap Related Rules

new: Linux Setgid Capability Set on a Binary via Setcap Utility
new: Linux Setuid Capability Set on a Binary via Setcap Utility
fix: Capabilities Discovery - Linux - Removed unnecessary windash modifier

---------

Co-authored-by: Nasreddine Bencherchali <monsteroffire2@gmail.com>
Co-authored-by: Swachchhanda Shrawan Poudel <87493836+swachchhanda000@users.noreply.github.com>
Co-authored-by: phantinuss <79651203+phantinuss@users.noreply.github.com>

rules/linux/process_creation/proc_creation_lnx_cap_setgid.yml

@@ -0,0 +1,30 @@
+title: Linux Setgid Capability Set on a Binary via Setcap Utility
+id: 3a716279-c18c-4488-83be-f9ececbfb9fc
+status: experimental
+description: |
+    Detects the use of the 'setcap' utility to set the 'setgid' capability (cap_setgid) on a binary file.
+    This capability allows a non privileged process to make arbitrary manipulations of group IDs (GIDs), including setting its current GID to a value that would otherwise be restricted (i.e. GID 0, the root group).
+    This behavior can be used by adversaries to backdoor a binary in order to escalate privileges again in the future if needed.
+references:
+    - https://man7.org/linux/man-pages/man8/setcap.8.html
+    - https://dfir.ch/posts/linux_capabilities/
+    - https://juggernaut-sec.com/capabilities/#cap_setgid
+author: Luc Génaux
+date: 2026-01-24
+tags:
+    - attack.privilege-escalation
+    - attack.defense-evasion
+    - attack.persistence
+    - attack.t1548
+    - attack.t1554
+logsource:
+    product: linux
+    category: process_creation
+detection:
+    selection:
+        Image|endswith: '/setcap'
+        CommandLine|contains: 'cap_setgid'
+    condition: selection
+falsepositives:
+    - Unknown
+level: low

rules/linux/process_creation/proc_creation_lnx_cap_setuid.yml

@@ -0,0 +1,30 @@
+title: Linux Setuid Capability Set on a Binary via Setcap Utility
+id: ed447910-bc30-4575-a598-3a2e49516a7a
+status: experimental
+description: |
+    Detects the use of the 'setcap' utility to set the 'setuid' capability (cap_setuid) on a binary file.
+    This capability allows a non privileged process to make arbitrary manipulations of user IDs (UIDs), including setting its current UID to a value that would otherwise be restricted (i.e. UID 0, the root user).
+    This behavior can be used by adversaries to backdoor a binary in order to escalate privileges again in the future if needed.
+references:
+    - https://man7.org/linux/man-pages/man8/setcap.8.html
+    - https://dfir.ch/posts/linux_capabilities/
+    - https://juggernaut-sec.com/capabilities/#cap_setuid
+author: Luc Génaux
+date: 2026-01-24
+tags:
+    - attack.privilege-escalation
+    - attack.defense-evasion
+    - attack.persistence
+    - attack.t1548
+    - attack.t1554
+logsource:
+    product: linux
+    category: process_creation
+detection:
+    selection:
+        Image|endswith: '/setcap'
+        CommandLine|contains: 'cap_setuid'
+    condition: selection
+falsepositives:
+    - Unknown
+level: low

rules/linux/process_creation/proc_creation_lnx_capa_discovery.yml

@@ -8,7 +8,7 @@ references:
     - https://github.com/diego-treitos/linux-smart-enumeration
 author: Nasreddine Bencherchali (Nextron Systems)
 date: 2022-12-28
-modified: 2024-03-05
+modified: 2026-01-24
 tags:
     - attack.discovery
     - attack.t1083
@@ -18,7 +18,7 @@ logsource:
 detection:
     selection:
         Image|endswith: '/getcap'
-        CommandLine|contains|windash: ' -r '
+        CommandLine|contains: ' -r '
     condition: selection
 falsepositives:
     - Unknown