security-tools/blue-team-tools
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
797bcaebfeecfa154c5b912b3cd1d7ba159da505
blue-team-tools/rules/linux/process_creation/proc_creation_lnx_cap_setuid.yml
T
EzLucky 076da17939 Merge PR #5771 from @EzLucky - Add and Update Setcap Related Rules 
new: Linux Setgid Capability Set on a Binary via Setcap Utility
new: Linux Setuid Capability Set on a Binary via Setcap Utility
fix: Capabilities Discovery - Linux - Removed unnecessary windash modifier

---------

Co-authored-by: Nasreddine Bencherchali <monsteroffire2@gmail.com>
Co-authored-by: Swachchhanda Shrawan Poudel <87493836+swachchhanda000@users.noreply.github.com>
Co-authored-by: phantinuss <79651203+phantinuss@users.noreply.github.com>
2026-01-24 11:51:42 +01:00

31 lines
1.1 KiB
YAML
Raw Blame History

title: Linux Setuid Capability Set on a Binary via Setcap Utility
id: ed447910-bc30-4575-a598-3a2e49516a7a
status: experimental
description: |
Detects the use of the 'setcap' utility to set the 'setuid' capability (cap_setuid) on a binary file.
This capability allows a non privileged process to make arbitrary manipulations of user IDs (UIDs), including setting its current UID to a value that would otherwise be restricted (i.e. UID 0, the root user).
This behavior can be used by adversaries to backdoor a binary in order to escalate privileges again in the future if needed.
references:
- https://man7.org/linux/man-pages/man8/setcap.8.html
- https://dfir.ch/posts/linux_capabilities/
- https://juggernaut-sec.com/capabilities/#cap_setuid
author: Luc Génaux
date: 2026-01-24
tags:
- attack.privilege-escalation
- attack.defense-evasion
- attack.persistence
- attack.t1548
- attack.t1554
logsource:
product: linux
category: process_creation
detection:
selection:
Image|endswith: '/setcap'
CommandLine|contains: 'cap_setuid'
condition: selection
falsepositives:
- Unknown
level: low
Reference in New Issue View Git Blame Copy Permalink