security-tools/blue-team-tools
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
b2acd800981e1c8d9f747173eb7803f0405cebd6
blue-team-tools/rules/linux/process_creation/proc_creation_lnx_setgid_setuid.yml
T
david-syk 3eaaa050b7 Merge PR #5452 from @david-syk - Update the MITRE ATT&CK tags for multiple rules 
chore: update the MITRE ATT&CK tags for multiple rules
2025-06-04 14:39:25 +02:00

28 lines
799 B
YAML
Raw Blame History

title: Setuid and Setgid
id: c21c4eaa-ba2e-419a-92b2-8371703cbe21
status: test
description: Detects suspicious change of file privileges with chown and chmod commands
references:
- https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1548.001/T1548.001.md
author: Ömer Günal
date: 2020-06-16
modified: 2022-10-05
tags:
- attack.persistence
- attack.privilege-escalation
- attack.t1548.001
logsource:
product: linux
category: process_creation
detection:
selection_root:
CommandLine|contains: 'chown root'
selection_perm:
CommandLine|contains:
- ' chmod u+s'
- ' chmod g+s'
condition: all of selection_*
falsepositives:
- Legitimate administration activities
level: low
Reference in New Issue View Git Blame Copy Permalink