[metadata]
creation_date = "2020/04/23"
ecs_version = ["1.4.0"]
maturity = "production"
updated_date = "2020/04/23"

[rule]
author = ["Elastic"]
description = """
An adversary may add the setuid bit to a file or directory in order to run a file with the privileges of the owning
user. An adversary can take advantage of this to either do a shell escape or exploit a vulnerability in an application
with the setuid bit to get code running in a different user’s context. Additionally, adversaries can use this mechanism
on their own malware to make sure they're able to execute in elevated contexts in the future.
"""
index = ["auditbeat-*"]
language = "lucene"
license = "Elastic License"
max_signals = 33
name = "Setuid Bit Set via chmod"
risk_score = 21
rule_id = "8a1b0278-0f9a-487d-96bd-d4833298e87a"
severity = "low"
tags = ["Elastic", "Linux"]
type = "query"

query = '''
event.action:(executed OR process_started) AND process.name:chmod AND process.args:(u+s OR /4[0-9]{3}/) AND NOT user.name:root
'''


[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1166"
name = "Setuid and Setgid"
reference = "https://attack.mitre.org/techniques/T1166/"


[rule.threat.tactic]
id = "TA0004"
name = "Privilege Escalation"
reference = "https://attack.mitre.org/tactics/TA0004/"
[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1166"
name = "Setuid and Setgid"
reference = "https://attack.mitre.org/techniques/T1166/"


[rule.threat.tactic]
id = "TA0004"
name = "Persistence"
reference = "https://attack.mitre.org/tactics/TA0004/"