sigma-rules/rules/linux/privilege_escalation_setuid_bit_set_via_chmod.toml

[metadata]
creation_date = "2020/04/23"
maturity = "production"
updated_date = "2020/11/03"

[rule]
author = ["Elastic"]
description = """
An adversary may add the setuid bit to a file or directory in order to run a file with the privileges of the owning
user. An adversary can take advantage of this to either do a shell escape or exploit a vulnerability in an application
with the setuid bit to get code running in a different user’s context. Additionally, adversaries can use this mechanism
on their own malware to make sure they're able to execute in elevated contexts in the future.
"""
from = "now-9m"
index = ["auditbeat-*", "logs-endpoint.events.*"]
language = "lucene"
license = "Elastic License"
max_signals = 33
name = "Setuid Bit Set via chmod"
risk_score = 21
rule_id = "8a1b0278-0f9a-487d-96bd-d4833298e87a"
severity = "low"
tags = ["Elastic", "Host", "Linux", "Threat Detection", "Privilege Escalation"]
type = "query"

query = '''
event.category:process AND event.type:(start or process_started) AND process.name:chmod AND
  process.args:(u+s OR /4[0-9]{3}/) AND
  NOT user.name:root
'''


[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1166"
name = "Setuid and Setgid"
reference = "https://attack.mitre.org/techniques/T1166/"


[rule.threat.tactic]
id = "TA0004"
name = "Privilege Escalation"
reference = "https://attack.mitre.org/tactics/TA0004/"
[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1166"
name = "Setuid and Setgid"
reference = "https://attack.mitre.org/techniques/T1166/"


[rule.threat.tactic]
id = "TA0003"
name = "Persistence"
reference = "https://attack.mitre.org/tactics/TA0003/"