[metadata] creation_date = "2020/04/23" deprecation_date = "2021/03/16" maturity = "deprecated" updated_date = "2021/03/16" [rule] author = ["Elastic"] description = """ An adversary may add the setgid bit to a file or directory in order to run a file with the privileges of the owning group. An adversary can take advantage of this to either do a shell escape or exploit a vulnerability in an application with the setgid bit to get code running in a different user’s context. Additionally, adversaries can use this mechanism on their own malware to make sure they're able to execute in elevated contexts in the future. """ from = "now-9m" index = ["auditbeat-*", "logs-endpoint.events.*"] language = "lucene" license = "Elastic License" max_signals = 33 name = "Setgid Bit Set via chmod" risk_score = 21 rule_id = "3a86e085-094c-412d-97ff-2439731e59cb" severity = "low" tags = ["Elastic", "Host", "Linux", "Threat Detection", "Privilege Escalation"] timestamp_override = "event.ingested" type = "query" query = ''' event.category:process AND event.type:(start or process_started) AND process.name:chmod AND process.args:(g+s OR /2[0-9]{3}/) AND NOT user.name:root ''' [[rule.threat]] framework = "MITRE ATT&CK" [[rule.threat.technique]] id = "T1548" name = "Abuse Elevation Control Mechanism" reference = "https://attack.mitre.org/techniques/T1548/" [[rule.threat.technique.subtechnique]] id = "T1548.001" name = "Setuid and Setgid" reference = "https://attack.mitre.org/techniques/T1548/001/" [rule.threat.tactic] id = "TA0004" name = "Privilege Escalation" reference = "https://attack.mitre.org/tactics/TA0004/" [[rule.threat]] framework = "MITRE ATT&CK" [rule.threat.tactic] id = "TA0003" name = "Persistence" reference = "https://attack.mitre.org/tactics/TA0003/"