Threat Feed
medium advisory

Potential Privilege Escalation via SUID/SGID on Linux

Attackers may leverage misconfigured SUID/SGID permissions on Linux systems to escalate privileges to root or to establish persistence. The telltale sign is a process running with an effective UID or GID of 0 whose real UID or GID still belongs to a non-root user.

The SUID (set-user-ID) and SGID (set-group-ID) bits are file permission bits on Unix-like systems. When a file carrying one of them is executed, the kernel sets the new process's effective UID (or effective GID) to the file's owner (or group) while leaving the real UID/GID as that of the user who ran it. That is how an unprivileged user can run passwd or sudo, which need root to do their job. It is also why the mechanism is a classic target: a setuid-root binary that can be made to spawn a shell, read or write arbitrary files, or execute arbitrary commands (find and nmap are the usual examples) hands the caller root, and a setuid-root copy of a shell dropped by an attacker is a durable backdoor. This detection flags processes running with effective UID or GID 0 (root) whose real UID or GID is not 0, as reported by Elastic Defend process events on monitored Linux hosts. That combination is the signature of a SUID/SGID launch rather than of a genuine root session, since a shell obtained through sudo or su runs with real UID 0 as well. Expect legitimate hits from the distribution's own setuid helpers (sudo, su, passwd, ping, mount); baseline them by full executable path rather than silencing them by name, so that an attacker's setuid copy of a shell renamed to sudo in /tmp still fires.

Attack Chain

  1. An attacker gains initial access to a Linux system as an unprivileged user, via a vulnerability or compromised credentials.
  2. The attacker enumerates files with the SUID or SGID bit set and looks for one that is owned by root and can be coaxed into running arbitrary commands, reading arbitrary files, or writing to them.
  3. The attacker executes such a binary, for example a setuid-root find or nmap.
  4. The kernel starts the process with effective UID 0 while its real UID remains the attacker's; any command the binary launches inherits that effective root identity (some shells, bash included, reset the effective UID to the real one on startup unless invoked with -p).
  5. With effective root the attacker reads sensitive files such as /etc/shadow, edits system configuration, or installs malicious software.
  6. The attacker converts the foothold into a full root shell.
  7. The attacker establishes persistence by creating a new SUID/SGID binary (typically a setuid-root copy of a shell) or by adding the bit to an existing one.

Impact

Successful exploitation of a SUID/SGID misconfiguration yields root and therefore complete compromise of the host: attackers can install malware, steal sensitive data, tamper with logs, or disrupt critical services, so the impact ranges from data breach to denial of service. Because setuid binaries ship with every Linux distribution and packages and administrators routinely add more, this class of misconfiguration is relevant to essentially any Linux estate, across sectors.

Recommendation

  • Deploy the provided Sigma rule Privilege Escalation via SUID/SGID to your SIEM to detect potential privilege escalation attempts.
  • Enable the Elastic Defend integration so that process execution events, including the real and effective user and group IDs the rule depends on, are available.
  • Regularly audit SUID/SGID permissions across your Linux systems, compare the inventory with a known-good baseline, and remove the bit from anything that does not need it; mount user-writable filesystems such as /tmp and /home with nosuid where possible.
  • Investigate alerts by comparing process.user.id and process.group.id (effective) with process.real_user.id and process.real_group.id (real): a real UID other than 0 together with an effective UID of 0 means the process was launched through a setuid binary, whereas a session obtained via sudo or su runs with real UID 0 and will not match.
  • Review process.name, process.executable and process.args to understand what was executed and whether the command line is consistent with the binary's intended function (a find or nmap invocation that spawns a shell is not).
  • Monitor system logs for suspicious activity around the time of the alert to identify related actions, such as newly created files with the SUID bit set or changes to /etc/passwd and /etc/sudoers.
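The audit step above, as an added example that is not code from the advisory or the platform: it inventories every regular file with the SUID or SGID bit under a root directory and diffs the result against an earlier baseline, so that a newly appeared setuid file or a changed mode stands out instead of being lost in the list of expected helpers. The demo tree it builds is a constructed fixture; on a real host you would call find_setid_files("/") and keep the JSON output as the baseline for the next run.

```python
"""Added example: inventory SUID/SGID files under a root and diff them against a baseline."""
import json
import os
import stat
import sys
import tempfile

SETID_MASK = stat.S_ISUID | stat.S_ISGID


def find_setid_files(root):
    """Return {relative_path: {"mode", "uid", "gid"}} for regular files under root with SUID or SGID set.

    Symlinks are skipped: the bit that matters is on the target, which is inventoried
    in its own right. Unreadable directories are skipped rather than aborting the audit.
    """
    found = {}
    for dirpath, _dirnames, filenames in os.walk(root, onerror=lambda _err: None):
        for name in filenames:
            path = os.path.join(dirpath, name)
            try:
                st = os.lstat(path)
            except OSError:
                continue
            if not stat.S_ISREG(st.st_mode) or not st.st_mode & SETID_MASK:
                continue
            found[os.path.relpath(path, root)] = {
                "mode": oct(stat.S_IMODE(st.st_mode)),  # e.g. '0o4755'
                "uid": st.st_uid,
                "gid": st.st_gid,
            }
    return found


def diff_against_baseline(current, baseline):
    """Compare an inventory with an earlier one; anything 'new' or 'changed' needs a reason."""
    return {
        "new": sorted(p for p in current if p not in baseline),
        "removed": sorted(p for p in baseline if p not in current),
        "changed": sorted(p for p in current if p in baseline and current[p] != baseline[p]),
    }


def build_demo_tree():
    """Constructed fixture: a temp tree with one SUID file, one SGID file, a plain file and a symlink."""
    base = tempfile.mkdtemp(prefix="setid-audit-")
    bindir = os.path.join(base, "usr", "bin")
    os.makedirs(bindir)
    for name, mode in (("passwd", 0o4755), ("wall", 0o2755), ("ls", 0o755)):
        path = os.path.join(bindir, name)
        with open(path, "w") as fh:
            fh.write("#!/bin/sh\nexit 0\n")
        os.chmod(path, mode)  # setting the bit on your own file needs no privilege
    os.symlink(os.path.join(bindir, "passwd"), os.path.join(bindir, "passwd-link"))
    return base


if __name__ == "__main__":
    # Usage: python setid_audit.py [ROOT]   (defaults to the constructed demo tree)
    root = sys.argv[1] if len(sys.argv) > 1 else build_demo_tree()
    print(json.dumps(find_setid_files(root), indent=2, sort_keys=True))
```

On a live system the one-shot equivalent is find / -xdev -type f -perm /6000, but keeping the inventory as structured data is what makes the baseline diff useful: a setuid file that appears between two runs, or a mode that changes from 0o755 to 0o4755, is exactly the persistence step in the attack chain.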

Detection coverage (2 rules)

Privilege Escalation via SUID/SGID

medium

Detects processes running with root privileges (UID/GID 0) but initiated by non-root users, indicating potential SUID/SGID abuse.

Sigma. Tactics: privilege_escalation. Techniques: T1548.001. Sources: process_creation, linux.

Suspicious SUID/SGID Execution with Common Tools

high

Detects specific SUID/SGID binaries being executed by non-root users, focusing on common tools abused for privilege escalation.

Sigma. Tactics: privilege_escalation. Techniques: T1548.001. Sources: process_creation, linux.
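The two rules above share one predicate (effective UID or GID 0 with a non-zero real UID or GID) and differ in what they do with the binary name. The following Python is an added example, not the platform's rule logic or code from the original advisory; it applies that predicate to constructed Elastic Defend-style events using ECS field names (process.user.id, process.real_user.id, process.group.id, process.real_group.id, process.executable, process.args) and adds the two tuning steps the recommendations call for: an allowlist of expected setuid helpers keyed on full path, and a high-severity escalation for the binaries the advisory names or for executables outside the standard system directories. The allowlist, the high-risk set, the directory list, the hypothetical logreader binary and the sample events are all assumptions constructed for the example.

```python
"""Added example: the advisory's two rule shapes, applied to constructed process events."""
import json

# Setuid-root helpers ordinary users are expected to run. Keyed on full executable
# path so an attacker's setuid shell named "sudo" in /tmp is not suppressed.
# Assumption for this example; tune it to your fleet.
EXPECTED_SETUID_ROOT = {
    "/usr/bin/sudo", "/usr/bin/su", "/usr/bin/passwd", "/usr/bin/ping",
    "/usr/bin/mount", "/usr/bin/umount", "/usr/bin/chsh", "/usr/bin/chfn",
}

# Binaries the advisory names (find, nmap) plus shells and interpreters that give
# the caller an arbitrary-command primitive when they carry the SUID bit.
HIGH_RISK_SETID = {"find", "nmap", "sh", "bash", "dash", "zsh", "python3", "perl", "vim", "less"}

# Where setid binaries normally live; a root-privileged process started from
# anywhere else (e.g. /tmp) is escalated to high severity.
STANDARD_BIN_DIRS = ("/usr/bin/", "/usr/sbin/", "/bin/", "/sbin/", "/usr/lib/", "/usr/libexec/")


def get(obj, dotted, default=None):
    """Walk a dotted ECS path such as 'process.real_user.id' through nested dicts."""
    for key in dotted.split("."):
        if not isinstance(obj, dict) or key not in obj:
            return default
        obj = obj[key]
    return obj


def classify(event):
    """Return an alert dict for a process start that gained root via SUID/SGID, else None."""
    if "process" not in get(event, "event.category", []) or "start" not in get(event, "event.type", []):
        return None
    euid, ruid = get(event, "process.user.id"), get(event, "process.real_user.id")
    egid, rgid = get(event, "process.group.id"), get(event, "process.real_group.id")
    if euid is None or ruid is None:
        return None  # no real-UID telemetry: a SUID launch cannot be told apart from a root session
    gained_root_uid = euid == "0" and ruid != "0"
    gained_root_gid = egid == "0" and rgid not in (None, "0")
    if not (gained_root_uid or gained_root_gid):
        return None  # plain user process, or a real root session (sudo/su children have ruid 0 too)
    name, exe = get(event, "process.name", ""), get(event, "process.executable", "")
    if exe in EXPECTED_SETUID_ROOT:
        return None  # baselined helper at its canonical path
    severity = "high" if name in HIGH_RISK_SETID or not exe.startswith(STANDARD_BIN_DIRS) else "medium"
    return {
        "severity": severity,
        "process": name,
        "executable": exe,
        "args": " ".join(get(event, "process.args", [])),
        "real_user": ruid,
        "parent": get(event, "process.parent.name"),
        "reason": "euid 0 with real uid %s" % ruid if gained_root_uid else "egid 0 with real gid %s" % rgid,
    }


def scan(events):
    """Apply classify() to a stream of events and keep only the alerts."""
    return [alert for alert in map(classify, events) if alert]


def ev(name, exe, euid, ruid, egid=None, rgid=None, parent="bash", args=None):
    """Build a constructed Elastic Defend-style process start event (ECS field names)."""
    return {
        "event": {"category": ["process"], "type": ["start"]},
        "process": {
            "name": name, "executable": exe, "args": args or [name],
            "user": {"id": euid}, "real_user": {"id": ruid},
            "group": {"id": euid if egid is None else egid},
            "real_group": {"id": ruid if rgid is None else rgid},
            "parent": {"name": parent},
        },
    }


# Constructed sample telemetry, not real Elastic Defend output.
SAMPLE_EVENTS = [
    ev("ls", "/usr/bin/ls", "1000", "1000"),                                      # ordinary user command
    ev("cron", "/usr/sbin/cron", "0", "0", parent="systemd"),                     # root running as root
    ev("sudo", "/usr/bin/sudo", "0", "1000"),                                     # expected setuid helper
    ev("find", "/usr/bin/find", "0", "1000",
       args=["find", ".", "-exec", "/bin/sh", "-p", ";"]),                        # SUID find from the attack chain
    ev("sh", "/bin/sh", "0", "1000", parent="find", args=["/bin/sh", "-p"]),     # the shell it spawned
    ev("logreader", "/usr/bin/logreader", "1000", "1000", egid="0", rgid="1000"),  # hypothetical SGID-root tool
    ev("sudo", "/tmp/.x/sudo", "0", "1000"),                                      # planted setuid copy named sudo
]

# An event with no process.real_user field: the predicate cannot be evaluated.
EVENT_WITHOUT_REAL_UID = {
    "event": {"category": ["process"], "type": ["start"]},
    "process": {"name": "sh", "executable": "/bin/sh", "user": {"id": "0"}},
}

if __name__ == "__main__":
    for alert in scan(SAMPLE_EVENTS):
        print(json.dumps(alert))
```

Two points worth carrying into the real rule: the /usr/bin/sudo event is suppressed only because its path matches, while the identical-looking /tmp/.x/sudo event is not; and the shell spawned by find is caught on its own merits (sh with effective UID 0 and real UID 1000), so the detection still fires if the attacker's initial setuid binary is one the high-risk list does not name.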

Detection queries are kept inside the platform.