Potential Privilege Escalation via SUID/SGID on Linux
This rule detects potential privilege escalation under the root effective user when the real user and parent user are not root, indicative of the execution of binaries with SUID or SGID bits set, often exploited by adversaries to gain elevated access on Linux systems.
Adversaries can exploit misconfigured SUID/SGID binaries to gain elevated privileges on Linux systems. This detection identifies processes running with root privileges but initiated by non-root users, flagging potential misuse of SUID/SGID permissions. The technique is often combined with scripting languages or command execution environments to escalate privileges. This rule specifically targets scenarios where the process's effective user ID is root (0) while the real user ID and the parent process's user ID are not root, indicating that a non-root user executed a binary with the SUID or SGID bit set. This is particularly relevant for defenders because such execution can lead to unauthorized access to and control over the system.
Attack Chain
- A non-root user executes a script (e.g., bash, python, perl).
- The script invokes a binary with the SUID or SGID bit set.
- The SUID/SGID binary executes with root privileges.
- The process’s effective user ID is now root (0), while the real user ID remains the non-root user’s ID.
- The parent process retains the non-root user’s privileges.
- The attacker leverages the elevated privileges of the SUID/SGID binary to perform actions requiring root access.
- This can involve modifying system files, installing backdoors, or creating new privileged accounts.
- The attacker achieves persistence or expands their control over the compromised system.
Impact
Successful exploitation can lead to complete system compromise, allowing attackers to perform any action with root privileges. This can include installing malicious software, modifying system configurations, accessing sensitive data, and creating persistent backdoors. The impact can range from data breaches and service disruptions to complete system takeover.
Recommendation
- Deploy the Sigma rule Potential Privilege Escalation via SUID/SGID to your SIEM and tune it for your environment.
- Investigate any alerts generated by the Sigma rule, focusing on the parent process and command line arguments.
- Review SUID/SGID binaries on your systems and ensure they are properly configured and necessary.
- Monitor process creations for binaries running with root privileges but initiated by non-root users.
- Implement the provided triage and analysis steps from the rule Potential Privilege Escalation via SUID/SGID to determine if the escalation is unauthorized.
Detection coverage (3 rules)
Potential Privilege Escalation via SUID/SGID
Severity: high. Detects potential privilege escalation under the root effective user when the real user and parent user are not root, indicative of the execution of binaries with SUID or SGID bits set.
Potential SUID/SGID Binary Execution via Scripting Languages
Severity: medium. Detects execution of SUID/SGID binaries invoked by scripting languages (python, perl, ruby, lua, php, node, deno, bun, java), indicating potential privilege escalation.
Potential SUID/SGID Execution via Shell with -c Argument
Severity: medium. Detects potential privilege escalation via SUID/SGID when executed through a shell with the -c argument.
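The core condition described in the rule text (effective user root while the real user and the parent's user are not root) and the three coverage entries above, implemented as an added Python example that is not the platform's own rule code. The event field names, the list of shell names, and the sample events are constructed assumptions; the interpreter list comes from the scripting-languages rule.

```python
import os
from dataclasses import dataclass

# Interpreter names come from the scripting-languages rule text above;
# the shell names are an assumption used for the "-c" rule.
SCRIPTING_INTERPRETERS = {"python", "perl", "ruby", "lua", "php", "node", "deno", "bun", "java"}
SHELLS = {"sh", "bash", "dash", "zsh", "ksh"}


@dataclass(frozen=True)
class ProcEvent:
    """Constructed process-creation event; field names are assumptions."""
    image: str            # path of the newly created process
    uid: int              # effective user id the process runs as
    ruid: int             # real user id of whoever started it
    parent_image: str     # path of the parent process
    parent_uid: int       # real user id of the parent
    parent_cmdline: str   # parent's command line


def _name(path: str) -> str:
    # "/usr/bin/python3.11" -> "python": drop directory and version suffix
    return os.path.basename(path).rstrip("0123456789.")


def evaluate(ev: ProcEvent) -> list[tuple[str, str]]:
    """Return (rule title, severity) pairs that fire for one event."""
    # Shared condition: effective user is root while neither the real user nor
    # the parent's user is root, i.e. a non-root user ran a SUID/SGID binary.
    if not (ev.uid == 0 and ev.ruid != 0 and ev.parent_uid != 0):
        return []
    hits = [("Potential Privilege Escalation via SUID/SGID", "high")]
    parent = _name(ev.parent_image)
    if parent in SCRIPTING_INTERPRETERS:
        hits.append(("Potential SUID/SGID Binary Execution via Scripting Languages", "medium"))
    if parent in SHELLS and "-c" in ev.parent_cmdline.split():
        hits.append(("Potential SUID/SGID Execution via Shell with -c Argument", "medium"))
    return hits


# Constructed sample telemetry. Legitimate SUID tools such as passwd also match
# the high rule, which is why the rule must be tuned per environment.
SAMPLE_EVENTS = [
    ProcEvent("/usr/bin/passwd", 0, 1000, "/usr/bin/bash", 1000, "bash"),
    ProcEvent("/usr/local/bin/backup-tool", 0, 1000, "/usr/bin/python3.11", 1000, "python3 run.py"),
    ProcEvent("/usr/local/bin/backup-tool", 0, 1000, "/bin/sh", 1000, "sh -c /usr/local/bin/backup-tool"),
    ProcEvent("/usr/bin/passwd", 0, 0, "/usr/bin/bash", 0, "bash"),       # root all the way: no hit
    ProcEvent("/usr/bin/ls", 1000, 1000, "/usr/bin/bash", 1000, "bash"),  # ordinary user process
]

if __name__ == "__main__":
    for ev in SAMPLE_EVENTS:
        for title, sev in evaluate(ev):
            print(f"[{sev}] {title}: {ev.image}")
```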