{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata — refreshed continuously.","feed_url":"https://feed.craftedsignal.io/tags/sgid/","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["Elastic Defend"],"_cs_severities":["medium"],"_cs_tags":["privilege-escalation","persistence","defense-evasion","suid","sgid"],"_cs_type":"advisory","_cs_vendors":["Elastic"],"content_html":"\u003cp\u003eThe SUID (Set User ID) and SGID (Set Group ID) bits are file permission mechanisms in Unix-like operating systems that allow a program to be executed with the privileges of the file\u0026rsquo;s owner or group, respectively. While intended for legitimate purposes, such as allowing users to perform specific administrative tasks, they can be abused by attackers to escalate privileges. Attackers can exploit misconfigured SUID/SGID binaries to gain elevated access or persistence. This detection focuses on identifying processes running with root privileges (UID/GID 0) but initiated by non-root users, flagging potential misuse of SUID/SGID permissions on Linux systems monitored by Elastic Defend. This can indicate an attacker attempting to exploit a misconfiguration in order to escalate their privileges to root, or establish a backdoor for persistence.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker gains initial access to a Linux system via some vulnerability or compromised credentials.\u003c/li\u003e\n\u003cli\u003eThe attacker identifies binaries with SUID/SGID bits set.\u003c/li\u003e\n\u003cli\u003eThe attacker executes a vulnerable SUID/SGID binary, such as \u003ccode\u003efind\u003c/code\u003e or \u003ccode\u003enmap\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eThe binary executes with root privileges, even though the attacker is a non-root user.\u003c/li\u003e\n\u003cli\u003eThe attacker leverages the elevated privileges to read sensitive files, modify system configurations, or install malicious software.\u003c/li\u003e\n\u003cli\u003eThe attacker escalates privileges to root.\u003c/li\u003e\n\u003cli\u003eThe attacker establishes persistence by creating a new SUID/SGID binary or modifying an existing one.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of SUID/SGID misconfigurations can lead to complete system compromise, as attackers gain root privileges. Attackers can install malware, steal sensitive data, or disrupt critical services. The impact can range from data breaches to denial-of-service attacks. Given the broad range of binaries potentially affected, this vulnerability can impact various sectors and potentially affect a large number of Linux systems.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy the provided Sigma rule \u003ccode\u003ePrivilege Escalation via SUID/SGID\u003c/code\u003e to your SIEM to detect potential privilege escalation attempts.\u003c/li\u003e\n\u003cli\u003eEnable Elastic Defend integration to ensure the necessary process execution data is available.\u003c/li\u003e\n\u003cli\u003eRegularly audit SUID/SGID permissions across your Linux systems and remove unnecessary SUID/SGID bits.\u003c/li\u003e\n\u003cli\u003eInvestigate any alerts generated by the Sigma rule by checking \u003ccode\u003eprocess.real_user.id\u003c/code\u003e and \u003ccode\u003eprocess.real_group.id\u003c/code\u003e to determine if non-root users initiated the process.\u003c/li\u003e\n\u003cli\u003eReview the process details, including \u003ccode\u003eprocess.name\u003c/code\u003e and \u003ccode\u003eprocess.args\u003c/code\u003e, to understand the nature of the executed command and its intended function.\u003c/li\u003e\n\u003cli\u003eMonitor system logs for suspicious activity around the time of the alert to identify any related actions.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-11-02T12:00:00Z","date_published":"2024-11-02T12:00:00Z","id":"/briefs/2024-11-suid-sgid-privilege-escalation/","summary":"Attackers may leverage misconfigured SUID/SGID permissions on Linux systems to escalate privileges to root or establish persistence by executing processes with root privileges initiated by non-root users.","title":"Potential Privilege Escalation via SUID/SGID on Linux","url":"https://feed.craftedsignal.io/briefs/2024-11-suid-sgid-privilege-escalation/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["Elastic Defend"],"_cs_severities":["medium"],"_cs_tags":["privilege-escalation","persistence","suid","sgid"],"_cs_type":"advisory","_cs_vendors":["Elastic"],"content_html":"\u003cp\u003eThis detection rule, sourced from Elastic, identifies instances where a process executes with root privileges (UID/GID 0) while the real user/group ID is non-zero. This condition suggests that the process has been granted SUID/SGID permissions, potentially allowing it to run with elevated privileges. Attackers may exploit such misconfigurations to escalate their privileges to root or establish persistence mechanisms. The rule focuses on Linux systems and leverages Elastic Defend data to identify such events. The initial publication date of the rule was in June 2024, with updates made as recently as May 2026. This type of misconfiguration can lead to significant security breaches.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eA user (non-root) executes a binary that has the SUID or SGID bit set.\u003c/li\u003e\n\u003cli\u003eThe system checks the permissions of the executable and identifies the SUID/SGID bit.\u003c/li\u003e\n\u003cli\u003eThe process spawns with the effective UID/GID set to the owner/group of the executable file (typically root).\u003c/li\u003e\n\u003cli\u003eThe process attempts to perform actions that require elevated privileges.\u003c/li\u003e\n\u003cli\u003eIf the SUID/SGID binary is vulnerable, the attacker can leverage it to execute arbitrary commands as root.\u003c/li\u003e\n\u003cli\u003eThe attacker escalates privileges to root, gaining full control over the system.\u003c/li\u003e\n\u003cli\u003eThe attacker installs a backdoor for persistent access.\u003c/li\u003e\n\u003cli\u003eThe attacker performs malicious activities, such as data exfiltration or system compromise.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of SUID/SGID misconfigurations can grant an attacker root-level access to a Linux system. This can lead to complete system compromise, including data theft, installation of malware, and the potential for lateral movement to other systems on the network. A single compromised system can be leveraged to attack other internal assets.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy the provided Sigma rule to your SIEM to detect potential SUID/SGID exploitation (see the \u003ccode\u003erules\u003c/code\u003e section).\u003c/li\u003e\n\u003cli\u003eReview the SUID/SGID binaries identified by the rule and verify their configurations to ensure they are correctly set and necessary.\u003c/li\u003e\n\u003cli\u003eImplement enhanced monitoring and logging for SUID/SGID execution attempts to detect and respond to similar threats in the future (Data Source: Elastic Defend).\u003c/li\u003e\n\u003cli\u003eConsider implementing stricter access controls and reducing the number of SUID/SGID binaries on the system to minimize the attack surface.\u003c/li\u003e\n\u003cli\u003eInvestigate the parent process of the flagged binaries to determine the origin of the execution and whether it aligns with expected behavior.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-24T12:00:00Z","date_published":"2024-01-24T12:00:00Z","id":"/briefs/2024-01-suid-sgid-privesc/","summary":"This rule detects potential privilege escalation attempts on Linux systems by identifying processes running with root privileges but initiated by non-root users, indicative of SUID/SGID abuse.","title":"Potential Privilege Escalation via SUID/SGID Abuse on Linux","url":"https://feed.craftedsignal.io/briefs/2024-01-suid-sgid-privesc/"}],"language":"en","title":"CraftedSignal Threat Feed — Sgid","version":"https://jsonfeed.org/version/1.1"}