{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata — refreshed continuously.","feed_url":"https://feed.craftedsignal.io/tags/suid/","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["Elastic Defend"],"_cs_severities":["medium"],"_cs_tags":["privilege-escalation","persistence","defense-evasion","suid","sgid"],"_cs_type":"advisory","_cs_vendors":["Elastic"],"content_html":"\u003cp\u003eThe SUID (Set User ID) and SGID (Set Group ID) bits are file permission mechanisms in Unix-like operating systems that allow a program to be executed with the privileges of the file\u0026rsquo;s owner or group, respectively. While intended for legitimate purposes, such as allowing users to perform specific administrative tasks, they can be abused by attackers to escalate privileges. Attackers can exploit misconfigured SUID/SGID binaries to gain elevated access or persistence. This detection focuses on identifying processes whose effective UID/GID is 0 (root) while their real UID/GID belongs to a non-root user, i.e. root-level processes initiated by non-root users, flagging potential misuse of SUID/SGID permissions on Linux systems monitored by Elastic Defend. 
This can indicate an attacker attempting to exploit a misconfiguration in order to escalate their privileges to root, or establish a backdoor for persistence.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker gains initial access to a Linux system via some vulnerability or compromised credentials.\u003c/li\u003e\n\u003cli\u003eThe attacker identifies binaries with SUID/SGID bits set.\u003c/li\u003e\n\u003cli\u003eThe attacker executes a SUID/SGID binary that can be made to run arbitrary commands or read arbitrary files, such as \u003ccode\u003efind\u003c/code\u003e or \u003ccode\u003enmap\u003c/code\u003e when the SUID bit has been set on them.\u003c/li\u003e\n\u003cli\u003eThe binary executes with an effective UID of root, even though the attacker\u0026rsquo;s real UID is that of a non-root user.\u003c/li\u003e\n\u003cli\u003eThe attacker uses the binary to spawn a root shell or otherwise escalate to root.\u003c/li\u003e\n\u003cli\u003eThe attacker leverages the elevated privileges to read sensitive files, modify system configurations, or install malicious software.\u003c/li\u003e\n\u003cli\u003eThe attacker establishes persistence by creating a new SUID/SGID binary or modifying an existing one.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of SUID/SGID misconfigurations can lead to complete system compromise, as attackers gain root privileges. Attackers can install malware, steal sensitive data, or disrupt critical services. The impact can range from data breaches to denial-of-service attacks. 
Because any binary that carries a SUID/SGID bit is a candidate for abuse, this misconfiguration is not tied to one package or sector and can affect a large number of Linux systems.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy the provided Sigma rule \u003ccode\u003ePrivilege Escalation via SUID/SGID\u003c/code\u003e to your SIEM to detect potential privilege escalation attempts.\u003c/li\u003e\n\u003cli\u003eEnable Elastic Defend integration to ensure the necessary process execution data is available.\u003c/li\u003e\n\u003cli\u003eRegularly audit SUID/SGID permissions across your Linux systems and remove unnecessary SUID/SGID bits.\u003c/li\u003e\n\u003cli\u003eInvestigate any alerts generated by the Sigma rule by checking \u003ccode\u003eprocess.real_user.id\u003c/code\u003e and \u003ccode\u003eprocess.real_group.id\u003c/code\u003e to determine if non-root users initiated the process.\u003c/li\u003e\n\u003cli\u003eReview the process details, including \u003ccode\u003eprocess.name\u003c/code\u003e and \u003ccode\u003eprocess.args\u003c/code\u003e, to understand the nature of the executed command and its intended function.\u003c/li\u003e\n\u003cli\u003eMonitor system logs for suspicious activity around the time of the alert to identify any related actions.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-11-02T12:00:00Z","date_published":"2024-11-02T12:00:00Z","id":"/briefs/2024-11-suid-sgid-privilege-escalation/","summary":"Attackers may leverage misconfigured SUID/SGID permissions on Linux systems to escalate privileges to root or establish persistence by executing processes with root privileges initiated by non-root users.","title":"Potential Privilege Escalation via SUID/SGID on Linux","url":"https://feed.craftedsignal.io/briefs/2024-11-suid-sgid-privilege-escalation/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["Elastic 
Defend"],"_cs_severities":["medium"],"_cs_tags":["privilege-escalation","persistence","suid","sgid"],"_cs_type":"advisory","_cs_vendors":["Elastic"],"content_html":"\u003cp\u003eThis detection rule, sourced from Elastic, identifies instances where a process executes with root privileges (UID/GID 0) while the real user/group ID is non-zero. This condition suggests that the process has been granted SUID/SGID permissions, potentially allowing it to run with elevated privileges. Attackers may exploit such misconfigurations to escalate their privileges to root or establish persistence mechanisms. The rule focuses on Linux systems and leverages Elastic Defend data to identify such events. The initial publication date of the rule was in June 2024, with updates made as recently as May 2026. This type of misconfiguration can lead to significant security breaches.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eA user (non-root) executes a binary that has the SUID or SGID bit set.\u003c/li\u003e\n\u003cli\u003eThe system checks the permissions of the executable and identifies the SUID/SGID bit.\u003c/li\u003e\n\u003cli\u003eThe process spawns with the effective UID/GID set to the owner/group of the executable file (typically root).\u003c/li\u003e\n\u003cli\u003eThe process attempts to perform actions that require elevated privileges.\u003c/li\u003e\n\u003cli\u003eIf the SUID/SGID binary is vulnerable, the attacker can leverage it to execute arbitrary commands as root.\u003c/li\u003e\n\u003cli\u003eThe attacker escalates privileges to root, gaining full control over the system.\u003c/li\u003e\n\u003cli\u003eThe attacker installs a backdoor for persistent access.\u003c/li\u003e\n\u003cli\u003eThe attacker performs malicious activities, such as data exfiltration or system compromise.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of SUID/SGID 
misconfigurations can grant an attacker root-level access to a Linux system. This can lead to complete system compromise, including data theft, installation of malware, and the potential for lateral movement to other systems on the network. A single compromised system can be leveraged to attack other internal assets.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy the provided Sigma rule to your SIEM to detect potential SUID/SGID exploitation (see the \u003ccode\u003erules\u003c/code\u003e section).\u003c/li\u003e\n\u003cli\u003eReview the SUID/SGID binaries identified by the rule and verify their configurations to ensure they are correctly set and necessary.\u003c/li\u003e\n\u003cli\u003eImplement enhanced monitoring and logging for SUID/SGID execution attempts to detect and respond to similar threats in the future (Data Source: Elastic Defend).\u003c/li\u003e\n\u003cli\u003eConsider implementing stricter access controls and reducing the number of SUID/SGID binaries on the system to minimize the attack surface.\u003c/li\u003e\n\u003cli\u003eInvestigate the parent process of the flagged binaries to determine the origin of the execution and whether it aligns with expected behavior.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-24T12:00:00Z","date_published":"2024-01-24T12:00:00Z","id":"/briefs/2024-01-suid-sgid-privesc/","summary":"This rule detects potential privilege escalation attempts on Linux systems by identifying processes running with root privileges but initiated by non-root users, indicative of SUID/SGID abuse.","title":"Potential Privilege Escalation via SUID/SGID Abuse on Linux","url":"https://feed.craftedsignal.io/briefs/2024-01-suid-sgid-privesc/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":[],"_cs_severities":["high"],"_cs_tags":["privilege-escalation","suid","linux"],"_cs_type":"advisory","_cs_vendors":[],"content_html":"\u003cp\u003eThis 
detection rule identifies suspicious executions of common privilege elevation tools on Linux systems. It focuses on instances where binaries like \u003ccode\u003esu\u003c/code\u003e, \u003ccode\u003esudo\u003c/code\u003e, \u003ccode\u003epkexec\u003c/code\u003e, \u003ccode\u003epasswd\u003c/code\u003e, \u003ccode\u003echsh\u003c/code\u003e, and \u003ccode\u003enewgrp\u003c/code\u003e are executed with root privileges but are initiated by a non-root user. The rule further refines its focus by analyzing the parent process context, specifically looking for interpreters (Python, Perl, Ruby, etc.), commands executed from user-writable directories (/tmp, /var/tmp, /dev/shm, /home, /run/user), or short shell command invocations. The detection is designed to uncover potential privilege escalation attempts that may be indicative of malicious activity. This is important because attackers frequently use SUID binaries to elevate privileges, and detecting unusual usage patterns can help identify compromised systems or insider threats.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eA non-privileged user gains initial access to the system, potentially through compromised credentials or exploiting a vulnerability.\u003c/li\u003e\n\u003cli\u003eThe attacker navigates to a user-writable directory such as \u003ccode\u003e/tmp\u003c/code\u003e or \u003ccode\u003e/home/\u0026lt;user\u0026gt;\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eThe attacker crafts a malicious script or uses a one-liner command to invoke a SUID binary.\u003c/li\u003e\n\u003cli\u003eThe SUID binary (e.g., \u003ccode\u003esudo\u003c/code\u003e, \u003ccode\u003epkexec\u003c/code\u003e, \u003ccode\u003esu\u003c/code\u003e) is executed with minimal arguments.\u003c/li\u003e\n\u003cli\u003eThe system executes the command with root privileges due to the SUID bit being set on the binary.\u003c/li\u003e\n\u003cli\u003eThe attacker leverages the elevated 
privileges to modify system files, install malicious software, or create new administrative accounts.\u003c/li\u003e\n\u003cli\u003eThe attacker establishes persistence to maintain access to the compromised system.\u003c/li\u003e\n\u003cli\u003eThe attacker achieves their final objective, which could include data exfiltration, system disruption, or further lateral movement within the network.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of SUID binaries can lead to full system compromise. An attacker can gain complete control over the affected Linux system, potentially leading to data breaches, service disruptions, and the installation of persistent malware. This can affect critical infrastructure and sensitive data, causing significant financial and reputational damage. The severity is amplified when multiple systems are compromised, allowing for lateral movement and further exploitation within the network.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eEnable process creation logging and ensure that \u003ccode\u003eprocess.user.id\u003c/code\u003e, \u003ccode\u003eprocess.real_user.id\u003c/code\u003e, and \u003ccode\u003eprocess.parent.user.id\u003c/code\u003e are being captured to activate the rules below.\u003c/li\u003e\n\u003cli\u003eDeploy the \u0026ldquo;Suspicious SUID Binary Execution\u0026rdquo; Sigma rule to your SIEM and tune for your environment.\u003c/li\u003e\n\u003cli\u003eReview authentication and sudoers policies to identify and remediate any misconfigurations.\u003c/li\u003e\n\u003cli\u003eInvestigate any alerts generated by the Sigma rules to determine the legitimacy of the SUID binary execution and the parent process context.\u003c/li\u003e\n\u003cli\u003eImplement file integrity monitoring on sensitive system binaries and directories, particularly those related to privilege escalation, to detect 
unauthorized modifications.\u003c/li\u003e\n\u003cli\u003eRestrict the use of SUID binaries where possible and enforce strict permissions on those that are necessary.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-03T12:00:00Z","date_published":"2024-01-03T12:00:00Z","id":"/briefs/2024-01-suspicious-suid-execution/","summary":"This rule detects the execution of privilege escalation helpers under the root effective user, when initiated by a non-root user with a suspicious parent process, indicating potential privilege escalation attempts.","title":"Suspicious SUID Binary Execution on Linux","url":"https://feed.craftedsignal.io/briefs/2024-01-suspicious-suid-execution/"}],"language":"en","title":"CraftedSignal Threat Feed — Suid","version":"https://jsonfeed.org/version/1.1"}
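The three briefs in this feed describe two layers of detection logic: the generic condition (effective UID/GID 0 while the real UID/GID is non-zero) behind "Potential Privilege Escalation via SUID/SGID", and the refinement in "Suspicious SUID Binary Execution" that restricts matches to the helpers su, sudo, pkexec, passwd, chsh and newgrp with an interpreter, user-writable-directory or short `sh -c` parent. The Python below is an added example that reimplements both layers over constructed process events; it is not Elastic's rule, not the feed's Sigma rule, and not real telemetry. The ECS field names process.name, process.args, process.user.id, process.real_user.id, process.real_group.id and process.parent.user.id come from the briefs; using process.parent.executable to decide "executed from a user-writable directory", the interpreter prefix list, the 32-character "short command" threshold and every sample event are assumptions made for the example.

```python
from dataclasses import dataclass


# Subset of ECS process fields the briefs reference. Field names quoted in the
# briefs are marked; the parent executable/args fields are assumptions.
@dataclass
class ProcessEvent:
    name: str               # process.name
    args: list              # process.args
    user_id: int            # process.user.id (effective UID)
    real_user_id: int       # process.real_user.id
    group_id: int           # process.group.id (effective GID)
    real_group_id: int      # process.real_group.id
    parent_name: str        # process.parent.name
    parent_executable: str  # process.parent.executable (assumed source of the directory check)
    parent_args: list       # process.parent.args
    parent_user_id: int     # process.parent.user.id


PRIVILEGE_HELPERS = {"su", "sudo", "pkexec", "passwd", "chsh", "newgrp"}
INTERPRETER_PREFIXES = ("python", "perl", "ruby", "php", "node", "lua")  # assumed list
USER_WRITABLE_DIRS = ("/tmp/", "/var/tmp/", "/dev/shm/", "/home/", "/run/user/")
SHELLS = {"sh", "bash", "dash", "zsh", "ash"}
SHORT_SHELL_CMD_MAX = 32  # assumed threshold for a "short" sh -c payload


def suid_sgid_execution(ev):
    """Generic rule: effective UID/GID is root while the real UID/GID is not.

    This is exactly what a SUID/SGID root-owned binary produces, so it also
    fires on routine sudo/passwd use; it is a hunting signal, not a verdict.
    """
    return (ev.user_id == 0 and ev.real_user_id != 0) or \
           (ev.group_id == 0 and ev.real_group_id != 0)


def parent_is_suspicious(ev):
    """Parent-context refinement: interpreter, user-writable dir, or short sh -c."""
    if ev.parent_name.startswith(INTERPRETER_PREFIXES):
        return True
    if ev.parent_executable.startswith(USER_WRITABLE_DIRS):
        return True
    if ev.parent_name in SHELLS and "-c" in ev.parent_args:
        cmd = " ".join(ev.parent_args[ev.parent_args.index("-c") + 1:])
        return len(cmd) <= SHORT_SHELL_CMD_MAX
    return False


def suspicious_suid_helper(ev):
    """Refined rule: a privilege helper running as root, started by a non-root
    user, whose parent context looks like tooling rather than an interactive shell."""
    return (ev.name in PRIVILEGE_HELPERS
            and ev.user_id == 0
            and ev.real_user_id != 0
            and ev.parent_user_id != 0
            and parent_is_suspicious(ev))


def evaluate(events):
    """Return (event index, rule title) for every match, in event order."""
    hits = []
    for i, ev in enumerate(events):
        if suid_sgid_execution(ev):
            hits.append((i, "Potential Privilege Escalation via SUID/SGID"))
        if suspicious_suid_helper(ev):
            hits.append((i, "Suspicious SUID Binary Execution"))
    return hits


# Constructed sample events (not real telemetry); UID/GID 1000 is an unprivileged user.
SAMPLE_EVENTS = [
    # SUID find used to spawn a privileged shell from an interactive bash
    ProcessEvent("find", ["find", ".", "-exec", "/bin/sh", "-p", ";"], 0, 1000, 1000, 1000,
                 "bash", "/usr/bin/bash", ["-bash"], 1000),
    # sudo launched by a script running under an interpreter
    ProcessEvent("sudo", ["sudo", "-i"], 0, 1000, 1000, 1000,
                 "python3", "/usr/bin/python3", ["python3", "/tmp/esc.py"], 1000),
    # pkexec invoked through a short sh -c one-liner
    ProcessEvent("pkexec", ["pkexec"], 0, 1000, 1000, 1000,
                 "sh", "/usr/bin/dash", ["sh", "-c", "pkexec"], 1000),
    # su started by a binary dropped in /dev/shm
    ProcessEvent("su", ["su"], 0, 1000, 1000, 1000,
                 "x", "/dev/shm/x", ["/dev/shm/x"], 1000),
    # ordinary password change from an interactive shell: generic rule only
    ProcessEvent("passwd", ["passwd"], 0, 1000, 1000, 1000,
                 "bash", "/usr/bin/bash", ["-bash"], 1000),
    # non-privileged command: no match
    ProcessEvent("ls", ["ls", "-la"], 1000, 1000, 1000, 1000,
                 "bash", "/usr/bin/bash", ["-bash"], 1000),
]


if __name__ == "__main__":
    for idx, rule in evaluate(SAMPLE_EVENTS):
        ev = SAMPLE_EVENTS[idx]
        print(f"[{rule}] {ev.name} args={ev.args} euid={ev.user_id} "
              f"ruid={ev.real_user_id} parent={ev.parent_executable}")
```

Running the sample shows why the feed carries both rules: the generic condition fires on all five root-effective events, including the routine `passwd` from an interactive shell, while the refined rule fires only on the three whose parent is an interpreter, a script in /dev/shm, or a short `sh -c`. When triaging the generic rule, the briefs' advice applies directly: compare process.real_user.id with process.user.id, then read process.name and process.args, and decide from the parent whether the escalation was expected.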