<?xml version="1.0" encoding="utf-8" standalone="yes"?><rss version="2.0" xmlns:atom="http://www.w3.org/2005/Atom" xmlns:content="http://purl.org/rss/1.0/modules/content/"><channel><title>Suid — CraftedSignal Threat Feed</title><link>https://feed.craftedsignal.io/tags/suid/</link><description>Trending threats, MITRE ATT&amp;CK coverage, and detection metadata — refreshed continuously.</description><generator>Hugo</generator><language>en</language><managingEditor>hello@craftedsignal.io</managingEditor><webMaster>hello@craftedsignal.io</webMaster><lastBuildDate>Sat, 02 Nov 2024 12:00:00 +0000</lastBuildDate><atom:link href="https://feed.craftedsignal.io/tags/suid/feed.xml" rel="self" type="application/rss+xml"/><item><title>Potential Privilege Escalation via SUID/SGID on Linux</title><link>https://feed.craftedsignal.io/briefs/2024-11-suid-sgid-privilege-escalation/</link><pubDate>Sat, 02 Nov 2024 12:00:00 +0000</pubDate><author>hello@craftedsignal.io</author><guid isPermaLink="true">https://feed.craftedsignal.io/briefs/2024-11-suid-sgid-privilege-escalation/</guid><description>Attackers may leverage misconfigured SUID/SGID permissions on Linux systems to escalate privileges to root or establish persistence by executing processes with root privileges initiated by non-root users.</description><content:encoded><![CDATA[<p>The SUID (Set User ID) and SGID (Set Group ID) bits are file permission mechanisms in Unix-like operating systems that allow a program to be executed with the privileges of the file&rsquo;s owner or group, respectively. While intended for legitimate purposes, such as allowing users to perform specific administrative tasks, they can be abused by attackers to escalate privileges. Attackers can exploit misconfigured SUID/SGID binaries to gain elevated access or persistence. 
This detection focuses on identifying processes running with root privileges (UID/GID 0) but initiated by non-root users, flagging potential misuse of SUID/SGID permissions on Linux systems monitored by Elastic Defend. This can indicate an attacker attempting to exploit a misconfiguration in order to escalate their privileges to root, or establish a backdoor for persistence.</p>
<h2 id="attack-chain">Attack Chain</h2>
<ol>
<li>An attacker gains initial access to a Linux system via some vulnerability or compromised credentials.</li>
<li>The attacker identifies binaries with SUID/SGID bits set.</li>
<li>The attacker executes a vulnerable SUID/SGID binary, such as <code>find</code> or <code>nmap</code>.</li>
<li>The binary executes with root privileges, even though the attacker is a non-root user.</li>
<li>The attacker leverages the elevated privileges to read sensitive files, modify system configurations, or install malicious software.</li>
<li>The attacker escalates privileges to root.</li>
<li>The attacker establishes persistence by creating a new SUID/SGID binary or modifying an existing one.</li>
</ol>
<h2 id="impact">Impact</h2>
<p>Successful exploitation of SUID/SGID misconfigurations can lead to complete system compromise, as attackers gain root privileges. Attackers can install malware, steal sensitive data, or disrupt critical services. The impact can range from data breaches to denial-of-service attacks. Given the broad range of binaries potentially affected, this weakness can impact a large number of Linux systems across many sectors.</p>
<h2 id="recommendation">Recommendation</h2>
<ul>
<li>Deploy the provided Sigma rule <code>Privilege Escalation via SUID/SGID</code> to your SIEM to detect potential privilege escalation attempts.</li>
<li>Enable Elastic Defend integration to ensure the necessary process execution data is available.</li>
<li>Regularly audit SUID/SGID permissions across your Linux systems and remove unnecessary SUID/SGID bits.</li>
<li>Investigate any alerts generated by the Sigma rule by checking <code>process.real_user.id</code> and <code>process.real_group.id</code> to determine if non-root users initiated the process.</li>
<li>Review the process details, including <code>process.name</code> and <code>process.args</code>, to understand the nature of the executed command and its intended function.</li>
<li>Monitor system logs for suspicious activity around the time of the alert to identify any related actions.</li>
</ul>
]]></content:encoded><category domain="severity">medium</category><category domain="type">advisory</category><category>privilege-escalation</category><category>persistence</category><category>defense-evasion</category><category>suid</category><category>sgid</category></item><item><title>Potential Privilege Escalation via SUID/SGID Abuse on Linux</title><link>https://feed.craftedsignal.io/briefs/2024-01-suid-sgid-privesc/</link><pubDate>Wed, 24 Jan 2024 12:00:00 +0000</pubDate><author>hello@craftedsignal.io</author><guid isPermaLink="true">https://feed.craftedsignal.io/briefs/2024-01-suid-sgid-privesc/</guid><description>This rule detects potential privilege escalation attempts on Linux systems by identifying processes running with root privileges but initiated by non-root users, indicative of SUID/SGID abuse.</description><content:encoded><![CDATA[<p>This detection rule, sourced from Elastic, identifies instances where a process executes with root privileges (UID/GID 0) while the real user/group ID is non-zero. This condition suggests that the process has been granted SUID/SGID permissions, potentially allowing it to run with elevated privileges. Attackers may exploit such misconfigurations to escalate their privileges to root or establish persistence mechanisms. The rule focuses on Linux systems and leverages Elastic Defend data to identify such events. The initial publication date of the rule was in June 2024, with updates made as recently as May 2026. This type of misconfiguration can lead to significant security breaches.</p>
<h2 id="attack-chain">Attack Chain</h2>
<ol>
<li>A user (non-root) executes a binary that has the SUID or SGID bit set.</li>
<li>The system checks the permissions of the executable and identifies the SUID/SGID bit.</li>
<li>The process spawns with the effective UID/GID set to the owner/group of the executable file (typically root).</li>
<li>The process attempts to perform actions that require elevated privileges.</li>
<li>If the SUID/SGID binary is vulnerable, the attacker can leverage it to execute arbitrary commands as root.</li>
<li>The attacker escalates privileges to root, gaining full control over the system.</li>
<li>The attacker installs a backdoor for persistent access.</li>
<li>The attacker performs malicious activities, such as data exfiltration or system compromise.</li>
</ol>
<h2 id="impact">Impact</h2>
<p>Successful exploitation of SUID/SGID misconfigurations can grant an attacker root-level access to a Linux system. This can lead to complete system compromise, including data theft, installation of malware, and the potential for lateral movement to other systems on the network. A single compromised system can be leveraged to attack other internal assets.</p>
<h2 id="recommendation">Recommendation</h2>
<ul>
<li>Deploy the provided Sigma rule to your SIEM to detect potential SUID/SGID exploitation (see the <code>rules</code> section).</li>
<li>Review the SUID/SGID binaries identified by the rule and verify their configurations to ensure they are correctly set and necessary.</li>
<li>Implement enhanced monitoring and logging for SUID/SGID execution attempts to detect and respond to similar threats in the future (Data Source: Elastic Defend).</li>
<li>Consider implementing stricter access controls and reducing the number of SUID/SGID binaries on the system to minimize the attack surface.</li>
<li>Investigate the parent process of the flagged binaries to determine the origin of the execution and whether it aligns with expected behavior.</li>
</ul>
]]></content:encoded><category domain="severity">medium</category><category domain="type">advisory</category><category>privilege-escalation</category><category>persistence</category><category>suid</category><category>sgid</category></item><item><title>Suspicious SUID Binary Execution on Linux</title><link>https://feed.craftedsignal.io/briefs/2024-01-suspicious-suid-execution/</link><pubDate>Wed, 03 Jan 2024 12:00:00 +0000</pubDate><author>hello@craftedsignal.io</author><guid isPermaLink="true">https://feed.craftedsignal.io/briefs/2024-01-suspicious-suid-execution/</guid><description>This rule detects the execution of privilege escalation helpers under the root effective user, when initiated by a non-root user with a suspicious parent process, indicating potential privilege escalation attempts.</description><content:encoded><![CDATA[<p>This detection rule identifies suspicious executions of common privilege elevation tools on Linux systems. It focuses on instances where binaries like <code>su</code>, <code>sudo</code>, <code>pkexec</code>, <code>passwd</code>, <code>chsh</code>, and <code>newgrp</code> are executed with root privileges but are initiated by a non-root user. The rule further refines its focus by analyzing the parent process context, specifically looking for interpreters (Python, Perl, Ruby, etc.), commands executed from user-writable directories (/tmp, /var/tmp, /dev/shm, /home, /run/user), or short shell command invocations. The detection is designed to uncover potential privilege escalation attempts that may be indicative of malicious activity. This is important because attackers frequently use SUID binaries to elevate privileges, and detecting unusual usage patterns can help identify compromised systems or insider threats.</p>
<h2 id="attack-chain">Attack Chain</h2>
<ol>
<li>A non-privileged user gains initial access to the system, potentially through compromised credentials or exploiting a vulnerability.</li>
<li>The attacker navigates to a user-writable directory such as <code>/tmp</code> or <code>/home/&lt;user&gt;</code>.</li>
<li>The attacker crafts a malicious script or uses a one-liner command to invoke a SUID binary.</li>
<li>The SUID binary (e.g., <code>sudo</code>, <code>pkexec</code>, <code>su</code>) is executed with minimal arguments.</li>
<li>The system executes the command with root privileges due to the SUID bit being set on the binary.</li>
<li>The attacker leverages the elevated privileges to modify system files, install malicious software, or create new administrative accounts.</li>
<li>The attacker establishes persistence to maintain access to the compromised system.</li>
<li>The attacker achieves their final objective, which could include data exfiltration, system disruption, or further lateral movement within the network.</li>
</ol>
<h2 id="impact">Impact</h2>
<p>Successful exploitation of SUID binaries can lead to full system compromise. An attacker can gain complete control over the affected Linux system, potentially leading to data breaches, service disruptions, and the installation of persistent malware. This can affect critical infrastructure and sensitive data, causing significant financial and reputational damage. The severity is amplified when multiple systems are compromised, allowing for lateral movement and further exploitation within the network.</p>
<h2 id="recommendation">Recommendation</h2>
<ul>
<li>Enable process creation logging and ensure that <code>process.user.id</code>, <code>process.real_user.id</code>, and <code>process.parent.user.id</code> are being captured to activate the rules below.</li>
<li>Deploy the &ldquo;Suspicious SUID Binary Execution&rdquo; Sigma rule to your SIEM and tune for your environment.</li>
<li>Review authentication and sudoers policies to identify and remediate any misconfigurations.</li>
<li>Investigate any alerts generated by the Sigma rules to determine the legitimacy of the SUID binary execution and the parent process context.</li>
<li>Implement file integrity monitoring on sensitive system binaries and directories, particularly those related to privilege escalation, to detect unauthorized modifications.</li>
<li>Restrict the use of SUID binaries where possible and enforce strict permissions on those that are necessary.</li>
</ul>
]]></content:encoded><category domain="severity">high</category><category domain="type">advisory</category><category>privilege-escalation</category><category>suid</category><category>linux</category></item></channel></rss>