SPL | Apache-2.0 | from splunk/security_content

Linux Auditd Setuid Using Chmod Utility

The following analytic detects the execution of the chmod utility to set the SUID or SGID bit on files, which can allow users to temporarily gain root or group-level access. This detection leverages data from Linux Auditd, focusing on process names and command-line arguments related to chmod. This activity is significant as it can indicate an attempt to escalate privileges or maintain persistence on a system. If confirmed malicious, an attacker could gain elevated access, potentially compromising sensitive data or critical system functions.

Quality: 27 | FP risk | Forks: 0 | Views: 0
Rule source: detections/endpoint/linux_auditd_setuid_using_chmod_utility.yml
`linux_auditd`  proctitle IN ("*chmod *")  AND proctitle IN ("* u+s *", "* g+s *", "* 4777 *", "* 4577 *")
  | rename host as dest
  | stats count min(_time) as firstTime max(_time) as lastTime
    BY proctitle dest
  | `security_content_ctime(firstTime)`
  | `security_content_ctime(lastTime)`
  | `linux_auditd_setuid_using_chmod_utility_filter`
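The same detection logic, as an added Python example (not part of the splunk/security_content rule) run over constructed auditd PROCTITLE records. It decodes auditd's hex-encoded proctitle into argv, finds chmod in the command line (so `sudo chmod` and `/usr/bin/chmod` are caught, as the rule's `*chmod *` wildcard does), checks whether the mode argument sets the setuid or setgid bit, and then aggregates hits by proctitle and host the way the `stats ... BY proctitle dest` stage does. It goes beyond the rule's four literal patterns: any 4-digit octal mode with the 04000 or 02000 bit and any symbolic mode that adds `s` for user or group is evaluated, which is what a tuning pass on this rule would consider. The `(host, line)` pairing stands in for Splunk's `host` field, and the hostnames, timestamps and paths are constructed; the timestamp format is assumed to match what `security_content_ctime` produces.

```python
import os
import re
import time
from typing import Dict, List, Optional, Tuple

# Hypothetical stand-in for what Splunk hands the rule: (host, raw auditd line)
# pairs, where host becomes `dest`. All lines below are constructed samples,
# not real captures. auditd hex-encodes PROCTITLE when argv is NUL-separated
# and writes a plain quoted string for a single-word title.


def _encode(argv: List[str]) -> str:
    """Build a PROCTITLE value the way auditd does: hex of NUL-joined argv."""
    return "\x00".join(argv).encode().hex().upper()


SAMPLE_EVENTS: List[Tuple[str, str]] = [
    ("web01", "type=PROCTITLE msg=audit(1700000000.101:201): proctitle=" + _encode(["chmod", "u+s", "/tmp/helper"])),
    ("web01", "type=PROCTITLE msg=audit(1700000060.250:202): proctitle=" + _encode(["/usr/bin/chmod", "4777", "/tmp/helper"])),
    ("db02", "type=PROCTITLE msg=audit(1700000120.003:203): proctitle=" + _encode(["sudo", "chmod", "g+s", "/srv/shared"])),
    ("db02", "type=PROCTITLE msg=audit(1700000180.500:204): proctitle=" + _encode(["chmod", "0755", "/usr/local/bin/tool"])),  # benign
    ("db02", 'type=PROCTITLE msg=audit(1700000240.000:205): proctitle="bash"'),  # benign, quoted form
    ("web01", "type=PROCTITLE msg=audit(1700000300.700:206): proctitle=" + _encode(["chmod", "u+s", "/tmp/helper"])),  # repeat
]

PROCTITLE_RE = re.compile(
    r'type=PROCTITLE\s+msg=audit\((?P<ts>\d+\.\d+):\d+\):\s*'
    r'proctitle=(?:"(?P<quoted>[^"]*)"|(?P<hex>[0-9A-Fa-f]+)(?=\s|$))'
)
OCTAL_MODE = re.compile(r"^[0-7]{3,4}$")
SYMBOLIC_CLAUSE = re.compile(r"^([ugoa]*)((?:[-+=][rwxXstugo]*)+)$")


def parse_proctitle(line: str) -> Optional[Tuple[float, List[str]]]:
    """Return (epoch seconds, argv) from a PROCTITLE record, or None."""
    m = PROCTITLE_RE.search(line)
    if not m:
        return None
    if m.group("hex") is not None:
        argv = bytes.fromhex(m.group("hex")).decode("utf-8", "replace").split("\x00")
    else:
        argv = m.group("quoted").split()
    return float(m.group("ts")), argv


def setid_mode_reason(mode: str) -> Optional[str]:
    """Explain why a chmod mode argument sets setuid/setgid, or None if it does not."""
    if OCTAL_MODE.match(mode):
        bits = int(mode, 8)  # a 3-digit mode never carries the special bits
        if bits & 0o4000:
            return "octal setuid"
        if bits & 0o2000:
            return "octal setgid"
        return None
    clauses = [SYMBOLIC_CLAUSE.match(c) for c in mode.split(",")]
    if not all(clauses):
        return None  # not a symbolic mode at all (e.g. a file path)
    for m in clauses:
        who, ops = m.groups()
        # `s` only has an effect for user/group (an empty who means all)
        if not who or set(who) & set("uga"):
            if re.search(r"[+=][rwxXtugo]*s", ops):
                return "symbolic setuid/setgid"
    return None


def detect(events: List[Tuple[str, str]]) -> Dict[Tuple[str, str], Dict[str, float]]:
    """Mirror the rule: chmod with a setuid/setgid mode, aggregated BY proctitle, dest."""
    groups: Dict[Tuple[str, str], Dict[str, float]] = {}
    for host, line in events:
        parsed = parse_proctitle(line)
        if parsed is None:
            continue
        ts, argv = parsed
        # Locate chmod anywhere in argv so `sudo chmod ...` is caught, as the
        # rule's "*chmod *" wildcard would; basename handles /usr/bin/chmod.
        idx = next((i for i, a in enumerate(argv) if os.path.basename(a) == "chmod"), None)
        if idx is None:
            continue
        operands = [a for a in argv[idx + 1:] if not a.startswith("-")]  # drop options such as -R
        if not operands or setid_mode_reason(operands[0]) is None:
            continue
        key = (" ".join(argv), host)  # (proctitle, dest)
        g = groups.setdefault(key, {"count": 0, "firstTime": ts, "lastTime": ts})
        g["count"] += 1
        g["firstTime"] = min(g["firstTime"], ts)
        g["lastTime"] = max(g["lastTime"], ts)
    return groups


def ctime(epoch: float) -> str:
    """Assumed to match the `security_content_ctime` macro's output shape (UTC here)."""
    return time.strftime("%Y-%m-%dT%H:%M:%S", time.gmtime(epoch))


if __name__ == "__main__":
    for (proctitle, dest), g in detect(SAMPLE_EVENTS).items():
        print(f"{dest:6} count={g['count']} first={ctime(g['firstTime'])} "
              f"last={ctime(g['lastTime'])}  {proctitle}")
```

Running it yields three groups: the repeated `chmod u+s /tmp/helper` on web01 collapses to one row with count 2 and a firstTime/lastTime spread, while `chmod 0755` and the bare `bash` title never reach the aggregation. The octal check keys on the bit values rather than on literal strings, so the benign 0755 case is rejected for the right reason, and the `_filter` macro at the end of the rule would be the place to suppress any known-good package or configuration-management invocations that show up here.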