Potential Privilege Escalation via SUID/SGID

Detects potential privilege escalation under the root effective user when the real user and parent user are not root, indicative of the execution of binaries with SUID or SGID bits set.

Rule type: eql
Rule indices:

• logs-endpoint.events.process*

Rule Severity: high
Risk Score: 73
Runs every:
Searches indices from: now-6m
Maximum alerts per execution: 100
References:

• https://attack.mitre.org/techniques/T1548/

Tags:

• Data Source: Elastic Defend
• Domain: Endpoint
• OS: Linux
• Use Case: Threat Detection
• Tactic: Privilege Escalation
• Resources: Investigation Guide

Version: 1
Rule authors:

• Elastic

Rule license: Elastic License v2

Adversaries exploit misconfigured SUID/SGID binaries to gain elevated access or persistence. This rule identifies processes running with root privileges but initiated by non-root users, flagging potential misuse of SUID/SGID permissions.

• Inspect process.parent.command_line and working directory for obfuscation or one-liners.
• Check authentication and sudoers policy for the user.
• Pivot on the host for additional privilege escalation or persistence in the same session.

• If unauthorized, contain the session, revoke elevated access, and review sudoers and polkit policy for tampering.

process where host.os.type == "linux" and event.type == "start" and event.action == "exec" and (
  (process.user.id == "0" and process.real_user.id != "0" and process.parent.user.id != "0") or
  (process.group.id == "0" and process.real_group.id != "0" and process.parent.group.id != "0")
) and
(
  startsWith(process.executable, process.command_line) or
  startsWith(process.name, process.command_line)
) and
(
  process.parent.name like (".*", "python*", "perl*", "ruby*", "lua*", "php*", "node", "deno", "bun", "java") or
  process.parent.executable like ("./*", "/tmp/*", "/var/tmp/*", "/dev/shm/*", "/run/user/*", "/var/run/user/*", "/home/*/*") or
  (
    process.parent.name in ("bash", "dash", "sh", "tcsh", "csh", "zsh", "ksh", "fish", "mksh") and
    process.parent.args in ("-c", "-cl", "-lc", "--command", "-ic", "-ci", "-bash", "-sh", "-zsh", "-dash", "-fish", "-ksh", "-mksh") and
    process.parent.args_count <= 4
  )
)
		

Framework: MITRE ATT&CK

• Tactic:

  • Name: Privilege Escalation
  • Id: TA0004
  • Reference URL: https://attack.mitre.org/tactics/TA0004/

• Technique:

  • Name: Abuse Elevation Control Mechanism
  • Id: T1548
  • Reference URL: https://attack.mitre.org/techniques/T1548/

• Sub Technique:

  • Name: Setuid and Setgid
  • Id: T1548.001
  • Reference URL: https://attack.mitre.org/techniques/T1548/001/

• Sub Technique:

  • Name: Sudo and Sudo Caching
  • Id: T1548.003
  • Reference URL: https://attack.mitre.org/techniques/T1548/003/