Detects the use of the ‘setcap’ utility to set the ‘setgid’ capability (cap_setgid) on a binary file. This capability allows a non privileged process to make arbitrary manipulations of group IDs (GIDs
title: Linux Setgid Capability Set on a Binary via Setcap Utility
id: 3a716279-c18c-4488-83be-f9ececbfb9fc
status: experimental
description: |
Detects the use of the 'setcap' utility to set the 'setgid' capability (cap_setgid) on a binary file.
This capability allows a non privileged process to make arbitrary manipulations of group IDs (GIDs), including setting its current GID to a value that would otherwise be restricted (i.e. GID 0, the root group).
This behavior can be used by adversaries to backdoor a binary in order to escalate privileges again in the future if needed.
references:
- https://man7.org/linux/man-pages/man8/setcap.8.html
- https://dfir.ch/posts/linux_capabilities/
- https://juggernaut-sec.com/capabilities/#cap_setgid
author: Luc Génaux
date: 2026-01-24
tags:
- attack.privilege-escalation
- attack.defense-evasion
- attack.persistence
- attack.t1548
- attack.t1554
logsource:
product: linux
category: process_creation
detection:
selection:
Image|endswith: '/setcap'
CommandLine|contains: 'cap_setgid'
condition: selection
falsepositives:
- Unknown
level: low
imProcessCreate
| where TargetProcessName endswith "/setcap" and TargetProcessCommandLine contains "cap_setgid"| Sentinel Table | Notes |
|---|---|
imProcessCreate | Ensure this data connector is enabled |
Adversaries may circumvent mechanisms designed to control elevate privileges to gain higher-level permissions. Most modern systems contain native elevation control mechanisms that are intended to limi
Adversaries may modify host software binaries to establish persistent access to systems. Software binaries/executables provide a wide range of system commands or services, programs, and libraries. Com