Adversaries may use the chown and chmod commands to change file ownership and permissions, and can escalate privileges by abusing the setuid or setgid bits on a root-owned file. SOC teams should proactively hunt for this behavior in Azure Sentinel to identify potential privilege escalation attempts and unauthorized modifications to critical system files.
Detection Rule
```yaml
title: Setuid and Setgid
id: c21c4eaa-ba2e-419a-92b2-8371703cbe21
status: test
description: Detects suspicious change of file privileges with chown and chmod commands
references:
    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1548.001/T1548.001.md
author: Ömer Günal
date: 2020-06-16
modified: 2022-10-05
tags:
    - attack.defense-evasion
    - attack.persistence
    - attack.privilege-escalation
    - attack.t1548.001
logsource:
    product: linux
    category: process_creation
detection:
    selection_root:
        CommandLine|contains: 'chown root'
    selection_perm:
        CommandLine|contains:
            - ' chmod u+s'
            - ' chmod g+s'
    condition: all of selection_*
falsepositives:
    - Legitimate administration activities
level: low
```
Azure Sentinel Query (KQL)
```kql
imProcessCreate
| where TargetProcessCommandLine contains "chown root"
    and (TargetProcessCommandLine contains " chmod u+s" or TargetProcessCommandLine contains " chmod g+s")
```
False Positive Scenarios and Tuning
Scenario: System update using apt or yum that changes ownership of system binaries
Filter/Exclusion: Check whether the file path matches known system directories such as /usr/bin/, /bin/, or /sbin/ using a regex pattern.
Scenario: Scheduled cron job rotating logs with logrotate that changes file ownership
Filter/Exclusion: Exclude files in /var/log/ or its subdirectories, and filter by process name such as logrotate.
Scenario: Admin task using chown to grant a development team access to a shared file system
Filter/Exclusion: Exclude files in shared directories such as /opt/dev_shared/ or /mnt/shared/, and filter by user/group names such as dev-team.
Scenario: Configuration management tool such as Ansible or Chef applying configuration changes that modify file permissions
Filter/Exclusion: Exclude files in /etc/ or /var/ that are managed by configuration tools, and filter by process names such as ansible or chef-client.
Scenario: Database backup script using rsync or tar that changes ownership of backup files
Filter/Exclusion: Exclude files in /backup/ or /var/backups/, and filter by process names such as rsync or tar.
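The rule logic and the tuning scenarios above, as an added Python example that is not part of the original page or of the Sigma/Sentinel rule: it evaluates the two Sigma selections against constructed process-creation events and suppresses only the hits a scenario explains, pairing the parent process with the paths it is expected to touch rather than excluding a path on its own. The `ActingProcessName`/`TargetProcessCommandLine` field names, the parent-process allowlist and the sample events are assumptions.

```python
import re

# Sigma selections from the rule above; matching is case-insensitive, as both
# Sigma's `contains` and KQL's `contains` are.
SELECTION_ROOT = ("chown root",)
SELECTION_PERM = (" chmod u+s", " chmod g+s")

# Tuning assumed from the scenarios: parent process -> path prefixes it may touch (constructed)
TUNING = {
    "apt": ("/usr/bin/", "/bin/", "/sbin/"),
    "yum": ("/usr/bin/", "/bin/", "/sbin/"),
    "logrotate": ("/var/log/",),
    "ansible": ("/etc/", "/var/"),
    "chef-client": ("/etc/", "/var/"),
    "rsync": ("/backup/", "/var/backups/"),
    "tar": ("/backup/", "/var/backups/"),
}
# Absolute paths in a command line; stops at whitespace, quotes and shell operators
PATH_RE = re.compile(r"""(?<!\S)(/[^\s;&|'"]+)""")

def matches_rule(cmdline: str) -> bool:
    """Sigma condition `all of selection_*`: root ownership AND a setuid/setgid bit."""
    c = cmdline.lower()
    return any(s in c for s in SELECTION_ROOT) and any(s in c for s in SELECTION_PERM)

def is_expected(parent: str, cmdline: str) -> bool:
    """True only when the parent is allowlisted AND every path in the command line
    sits under that parent's prefixes, so a logrotate child touching /tmp is kept."""
    prefixes = TUNING.get(parent)
    paths = PATH_RE.findall(cmdline)
    return bool(prefixes) and bool(paths) and all(p.startswith(prefixes) for p in paths)

def triage(events):
    """Events that match the rule and are not explained by a tuning entry."""
    return [e for e in events
            if matches_rule(e["TargetProcessCommandLine"])
            and not is_expected(e["ActingProcessName"], e["TargetProcessCommandLine"])]

# Constructed sample events (not real telemetry); field names mirror imProcessCreate
SAMPLE_EVENTS = [
    {"ActingProcessName": "bash", "TargetProcessCommandLine": "sh -c 'chown root /tmp/.x && chmod u+s /tmp/.x'"},
    {"ActingProcessName": "logrotate", "TargetProcessCommandLine": "sh -c 'chown root /var/log/app.log && chmod g+s /var/log/app.log'"},
    {"ActingProcessName": "bash", "TargetProcessCommandLine": "chmod 755 /opt/tool"},
    {"ActingProcessName": "bash", "TargetProcessCommandLine": "sh -c 'chown root /usr/bin/x && chmod u+s /usr/bin/x'"},
]

if __name__ == "__main__":
    for e in triage(SAMPLE_EVENTS):
        print("ALERT", e["ActingProcessName"], e["TargetProcessCommandLine"])
```

Running it reports the /tmp and the non-package-manager /usr/bin events and drops the logrotate one, which is the behaviour the scenario filters describe.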