Skip to content

DET0110 Setuid/Setgid Privilege Abuse Detection (Linux/macOS)

Item Value
ID DET0110
Version 1.0
Created 21 October 2025
Last Modified 21 October 2025

Technique Detected: T1548.001 (Setuid and Setgid)

Analytics

Linux

AN0307

Correlation of chmod operations setting setuid/setgid bits followed by privileged process execution (EUID != UID), especially from user-writable or abnormal paths.

Log Sources
Data Component Name Channel
Command Execution (DC0064) auditd:SYSCALL chmod, execve
Process Creation (DC0032) auditd:SYSCALL execve
Mutable Elements
Field Description
UserContext Track execution of setuid binaries where UID != EUID or executed from unexpected user context
FilePathScope Restrict detection to non-standard locations (e.g., /tmp, /home/*, /var/tmp)
TimeWindow Time delta between chmod setting setuid/gid and process execution to define a suspicious window

macOS

AN0308

Observation of chmod commands setting setuid/setgid bits, paired with launch of binaries under elevated execution context (e.g., root-owned binaries launched by unprivileged users).

Log Sources
Data Component Name Channel
Command Execution (DC0064) macos:unifiedlog chmod command with arguments including ‘+s’, ‘u+s’, or numeric values 4000–6777
Process Metadata (DC0034) macos:unifiedlog exec of binary with setuid/setgid and EUID != UID
Mutable Elements
Field Description
UserContext Monitor execution chains where UID != EUID or child process inherits root without known sudo context
ExecutionPath Focus on binaries in user-writable locations or abnormal directories
ChmodPattern Tailor detection to chmod commands that imply privilege elevation via numeric mode or symbolic mode