add: Linux setcap setuid

Open EzLucky opened this issue 5 months ago • 3 comments

Summary of the Pull Request

Add two related Linux rules (process_creation and auditd variations) to detect the use of the setcap utility to set the setuid capability (cap_setuid) on a binary file.
This technique can be used to backdoor binaries in order to regain root privileges if lost by the attacker.

Changelog

  • new: Linux Setuid Capability Set on a Binary via Setcap Utility
  • update: Capabilities Discovery - Linux - remove unneeded windash

Example Log Event

type=EXECVE msg=audit([...]): argc=3 a0="setcap" a1="cap_setuid+ep" a2="/path/to/binary"

Comments

Command line

The setcap command line can vary depending on the flags/parameters used:

  • setcap cap_setuid+ep /path/to/binary
  • setcap -q cap_setuid+ep /path/to/binary
  • setcap cap_setuid=ep /path/to/binary
  • setcap -q cap_setuid=ep /path/to/binary
  • setcap cap_setuid+ep /path/to/binary -whateveryouwant ➡️ cap_setuid is set even if the command returns a fatal error
  • setcap cap_setuid+ep /path/to/binary -r ➡️ cap_setuid is set even if the command returns a fatal error, so we cannot filter out the '-r' flag (which means "remove capabilities")
  • etc.

False positives

I found here that legitimate software installations/updates could trigger the rule.
But as I could not reproduce it yet (and the false positives may be AI generated), I didn't include it in the falsepositives key.

Fixed Issues

SigmaHQ Rule Creation Conventions

  • If your PR adds new rules, please consider following and applying these conventions

EzLucky avatar Nov 25 '25 14:11 EzLucky
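Added example, not the SigmaHQ rule and not code from this PR: a small Python matcher that applies the detection idea of the PR description to both log shapes mentioned there, the auditd EXECVE record and a flat command line as a process_creation event would carry it. It rebuilds argv and walks it the way setcap does, so the listed variations ("-q", "+ep" versus "=ep", junk or "-r" after the clause/file pair) all land on one check, and it also covers cap_setgid, which the thread later splits into a second rule. Assumptions not taken from the PR: the verify-only "-v" handling and the rule that only the permitted bit counts follow the setcap and cap_from_text man pages; decoding of hex-encoded auditd argument fields is standard auditd behaviour; every sample event is constructed for this example.

```python
import os
import re
import shlex

# Capabilities worth alerting on: the PR's rule covers cap_setuid, the
# follow-up rule cap_setgid; this example checks both.
TARGET_CAPS = frozenset({"cap_setuid", "cap_setgid"})

# One setcap clause: cap names (or "all") joined by ',', then one or more
# operator/flag groups, e.g. "cap_setuid+ep", "all=ep", "cap_setuid,cap_setgid+ep-i".
CLAUSE_RE = re.compile(
    r"^(?P<caps>(?:all|cap_[a-z_]+)(?:,(?:all|cap_[a-z_]+))*)"
    r"(?P<ops>(?:[=+-][eip]*)+)$",
    re.IGNORECASE,
)

# auditd EXECVE argument fields: aN="quoted", or aN=<hex> without quotes when
# the value holds spaces, quotes or non-printable bytes.
AUDIT_ARG_RE = re.compile(r'\ba(\d+)=(?:"([^"]*)"|([0-9A-Fa-f]+))')

# Constructed sample events (not real logs): two auditd EXECVE records, then
# flat command lines as a process_creation source would carry them.
SAMPLE_EVENTS = [
    'type=EXECVE msg=audit(1700000000.123:4567): argc=3 a0="setcap" a1="cap_setuid+ep" a2="/usr/local/bin/helper"',
    'type=EXECVE msg=audit(1700000000.456:4568): argc=3 a0="setcap" a1="cap_setuid=ep" a2=2F746D702F6D7920746F6F6C',
    "setcap -q cap_setuid=ep /tmp/sh",
    "setcap cap_setuid+ep /tmp/sh -r",                  # caps written, then fatal error
    "setcap cap_setuid+ep /tmp/sh -whateveryouwant",    # same
    "setcap -r /tmp/sh",                                # removal only
    "setcap cap_setuid-ep /tmp/sh",                     # clause drops the cap
    "setcap -v cap_setuid+ep /tmp/sh",                  # verify mode, nothing written
    "setcap cap_net_bind_service+ep /usr/bin/python3",  # benign cap, no hit
    "setcap cap_setuid,cap_setgid+ep /opt/backdoor",
]

def clause_grants(clause, wanted=TARGET_CAPS):
    """Capabilities from `wanted` that `clause` leaves in the file's permitted
    set; None if setcap would reject the clause. Assumption: only the permitted
    bit matters for escalation, so "cap_setuid+e" alone is not counted."""
    m = CLAUSE_RE.match(clause)
    if m is None:
        return None
    names = {n.lower() for n in m.group("caps").split(",")}
    permitted = False
    for op, flags in re.findall(r"([=+-])([eip]*)", m.group("ops").lower()):
        if op == "=":                        # '=' replaces the flag set
            permitted = "p" in flags
        elif op == "+":
            permitted = permitted or "p" in flags
        else:                                # '-' clears the named flags
            permitted = permitted and "p" not in flags
    if not permitted:
        return set()
    return {c for c in wanted if c in names or "all" in names}

def setcap_grants(argv, wanted=TARGET_CAPS):
    """Walk a setcap argv the way the tool does (options, then clause/file
    pairs) and return {file: caps} for every pair written before setcap could
    fail, so junk or '-r' after a complete pair changes nothing. The -q/-v/-r
    handling is taken from the setcap man page (assumption, not from the PR)."""
    if not argv or os.path.basename(argv[0]) != "setcap":
        return {}
    verify, hits, i = False, {}, 1
    while i < len(argv):
        tok = argv[i]
        if tok == "-q":                      # quiet: no effect on what is set
            i += 1
            continue
        if tok == "-v":                      # verify mode: nothing is written
            verify = True
            i += 1
            continue
        if tok == "-r":                      # strip caps from the next file
            i += 2
            continue
        if i + 1 >= len(argv):               # clause without a file: usage error
            break
        caps = clause_grants(tok, wanted)
        if caps is None:                     # setcap prints "fatal error" and stops
            break
        if caps and not verify:
            hits.setdefault(argv[i + 1], set()).update(caps)
        i += 2
    return hits

def argv_from_auditd(record):
    """Rebuild argv from the a0..aN fields of an auditd EXECVE record."""
    args = {}
    for idx, quoted, hexed in AUDIT_ARG_RE.findall(record):
        args[int(idx)] = quoted if not hexed else bytes.fromhex(hexed).decode("utf-8", "replace")
    return [args[k] for k in sorted(args)]

def detect(event):
    """{file: caps} hits for one event: an auditd EXECVE record or a flat
    command line (the CommandLine field of a process_creation event)."""
    argv = argv_from_auditd(event) if "type=EXECVE" in event else shlex.split(event)
    return setcap_grants(argv)

def run(events=SAMPLE_EVENTS):
    """Evaluate every sample event; non-empty dicts are the alerts."""
    return [detect(e) for e in events]
```

Running it over SAMPLE_EVENTS flags the first five events and the last one, and stays quiet on the removal, verify-only and cap_net_bind_service cases; the trailing "-r" and "-whateveryouwant" variants are caught because the check keys on the clause/file pair rather than on the presence or absence of flags.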

We do not need the auditd version of rules that are targeting process_creation

nasbench avatar Nov 25 '25 15:11 nasbench

Level set to low as the rule is very generic. In a future PR I will develop a more specific one related to a backdoored command interpreter with a higher level.

EzLucky avatar Nov 25 '25 15:11 EzLucky

windash removed from "Capabilities Discovery - Linux" as discussed in #5773

EzLucky avatar Nov 25 '25 16:11 EzLucky

@swachchhanda000 @phantinuss looking at setgid linux capabilities, it has almost the same impact as setuid. Would you prefer a second rule dedicated to setgid, so both rules can have their own destiny, or would you include setgid in this rule ?

EzLucky avatar Dec 12 '25 14:12 EzLucky

Put it in a separate rule

nasbench avatar Dec 12 '25 17:12 nasbench

New rule related to 'setgid' added in this MR as it is almost the same as the one on 'setuid': changed "uid" to "gid" and "user" to "group".

EzLucky avatar Dec 14 '25 21:12 EzLucky