Abuse Elevation Control Mechanism: Setuid and Setgid T1548.001
Tactic: Privilege Escalation
An adversary may abuse configurations where an application has the setuid or setgid bits set in order to get code running in a different (and possibly more privileged) user’s context. On Linux or macOS, when the setuid or setgid bits are set for an application binary, the application will run with the privileges of the owning user or group respectively. Normally an application is run in the current user’s context, regardless of which user or group owns the application. However, there are instances where programs need to be executed in an elevated context to function properly, but the user running them may not have the specific required privileges.
Events covered
2 catalog events are tagged with this technique by at least one rule.
| Provider | Event | Title |
|---|---|---|
| ESF | exec | Process Execution (Notify) |
| Sysmon-for-Linux | Event ID 1 | Process Create |
Authoring guide
Patterns shared across the 28 rules above: which fields they filter on, what specific values they look for, and what they exclude. The catalog normalizes field names across vendors so Sigma's Image, Elastic's process.name, and Splunk's process_name collapse into one row. Each rule contributes at most once per row.
Fields filtered most (37 distinct)
The fields most rules look at when detecting this technique. The How column shows the operators authors use (eq, wildcard, regex_match, match) and how often each appears. Sample values are concrete examples to start from, not an exhaustive list.
Top indicator values (540 distinct)
Specific (field, operator, value) combinations the rules check for, ranked by how many rules under this technique use each one. The Corpus reach column counts how many rules across the entire catalog (any technique) check the same combination. High numbers point to widely-used indicators that are likely noisy on their own; combine them with another condition for useful signal. Blank means the combination is specific to rules under this technique. Click a value to expand the rules under this technique that use it.
Exclusions (188 distinct)
Field/operator/value combinations excluded by rules under this technique (top-level not() clauses), sorted by how many rules exclude each. These are the false-positive paths the community has learned to filter out. A new rule that ignores the high-count entries here will likely fire on the same noisy paths. Click a value to expand the rules under this technique that exclude it.
Rules under this technique
Every rule in the catalog tagged with this technique, grouped by vendor. Click a rule title for its full predicates, exclusions, and indicators.
Sigma 3 rules
Elastic 20 rules
- File Execution Permission Modification Detected via Defend for Containers
- Potential Copy Fail (CVE-2026-31431) Exploitation via AF_ALG Socket
- Potential Privilege Escalation via CVE-2023-4911
- Potential Privilege Escalation via Enlightenment
- Potential Privilege Escalation via Python cap_setuid
- Potential Privilege Escalation via Recently Compiled Executable
- Potential Privilege Escalation via SUID/SGID
- Potential Privilege Escalation via SUID/SGID Proxy Execution
- Potential Root Effective Shell from Non-Standard Path via Auditd
- Privilege Escalation via CAP_SETUID/SETGID Capabilities
- Privilege Escalation via SUID/SGID
- Setcap setuid/setgid Capability Set
- SUID/SGID Bit Set
- SUID/SGUID Enumeration Detected
- Suspicious File Made Executable via Chmod Inside A Container
- Suspicious SUID Binary Execution
- Suspicious SUID Binary Execution (Auditd Sequence)
- System Binary Path File Permission Modification
- UID Elevation from Previously Unknown Executable
- Unusual Pkexec Execution