Recently written or modified suid file has been executed

Classification:

attack

Tactic:

TA0004-privilege-escalation

Technique:

T1548-abuse-elevation-control-mechanism

이 페이지는 아직 한국어로 제공되지 않으며 번역 작업 중입니다. 번역에 관한 질문이나 의견이 있으시면 언제든지 저희에게 연락해 주십시오.

Goal

Execute a recently modified Set Owner User ID (SUID) file.

Strategy

This rule identifies whenever a SUID file is executed after it has recently been created or modified. This could be an indication that an attacker is leveraging a privilege escalation vulnerability to execute files as root.

Triage and response

  1. Determine if the SUID file executed is expected on the system.
  2. If this file is unexpected, attempt to contain the compromise (this may be achieved by terminating the workload, depending on the stage of attack), and look for indications of initial compromise. Follow your organization’s internal processes for investigating and remediating compromised systems.
  3. Determine the nature of the attack and network tools involved. Investigate security signals (if present) occurring around the time of the event to establish an attack path and signals from other tools. For example, if a DNS exfiltration attack is suspected, examine DNS traffic and servers if available.
  4. Find and repair the root cause of the compromise.

Requires Agent version 7.27 or greater