Recently written or modified suid file has been executed


Execute a recently modified Set Owner User ID (SUID) file.


This rule identifies whenever a SUID file is executed after it has recently been created or modified. This could be an indication that an attacker is leveraging a privilege escalation vulnerability to execute files as root.

Triage and response

  1. Determine if the SUID file executed is expected on the system.
  2. If this file is unexpected, attempt to contain the compromise (this may be achieved by terminating the workload, depending on the stage of attack), and look for indications of initial compromise. Follow your organization’s internal processes for investigating and remediating compromised systems.
  3. Determine the nature of the attack and network tools involved. Investigate security signals (if present) occurring around the time of the event to establish an attack path and signals from other tools. For example, if a DNS exfiltration attack is suspected, examine DNS traffic and servers if available.
  4. Find and repair the root cause of the compromise.

Requires Agent version 7.27 or greater