-
Author: Elastic
-
Description: This hunt identifies SUID binaries on Linux systems using OSQuery. SUID binaries can be exploited by attackers to gain elevated privileges. The hunt includes queries to list all SUID binaries and detailed information about these files, focusing on regular files owned by root with SUID or SGID bits set.
-
UUID:
2db642d2-621a-4183-88b5-b2659dc2c940 -
Integration: endpoint
-
Language:
[SQL] -
Source File: OSQuery SUID Hunting
SELECT * FROM suid_binSELECT
f.filename,
f.path,
f.mode,
f.uid,
f.gid,
f.type,
u.username AS file_owner,
g.groupname AS group_owner,
datetime(f.atime, 'unixepoch') AS file_last_access_time,
datetime(f.mtime, 'unixepoch') AS file_last_modified_time,
datetime(f.ctime, 'unixepoch') AS file_last_status_change_time,
datetime(f.btime, 'unixepoch') AS file_created_time,
f.size AS size_bytes
FROM
file f
LEFT JOIN
users u ON f.uid = u.uid
LEFT JOIN
groups g ON f.gid = g.gid
WHERE
f.type == "regular" AND
(f.uid == 0 or f.gid == 0) AND
(f.mode LIKE "2%" OR f.mode LIKE "4%") AND
(
f.path LIKE "/%%" OR
f.path LIKE "/%%/%%" OR
f.path LIKE "/%%/%%/%%" OR
f.path LIKE "/%%/%%/%%/%%"
)- Identifies SUID binaries using OSQuery to detect potentially exploitable files with SUID or SGID bits set.
- Lists all SUID binaries and provides detailed information about these files, including their paths, owners, and permissions.
- Focuses on regular files owned by root with SUID or SGID bits set to identify potential privilege escalation vectors.
- OSQuery has limited support for wildcard queries, therefore the query includes multiple LIKE conditions for directories. These can be increased and decreased, based on the environment
Elastic License v2