Skip to main content

 

Splunk Lantern

AutoSUID used for privilege escalation

 

AutoSUID is an open-source post-exploitation tool that executes a specific command to look for set user ID (SUID) executable files. SUID is permission given to a file that allows execution of the file as its owner. Attackers can use these files to escalate privileges. You can use this search to identify this hallmark of AutoSUID usage.   

Data required 

Sysmon for Linux

Procedure

  1. Install the Add-on for Linux Sysmon
  2. Run the following search. You can optimize it by specifying an index and adjusting the time range.
sourcetype="sysmon_linux" CommandLine="find / -xdev -user root ( -perm -4000 -o -perm -2000 -o -perm -6000)"
| stats count BY Computer process process_current_directory process_path

Search explanation

The table provides an explanation of what each part of this search achieves. You can adjust this query based on the specifics of your environment.

Splunk Search Explanation
sourcetype="sysmon_linux" CommandLine="find / -xdev -user root ( -perm -4000 -o -perm -2000 -o -perm -6000)" Search the sysmon_linux sourcetype for commands that attempt to find the files that set user and group IDs.
| stats count BY Computer process process_current_directory process_path Display results sorted by computer, then the rest of the fields shown.

Next steps

Allowing an unprivileged user to execute a file with elevated privileges, such as root, can be a serious vulnerability under certain circumstances. It is extremely uncommon for a user to perform this type of permission check unless auditing or troubleshooting binary execution, so the execution of this command is an event that should be analyzed further.

You might also be interested in other processes associated with the Detecting usage of popular Linux post-exploitation tools use case.