Correlation of chmod operations that set the setuid or setgid bit on a file with a subsequent execution of that same file under elevated privileges (EUID != UID), especially when the file lives in a user-writable or otherwise abnormal path.
| Data Component | Name | Channel |
|---|---|---|
| Command Execution (DC0064) | auditd:SYSCALL | chmod, fchmod, fchmodat with the setuid (04000) or setgid (02000) bit in the mode argument (auditd prints syscall arguments in hex); execve |
| Process Creation (DC0032) | auditd:SYSCALL | execve |
| Field | Description |
|---|---|
| UserContext | Track execution of setuid/setgid binaries where UID != EUID, or execution from an unexpected user context (e.g., a service account launching a setuid binary) |
| FilePathScope | Restrict detection to non-standard, user-writable locations (e.g., /tmp, /home/*, /var/tmp); widen or narrow the list per environment |
| TimeWindow | Maximum delta between the chmod that sets setuid/setgid and the subsequent execution of that file for the pair to count as suspicious |
Observation of chmod commands that set the setuid or setgid bit, paired with the launch of binaries under an elevated execution context (e.g., root-owned setuid binaries launched by unprivileged users, yielding EUID 0 with a non-zero UID).
| Data Component | Name | Channel |
|---|---|---|
| Command Execution (DC0064) | macos:unifiedlog | chmod command whose mode argument grants the setuid or setgid bit: symbolic forms such as '+s', 'u+s', 'g+s', 'ug+s' or an '=' clause containing 's', or a numeric mode with the 4 (setuid) or 2 (setgid) bit in the leading octal digit (2xxx through 7xxx, e.g., 2755, 4755, 6755) |
| Process Metadata (DC0034) | macos:unifiedlog | exec of a binary carrying the setuid/setgid bit where the resulting EUID != UID |
| Field | Description |
|---|---|
| UserContext | Monitor execution chains where UID != EUID or child process inherits root without known sudo context |
| ExecutionPath | Focus on binaries in user-writable locations or abnormal directories |
| ChmodPattern | Tailor detection to chmod invocations whose numeric or symbolic mode actually grants the setuid or setgid bit (not removals such as 'u-s', and not every chmod) |
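The following is an added worked example, not code from the ATT&CK page or from any vendor analytic. It serves both analytics above: `chmod_argv_elevates` implements the ChmodPattern classification of a chmod command line (numeric and symbolic modes, including the 2xxx/7xxx cases that a plain 4000–6777 range would miss), and `audit_events` plus `correlate` implement the auditd correlation with the FilePathScope, TimeWindow and UserContext elements. It assumes x86_64 syscall numbers (chmod=90, fchmod=91, fchmodat=268, execve=59), and the audit records in `SAMPLE_AUDIT` are constructed for the demonstration; all function and constant names are the example's own.

```python
# Added example, not from the ATT&CK page: normalise auditd SYSCALL/PATH records
# and chmod command lines into events, then correlate them with the analytic's
# mutable elements (FilePathScope, TimeWindow, UserContext, ChmodPattern).
import re
from collections import defaultdict

SETUID, SETGID = 0o4000, 0o2000
FILE_PATH_SCOPE = ("/tmp/", "/var/tmp/", "/dev/shm/", "/home/")   # FilePathScope
TIME_WINDOW = 300.0                                                # TimeWindow, seconds
# x86_64 syscall numbers -> which register holds the mode: chmod=90 a1,
# fchmod=91 a1, fchmodat=268 a2 (auditd prints arguments in hex). execve=59.
MODE_ARG = {"90": "a1", "91": "a1", "268": "a2"}
EXECVE = "59"

def mode_elevates(mode: int) -> bool:
    """True if a mode carries the setuid or setgid bit (leading octal digit 2-7)."""
    return bool(mode & (SETUID | SETGID))

def chmod_argv_elevates(argv) -> bool:
    """ChmodPattern: does this chmod command line grant setuid/setgid?
    Numeric: any octal whose top digit has bit 4 or 2. Symbolic: a '+' or '='
    clause that gives 's' to u, g or a (so 'u-s' and 'o+s' do not count)."""
    for arg in argv[1:]:
        if arg.startswith("-"):            # option such as -R or -v
            continue
        if re.fullmatch(r"[0-7]+", arg):   # first operand is the mode
            return mode_elevates(int(arg, 8))
        for clause in arg.split(","):
            m = re.fullmatch(r"([ugoa]*)((?:[+=-][rwxXstugo]*)+)", clause)
            if m is None:
                return False               # not a mode string
            who = set(m.group(1) or "a")
            for op, perms in re.findall(r"([+=-])([rwxXstugo]*)", m.group(2)):
                if op in "+=" and "s" in perms and who & set("uga"):
                    return True
        return False
    return False

def parse_audit(line: str) -> dict:
    """Split one auditd record into key=value fields plus timestamp and serial."""
    rec = {k: v.strip('"') for k, v in re.findall(r'(\w+)=("[^"]*"|\S+)', line)}
    m = re.search(r"audit\((\d+\.\d+):(\d+)\)", line)
    rec["_ts"], rec["_serial"] = float(m.group(1)), m.group(2)
    return rec

def audit_events(lines):
    """Join SYSCALL and PATH(item=0) records by serial into chmod/exec events.
    Caveat: PATH names may be relative; a real pipeline also joins the CWD record."""
    by_serial = defaultdict(list)
    for line in lines:
        rec = parse_audit(line)
        by_serial[rec["_serial"]].append(rec)
    events = []
    for recs in by_serial.values():
        sc = next((r for r in recs if r["type"] == "SYSCALL" and r.get("success") == "yes"), None)
        path = next((r["name"] for r in recs if r["type"] == "PATH" and r.get("item") == "0"), None)
        if sc is None or path is None:
            continue
        ev = {"ts": sc["_ts"], "path": path, "uid": int(sc["uid"]), "euid": int(sc["euid"])}
        if sc["syscall"] in MODE_ARG:
            events.append({**ev, "kind": "chmod", "mode": int(sc[MODE_ARG[sc["syscall"]]], 16)})
        elif sc["syscall"] == EXECVE:
            events.append({**ev, "kind": "exec"})
    return events

def correlate(events, window=TIME_WINDOW, scope=FILE_PATH_SCOPE):
    """Alert when a file that received s-bits is executed with EUID != UID within `window`."""
    armed, alerts = {}, []            # armed: path -> time the s-bit was last granted
    for ev in sorted(events, key=lambda e: e["ts"]):
        if ev["kind"] == "chmod" and mode_elevates(ev["mode"]):
            armed[ev["path"]] = ev["ts"]
        elif ev["kind"] == "exec" and ev["euid"] != ev["uid"]:          # UserContext
            granted = armed.get(ev["path"])
            if granted is not None and ev["ts"] - granted <= window and ev["path"].startswith(scope):
                alerts.append({"path": ev["path"], "uid": ev["uid"], "euid": ev["euid"],
                               "delta_s": round(ev["ts"] - granted, 3)})
    return alerts

# Constructed records, not real logs. Serial 101/102: chmod 4755 (a1=9ed) on a
# root-owned file in /tmp, then its exec with euid 0. Serial 105: sudo also has
# uid != euid but no preceding chmod, so the correlation does not fire on it.
SAMPLE_AUDIT = """\
type=SYSCALL msg=audit(1700000000.100:101): arch=c000003e syscall=90 success=yes exit=0 a0=55d0 a1=9ed a2=0 a3=0 items=1 pid=401 auid=1000 uid=1000 gid=1000 euid=1000 comm="chmod" exe="/usr/bin/chmod" key="perm_mod"
type=PATH msg=audit(1700000000.100:101): item=0 name="/tmp/.x/helper" inode=12 mode=0104755 ouid=0 ogid=0
type=SYSCALL msg=audit(1700000000.140:102): arch=c000003e syscall=59 success=yes exit=0 items=2 pid=402 auid=1000 uid=1000 gid=1000 euid=0 comm="helper" exe="/tmp/.x/helper" key="exec"
type=PATH msg=audit(1700000000.140:102): item=0 name="/tmp/.x/helper" inode=12 mode=0104755 ouid=0 ogid=0
type=SYSCALL msg=audit(1700000000.400:105): arch=c000003e syscall=59 success=yes exit=0 items=2 pid=405 auid=1000 uid=1000 gid=1000 euid=0 comm="sudo" exe="/usr/bin/sudo" key="exec"
type=PATH msg=audit(1700000000.400:105): item=0 name="/usr/bin/sudo" inode=7 mode=0104755 ouid=0 ogid=0
""".splitlines()

def sample_alerts():
    return correlate(audit_events(SAMPLE_AUDIT))

if __name__ == "__main__":
    print(sample_alerts())
```

Two design points worth noting: the correlation keys on the file path rather than on the process, because the chmod and the later execve are separate syscalls from separate processes, and the macOS unified-log variant would key on the same thing (the path argument of the chmod command) with `chmod_argv_elevates` replacing the hex-mode check. Tightening `TIME_WINDOW` or `FILE_PATH_SCOPE` trades coverage for noise; both are passed as parameters so an analyst can tune them without touching the logic.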