MITRE ATT&CK® Analytic

AN0307: Analytic 0307

Correlation of chmod operations setting setuid/setgid bits followed by privileged process execution (EUID != UID), especially from user-writable or abnormal paths.

Domain: Enterprise | ID: AN0307 | Type: Analytic | Object version: 1.0 | Status: Modified
Glexia's Take

Analyst context for executives and security teams

Analyst confidence Medium

This analytic matters because a Linux file permission change that adds setuid or setgid behavior can turn an otherwise ordinary executable into a path for running with elevated privileges. For security leaders, the practical question is whether the organization can see both sides of the sequence: the chmod change and the later process running with a different effective user ID than the launching user.

Executive priority

Prioritize this where Linux systems support critical services, administrative workflows, or regulated workloads. The decision value is control assurance: can SOC and incident response teams prove they collect enough Linux audit/process evidence to distinguish expected privileged execution from suspicious privilege-changing activity, especially in user-writable or abnormal paths?

Technical view

Validate Linux telemetry that correlates chmod operations setting setuid/setgid bits with subsequent process execution where EUID != UID. Because no ATT&CK tactic or relationship context is supplied, treat this as a focused detection analytic rather than a full behavior chain. Detection engineering should emphasize sequence correlation, path context, user context, and whether the executable location is user-writable or unusual for privileged binaries.

Likely telemetry

  • Linux file permission change events, especially chmod activity
  • File metadata showing setuid/setgid bit changes
  • Process execution telemetry including UID and EUID
  • Executable path and parent process context
  • User, group, host, and timestamp context

Detection direction

  • Confirm telemetry captures both permission modification and later execution, not just one event type.
  • Tune for chmod operations that set setuid or setgid bits followed by execution where EUID differs from UID.
  • Prioritize higher-signal cases from user-writable directories or abnormal paths.
  • Baseline legitimate administrative, package management, and system maintenance activity to reduce false positives.
  • Ensure correlation windows are long enough to catch delayed execution but constrained enough to remain actionable.
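The sequence described in the technical view and the detection direction above, as an added example that is not part of the MITRE analytic or Glexia's page: a small correlator that indexes chmod events setting the setuid/setgid bits, matches them against later executions of the same path on the same host where EUID != UID inside a tunable window, and ranks the match by path context. The event shape, field names, user-writable prefixes and the allowlist of expected privileged binaries are assumptions; the sample events are constructed, not captured telemetry.

```python
"""Correlate setuid/setgid-setting chmod events with later EUID != UID execution.

Added example for this analytic; not code from MITRE or Glexia. The Event shape
is a constructed, simplified normalization of Linux audit/process telemetry
(field names are assumptions, not raw auditd record syntax).
"""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List, Optional, Tuple

SETUID = 0o4000
SETGID = 0o2000

# Directories an unprivileged user can normally write to (assumed baseline).
USER_WRITABLE_PREFIXES = ("/tmp/", "/var/tmp/", "/dev/shm/", "/home/")

# Expected setuid/setgid binaries (constructed allowlist; on a real fleet build it
# from the hosts themselves, e.g. `find / -perm /6000 -type f`).
KNOWN_PRIVILEGED = {"/usr/bin/passwd", "/usr/bin/sudo", "/usr/bin/su"}


@dataclass
class Event:
    ts: datetime
    host: str
    kind: str                   # "chmod" or "exec"
    path: str                   # target file (chmod) or executable (exec)
    uid: int                    # real UID of the acting process
    euid: Optional[int] = None  # exec only: effective UID after exec
    mode: Optional[int] = None  # chmod only: new mode bits
    parent: str = ""            # parent process name, for context


@dataclass
class Alert:
    host: str
    path: str
    chmod_ts: datetime
    exec_ts: datetime
    severity: str
    reason: str


def sets_privilege_bits(mode: int) -> bool:
    """True when the new mode carries setuid and/or setgid."""
    return bool(mode & (SETUID | SETGID))


def classify(path: str) -> str:
    """Severity from path context, following the analytic's prioritisation."""
    if path in KNOWN_PRIVILEGED:
        return "low"      # expected privileged binary: review, do not page
    if path.startswith(USER_WRITABLE_PREFIXES):
        return "high"     # user-writable location: the highest-signal case
    return "medium"


def correlate(events: List[Event], window_hours: float = 1.0) -> List[Alert]:
    """One alert per privilege-setting chmod that is followed, within the window,
    by an exec of the same path on the same host with EUID != UID."""
    window = timedelta(hours=window_hours)
    pending: Dict[Tuple[str, str], List[Event]] = {}
    alerts: List[Alert] = []
    for ev in sorted(events, key=lambda e: e.ts):
        key = (ev.host, ev.path)
        if ev.kind == "chmod":
            if ev.mode is not None and sets_privilege_bits(ev.mode):
                pending.setdefault(key, []).append(ev)
            continue
        if ev.kind != "exec" or ev.euid is None or ev.euid == ev.uid:
            continue  # ordinary execution: second half of the sequence absent
        # Age out chmod records that fall outside the correlation window.
        fresh = [c for c in pending.get(key, []) if ev.ts - c.ts <= window]
        for ch in fresh:
            alerts.append(Alert(
                host=ev.host, path=ev.path, chmod_ts=ch.ts, exec_ts=ev.ts,
                severity=classify(ev.path),
                reason=(f"chmod set mode {oct(ch.mode)} by uid {ch.uid} (parent {ch.parent}); "
                        f"exec by uid {ev.uid} ran with euid {ev.euid} (parent {ev.parent})"),
            ))
        pending[key] = []  # each chmod alerts once
    return alerts


# Constructed sample telemetry (not real captured logs).
T = datetime(2024, 1, 15)
SAMPLE_EVENTS = [
    # Package upgrade restoring setuid on passwd, then a normal password change.
    Event(T.replace(hour=9), "web01", "chmod", "/usr/bin/passwd", 0, mode=0o4755, parent="dpkg"),
    Event(T.replace(hour=9, minute=30), "web01", "exec", "/usr/bin/passwd", 1000, euid=0, parent="bash"),
    # Unprivileged user adds setuid to a binary in /tmp; first run without
    # privilege change (EUID == UID, ignored), then a run as root.
    Event(T.replace(hour=10), "web01", "chmod", "/tmp/.x/helper", 1000, mode=0o4755, parent="bash"),
    Event(T.replace(hour=10, minute=2), "web01", "exec", "/tmp/.x/helper", 1000, euid=1000, parent="bash"),
    Event(T.replace(hour=10, minute=5), "web01", "exec", "/tmp/.x/helper", 1000, euid=0, parent="bash"),
    # chmod without setuid/setgid: not the first half of the sequence.
    Event(T.replace(hour=11), "web01", "chmod", "/opt/app/bin/tool", 0, mode=0o755, parent="ansible"),
    Event(T.replace(hour=11, minute=1), "web01", "exec", "/opt/app/bin/tool", 1000, euid=0, parent="sudo"),
    # setuid set, but execution comes four hours later (outside the default window).
    Event(T.replace(hour=8), "web01", "chmod", "/home/bob/x", 1000, mode=0o4755, parent="bash"),
    Event(T.replace(hour=12), "web01", "exec", "/home/bob/x", 1000, euid=0, parent="bash"),
]

if __name__ == "__main__":
    for a in correlate(SAMPLE_EVENTS):
        print(f"[{a.severity}] {a.host} {a.path} chmod={a.chmod_ts:%H:%M} exec={a.exec_ts:%H:%M} :: {a.reason}")
```

With the default one-hour window the sample produces two alerts: the passwd case at low severity (expected privileged binary, kept for review rather than suppressed, since package activity is the usual false-positive source) and the /tmp case at high severity. Widening the window to five hours also surfaces the /home/bob/x sequence, which is the trade-off the last detection-direction item describes: longer windows catch delayed execution at the cost of more pending state and more matches to triage.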

Mitigation priorities

  • Inventory legitimate setuid/setgid binaries and expected privileged execution paths on Linux systems.
  • Restrict write access to directories where privileged execution would be unsafe.
  • Review administrative processes that create or modify setuid/setgid files.
  • Use least-privilege practices for users and service accounts that can modify executable permissions.
  • Preserve Linux audit and process telemetry needed for incident reconstruction and compliance evidence.

Analyst notes and limits

The supplied ATT&CK object is a detection analytic for Linux and provides a concise analytic description but no separate official detection text, tactics, or relationship context. Glexia’s interpretation therefore focuses on defensive validation of the described correlation rather than attribution, campaign activity, or broader attack flow.

This take is limited to the official STIX fields, external reference, and absence of supplied relationships. It does not establish prevalence, active exploitation, affected products, or guaranteed detection. Local baselines are required to separate legitimate privileged binaries and administrative chmod activity from suspicious behavior.

Official MITRE ATT&CK definition

Analytic 0307

Correlation of chmod operations setting setuid/setgid bits followed by privileged process execution (EUID != UID), especially from user-writable or abnormal paths.

View the same entry on attack.mitre.org (MITRE-hosted reference; in-page links above use the Glexia ATT&CK library).

Glexia analysis

How security teams should use this page

Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.

Relationship explorer

All related ATT&CK context

No relationships are available in the current normalized data for this object.

Change history

Object version and sync metadata

The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE’s own release notes and roadmap, see ATT&CK resources — Updates.

ATT&CK release: 19.1
Object version: 1.0
Created:
Modified:
Raw hash: 17175c4b382a7398...
Imported snapshots across ATT&CK releases (1)

Release   Bundle imported   Object version   Modified   Status           Raw hash
19.1                        1.0                         Current bundle   17175c4b382a…

Raw source

Mirrored ATT&CK source object

The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.

Source references

External references and citations

MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.

  1. mitre-attack: AN0307 (source URL)

Source and licensing

Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.