AN0308: Analytic 0308
Observation of chmod commands setting setuid/setgid bits, paired with launch of binaries under elevated execution context (e.g., root-owned binaries launched by unprivileged users).
Analyst context for executives and security teams
This analytic matters because setuid/setgid permission changes on macOS can turn an ordinary binary into one that runs with another user or group’s privileges. For leaders, the practical question is whether the organization can see risky permission changes and connect them to later elevated execution, rather than only logging one event in isolation.
Executive priority
Prioritize this as a control-validation and incident-readiness item for macOS environments. It helps answer whether SOC and IR teams can identify privilege-related file permission changes before they become persistence, escalation, or misuse concerns. The business value is strongest where macOS systems support privileged administration, developer workflows, regulated data access, or executive endpoints.
Technical view
Validate whether macOS telemetry can correlate chmod activity that sets setuid or setgid bits with subsequent execution of the affected binary, especially where an unprivileged user launches a root-owned or otherwise elevated binary. Because no tactic, related technique, or official detection logic is supplied, teams should treat this as an analytic pattern to test against local endpoint process, file metadata, and execution context data rather than a complete detection rule.
Likely telemetry
- macOS process creation events including command line and user context
- File permission or metadata change events showing chmod activity and setuid/setgid bit changes
- File ownership metadata, especially root-owned binaries
- Binary execution events showing effective user or elevated execution context
- Endpoint security or audit logs capable of linking the permission change to later process launch
Detection direction
- Confirm that chmod command lines are collected with enough detail to identify setuid/setgid bit-setting behavior.
- Correlate permission changes with later execution of the same file instead of alerting only on chmod activity.
- Tune for legitimate administrative, packaging, installer, and developer workflows that may set special permission bits.
- Prioritize cases involving root-owned binaries launched by unprivileged users or unusual file paths for the local macOS baseline.
- Document telemetry gaps where file permission changes or effective execution context are not available.
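The correlation pattern described above, as an added example that is not part of the original analytic: it parses chmod command lines for setuid/setgid-setting modes (octal and symbolic), remembers which files were affected, and alerts only when a later process-exec event shows a non-root user launching that same root-owned file. The event schema and the sample events are constructed assumptions, not a real endpoint product's format.

```python
import os
import re
import shlex

# Constructed sample telemetry (not from the page): one dict per process-exec event, carrying
# the launching user's uid, the executable path, the file owner's uid and the full command line.
SAMPLE_EVENTS = [
    {"ts": 1, "uid": 0, "path": "/bin/chmod", "owner_uid": 0,
     "cmdline": "chmod -v u+s /usr/local/bin/helper"},       # symbolic setuid
    {"ts": 2, "uid": 0, "path": "/bin/chmod", "owner_uid": 0,
     "cmdline": "chmod 0755 /usr/local/bin/tool"},           # no special bits: ignored
    {"ts": 3, "uid": 0, "path": "/bin/chmod", "owner_uid": 0,
     "cmdline": "chmod 2755 /opt/pkg/bin/agent"},            # octal setgid
    {"ts": 4, "uid": 501, "path": "/usr/local/bin/helper", "owner_uid": 0, "cmdline": "helper --sync"},
    {"ts": 5, "uid": 501, "path": "/usr/local/bin/tool", "owner_uid": 0, "cmdline": "tool"},
    {"ts": 6, "uid": 0, "path": "/opt/pkg/bin/agent", "owner_uid": 0, "cmdline": "agent"},  # root launch: not flagged
]

_SYMBOLIC = re.compile(r"^([ugoa]*)([+=-])([rwxXst]*)$")

def sets_special_bits(mode: str) -> bool:
    """True if a chmod mode string adds setuid or setgid, in octal or symbolic form."""
    if re.fullmatch(r"[0-7]{3,4}", mode):
        return len(mode) == 4 and (int(mode[0]) & 0o6) != 0    # leading digit: 4=setuid, 2=setgid
    for clause in mode.split(","):                             # e.g. "u+s,g+s" or "a+rwxs"
        m = _SYMBOLIC.match(clause)
        if m and m.group(2) in "+=" and "s" in m.group(3) \
                and (not m.group(1) or set(m.group(1)) & set("uga")):   # "o+s" has no effect
            return True
    return False

def parse_chmod(cmdline: str):
    """Return (mode, targets) from a chmod command line, or None when it cannot be parsed."""
    args = [a for a in shlex.split(cmdline)[1:] if not (len(a) > 1 and a.startswith("-"))]  # drop -R/-v/-h
    return (args[0], args[1:]) if len(args) >= 2 else None

def correlate(events):
    """Pair setuid/setgid chmod commands with later launches of the same root-owned file by a non-root user."""
    flagged, alerts = {}, []
    for ev in sorted(events, key=lambda e: e["ts"]):
        if os.path.basename(ev["path"]) == "chmod":
            parsed = parse_chmod(ev["cmdline"])
            if parsed and sets_special_bits(parsed[0]):
                for target in parsed[1]:
                    flagged[target] = ev                       # remember who set the bits and when
        elif ev["path"] in flagged and ev["uid"] != 0 and ev["owner_uid"] == 0:
            alerts.append({"path": ev["path"], "chmod_ts": flagged[ev["path"]]["ts"],
                           "chmod_uid": flagged[ev["path"]]["uid"], "exec_ts": ev["ts"], "exec_uid": ev["uid"]})
    return alerts
```

On the sample events only the helper binary produces an alert: the plain 0755 chmod and the root-launched agent are suppressed, which is the tuning point the detection direction above calls for.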
Mitigation priorities
- Restrict who can modify permissions on sensitive binaries and directories.
- Review administrative workflows that require setuid/setgid and remove unnecessary use where feasible.
- Maintain baselines for expected root-owned privileged binaries on managed macOS systems.
- Use endpoint hardening, least privilege, and change-control processes to limit unauthorized permission modifications.
- Ensure incident response playbooks include review of file ownership, permission bits, and recent execution history for suspected privilege misuse.
Analyst notes and limits
The supplied object is a detection analytic for macOS only. Its official description defines a correlation pattern: chmod setting setuid/setgid bits paired with elevated execution context. No ATT&CK tactic, relationship context, aliases, or official detection implementation was supplied, so this analysis focuses on validation questions and evidence classes rather than a specific rule.
Coverage depends on local macOS logging depth and whether endpoint tools capture command line, file permission changes, file ownership, and effective execution context. This object does not provide evidence of active exploitation, attribution, impacted sectors, or guaranteed detection fidelity.
Analytic 0308
How security teams should use this page
Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.
All related ATT&CK context
No relationships are available in the current normalized data for this object.
Object version and sync metadata
The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE's own release notes and roadmap, see ATT&CK resources: Updates.
Imported snapshots across ATT&CK releases (1)
| Release | Bundle imported | Object version | Modified | Status | Raw hash |
|---|---|---|---|---|---|
| 19.1 | | 1.0 | | Current bundle | 2630dd80e102… |
Mirrored ATT&CK source object
The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.
External references and citations
MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.
[1] mitre-attack: AN0308 (source URL)
Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.