AN0976: Analytic 0976
Monitor audit logs for setuid/setgid bit changes, executions where UID ≠ EUID (indicative of sudo or privilege escalation), and high-integrity binaries launched by unprivileged users.
Analyst context for executives and security teams
This analytic is about whether Linux audit data can show privilege-boundary changes: setuid/setgid permission changes, processes running with a different effective user than the real user, and sensitive binaries started by unprivileged users. For leaders, the value is not the analytic name itself; it is whether the organization can prove it would notice suspicious movement toward elevated Linux privileges before it becomes an incident-response or business-continuity problem.
Executive priority
Prioritize this as a Linux resilience and audit-readiness question: do critical Linux systems produce, retain, and review the audit evidence needed to investigate privilege escalation concerns? This matters for SOC readiness, incident decision-making, privileged access governance, and compliance evidence where Linux servers support important business services. Because no ATT&CK relationships or tactic mapping were supplied, treat it as a control-validation opportunity rather than proof of a specific threat campaign or impact scenario.
Technical view
Validate Linux audit coverage for the three evidence patterns named by the ATT&CK analytic: setuid/setgid bit changes, process executions where UID does not equal EUID, and high-integrity binaries launched by unprivileged users. In auditd data the first appears as chmod-family syscall records whose mode argument carries the setuid or setgid bit, with the target file recorded in the companion PATH record of the same event; the second is visible directly because SYSCALL records carry both uid and euid fields, but any setuid binary, not only sudo, produces the mismatch. SOC and IR teams should confirm the relevant audit logs are collected centrally, normalized with user/process/file context, and retained long enough to support investigations. Detection engineering should tune expected administrative activity separately from unusual privilege-boundary events, especially where sudo, package management, system maintenance, or approved automation create legitimate UID/EUID differences or permission changes.
Likely telemetry
- Linux audit logs covering file permission and metadata changes
- Process execution records with real UID and effective UID fields
- File path, owner, group, and mode metadata for binaries with setuid or setgid bits
- User identity context for unprivileged users and privileged execution outcomes
- Host identity and asset criticality for Linux systems generating the events
Detection direction
- Confirm audit policy actually records setuid/setgid bit changes on in-scope Linux systems (syscall rules covering the chmod family and attribute-change watches on directories holding privileged binaries), not only file reads.
- Validate that process telemetry preserves both UID and EUID so UID ≠ EUID conditions can be evaluated reliably; auditd SYSCALL records carry both, but forwarded or normalized exec events may keep only one.
- Baseline legitimate sudo, service, package-management, and administrative automation activity to reduce false positives.
- Prioritize alerts where unprivileged users launch high-integrity binaries, especially on critical servers.
- Check for blind spots from hosts not enrolled in centralized logging, incomplete audit rules, short retention, or missing user/process normalization.
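The three checks above, run over constructed auditd SYSCALL and PATH lines, as an added example that is not part of this page or of MITRE's analytic. The sample log, the x86_64 syscall numbers for the chmod family, the set of binaries treated as high-integrity, the allow-list of setuid helpers whose UID ≠ EUID is baselined rather than alerted, and the audit key names are all assumptions chosen for illustration; joining the PATH record to its SYSCALL record by audit serial is how auditd groups one event.

```python
"""Detection logic for the three AN0976 evidence patterns over raw auditd lines.

Added example, not code from this page or from MITRE. Assumed for illustration:
the sample log, the x86_64 syscall numbers, the high-integrity binary list and
the list of setuid helpers whose UID != EUID is routine (baseline, not alert).
"""
import re
from typing import Dict, List, Optional, Tuple

# x86_64 syscall numbers for the chmod family, mapped to the register holding the mode.
MODE_ARG_BY_SYSCALL = {90: "a1", 91: "a1", 268: "a2"}  # chmod, fchmod, fchmodat
S_ISUID, S_ISGID = 0o4000, 0o2000

# Assumption: binaries this environment treats as high-integrity (tune per estate).
HIGH_INTEGRITY_EXES = {"/usr/sbin/useradd", "/usr/sbin/usermod", "/usr/sbin/visudo"}
# Assumption: setuid helpers whose UID != EUID is routine and only needs baselining.
EXPECTED_SETUID_EXES = {"/usr/bin/sudo", "/usr/bin/su", "/usr/bin/passwd"}

_FIELD = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')
_SERIAL = re.compile(r"audit\([\d.]+:(\d+)\)")

Finding = Tuple[str, str, str]  # (rule, audit serial, detail)


def parse_audit_record(line: str) -> Dict[str, str]:
    """Split one raw auditd line into key/value pairs, unquoting quoted values."""
    rec = {k: (v[1:-1] if v.startswith('"') else v) for k, v in _FIELD.findall(line)}
    m = _SERIAL.search(rec.get("msg", ""))
    rec["serial"] = m.group(1) if m else ""  # serial links SYSCALL and PATH records of one event
    return rec


def _num(rec: Dict[str, str], key: str, base: int = 10) -> Optional[int]:
    try:
        return int(rec[key], base)
    except (KeyError, ValueError):
        return None


def analyze(lines: List[str]) -> List[Finding]:
    """Run the three AN0976 checks over a batch of raw auditd lines."""
    records = [parse_audit_record(line) for line in lines if line.strip()]
    # The file path of a permission change lives in the PATH record, not the SYSCALL record.
    paths = {r["serial"]: r.get("name", "?") for r in records
             if r.get("type") == "PATH" and r.get("item") == "0"}
    findings: List[Finding] = []
    for r in records:
        if r.get("type") != "SYSCALL":
            continue
        uid, euid, sysno = _num(r, "uid"), _num(r, "euid"), _num(r, "syscall")
        exe, serial = r.get("exe", "?"), r["serial"]
        # Pattern 1: successful chmod-family call whose mode argument carries setuid/setgid.
        if sysno in MODE_ARG_BY_SYSCALL and r.get("success") == "yes":
            mode = _num(r, MODE_ARG_BY_SYSCALL[sysno], 16)  # audit prints syscall args in hex
            if mode is not None and mode & (S_ISUID | S_ISGID):
                findings.append(("setuid_setgid_bit_set", serial,
                                 f"{paths.get(serial, '?')} mode={mode:o} by uid={uid} via {exe}"))
        # Pattern 2: real UID differs from effective UID; known setuid helpers are baseline only.
        if uid is not None and euid is not None and uid != euid:
            rule = "uid_euid_mismatch_expected" if exe in EXPECTED_SETUID_EXES else "uid_euid_mismatch"
            findings.append((rule, serial, f"uid={uid} euid={euid} exe={exe}"))
        # Pattern 3: a high-integrity binary started by a non-root real UID.
        if exe in HIGH_INTEGRITY_EXES and uid not in (None, 0):
            findings.append(("high_integrity_exe_by_unprivileged", serial, f"uid={uid} exe={exe}"))
    return findings


# Constructed sample records (not captured from a real host); one event per serial.
SAMPLE_LOG = [
    'type=SYSCALL msg=audit(1700000000.101:501): arch=c000003e syscall=90 success=yes exit=0 '
    'a0=55d0c0 a1=9ed a2=0 a3=0 uid=1000 gid=1000 euid=1000 suid=1000 fsuid=1000 '
    'comm="chmod" exe="/usr/bin/chmod" key="perm_mod"',
    'type=PATH msg=audit(1700000000.101:501): item=0 name="/tmp/helper" inode=1234 mode=0100755 ouid=1000',
    'type=SYSCALL msg=audit(1700000000.202:502): arch=c000003e syscall=59 success=yes exit=0 '
    'uid=1000 gid=1000 euid=0 suid=0 fsuid=0 comm="sudo" exe="/usr/bin/sudo" key="priv_exec"',
    'type=SYSCALL msg=audit(1700000000.303:503): arch=c000003e syscall=59 success=yes exit=0 '
    'uid=1000 gid=1000 euid=0 suid=0 fsuid=0 comm="helper" exe="/tmp/helper" key="priv_exec"',
    'type=SYSCALL msg=audit(1700000000.404:504): arch=c000003e syscall=59 success=yes exit=0 '
    'uid=1000 gid=1000 euid=1000 suid=1000 fsuid=1000 comm="useradd" exe="/usr/sbin/useradd" key="priv_exec"',
    'type=SYSCALL msg=audit(1700000000.505:505): arch=c000003e syscall=268 success=yes exit=0 '
    'a0=ffffff9c a1=55d0c0 a2=1ed a3=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 comm="chmod" exe="/usr/bin/chmod" key="perm_mod"',
]

if __name__ == "__main__":
    for rule, serial, detail in analyze(SAMPLE_LOG):
        print(f"{rule:36} serial={serial} {detail}")
```

Serial 501 surfaces as a setuid bit set on /tmp/helper (mode 0x9ed is 04755), serial 503 is the same helper later running with UID 1000 and EUID 0 and is alerted, while the sudo event at 502 only carries the baseline tag; 505 is a plain 0755 chmod by root and produces nothing. In production the allow-lists would come from the approved setuid inventory in the mitigation section, and the mode check should also cover chmod-family calls that fail, since a denied attempt is still triage-worthy.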
Mitigation priorities
- Ensure critical Linux systems have audit logging enabled and centrally retained.
- Define and review approved use of setuid/setgid binaries and privileged execution paths.
- Limit privileged access to authorized administrators and service accounts through established identity and access controls.
- Regularly review changes to high-integrity binaries and permission bits as part of system hardening and compliance evidence.
- Document expected administrative workflows so SOC analysts can distinguish normal privilege use from suspicious deviations.
Analyst notes and limits
The supplied ATT&CK object is a detection analytic for Linux only. It provides a monitoring objective but no formal detection logic, tactic mapping, technique relationship, or related software/group context. Glexia would use this to drive a coverage assessment: can the client collect and investigate Linux privilege-boundary telemetry with enough fidelity to support SOC triage and IR decisions?
This take is limited to the official STIX fields, external reference, and absence of relationships supplied for AN0976. It does not assert active exploitation, attribution, impact, guaranteed detection, or applicability outside Linux. Local audit configuration, asset criticality, identity model, and retention practices are required to determine real coverage.
How security teams should use this page
Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.
All related ATT&CK context
No relationships are available in the current normalized data for this object.
Object version and sync metadata
The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE's own release notes and roadmap, see ATT&CK resources: Updates.
Imported snapshots across ATT&CK releases (1)
| Release | Bundle imported | Object version | Modified | Status | Raw hash |
|---|---|---|---|---|---|
| 19.1 | | 1.0 | | Current bundle | f27e8b47cd38… |
Mirrored ATT&CK source object
The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.
External references and citations
MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.
[1] mitre-attack: AN0976 (source URL)
Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.