DET0110: Setuid/Setgid Privilege Abuse Detection (Linux/macOS)
Analyst context for executives and security teams
This detection strategy matters because setuid/setgid abuse can let activity on Linux or macOS run under a different, potentially more privileged, user or group context. For leaders, the practical issue is not the file permission concept itself; it is whether the organization can prove it knows which privileged binaries exist, when they change, and when they are executed in ways that could support privilege escalation.
Executive priority
Prioritize this where Linux or macOS systems support critical business services, administrator workflows, or regulated workloads. The key decision is whether current monitoring and audit evidence can distinguish expected privileged binary use from risky changes or executions. This supports incident triage, control assurance, and privilege-escalation readiness without assuming any specific threat actor or active exploitation.
Technical view
This strategy is tied to ATT&CK technique T1548.001, Setuid and Setgid, under privilege escalation for Linux and macOS. SOC and IR teams should validate visibility into setuid/setgid file presence, ownership, permission changes, and execution context. Because the supplied detection-strategy object has no official detection text, analytics should be locally defined and tested against known-good administrative and operating-system behavior before alerting broadly.
Likely telemetry
- Linux/macOS file metadata and permission inventory for binaries with setuid or setgid bits
- File ownership and group ownership change records where available
- File creation, modification, and permission-change events on monitored systems
- Process execution telemetry showing executed binary path, user, effective user or group context where available
- Host audit or endpoint security logs from Linux and macOS systems
Detection direction
- Establish a baseline of expected setuid/setgid binaries on Linux and macOS assets, then monitor for new, modified, or unusually located entries.
- Correlate execution of setuid/setgid binaries with user context and host role to reduce noise from legitimate operating-system and administrative activity.
- Tune detections carefully because many setuid/setgid binaries can be legitimate; unmanaged baselines may create high false-positive volume.
- Validate whether telemetry captures effective privilege context, not only the initiating user, because the technique depends on execution under another user or group context.
- Use the relationship to T1548.001 to frame alerts as potential privilege-escalation signals that may require surrounding process, file, and account investigation.
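The baseline-and-diff approach described above, as an added example that is not part of the ATT&CK object or the Glexia page: one function inventories setuid/setgid regular files under a directory tree (path, owner, group, mode, SHA-256), and a second compares a current inventory against an approved baseline, reporting new, removed, changed, and unusually located entries. The expected system-path prefixes and the sample records are constructed assumptions and should be replaced with the asset class's own baseline.

```python
import hashlib
import os
import stat

# Assumed "expected" locations for privileged binaries on Linux/macOS; tune per asset class.
EXPECTED_PREFIXES = ("/usr/bin/", "/usr/sbin/", "/bin/", "/sbin/", "/usr/libexec/")


def scan_tree(root):
    """Return {path: record} for regular files under `root` with the setuid or setgid bit set."""
    found = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            st = os.lstat(path)  # lstat so symlinks are not followed
            if not stat.S_ISREG(st.st_mode) or not st.st_mode & (stat.S_ISUID | stat.S_ISGID):
                continue
            with open(path, "rb") as fh:
                digest = hashlib.sha256(fh.read()).hexdigest()
            found[path] = {"mode": stat.S_IMODE(st.st_mode), "uid": st.st_uid,
                           "gid": st.st_gid, "sha256": digest}
    return found


def diff_inventory(baseline, current):
    """Compare a current inventory with the approved baseline.

    Reports paths that appeared or vanished, entries whose owner/group/mode/content
    changed, and any current entry outside the expected system paths.
    """
    added = sorted(set(current) - set(baseline))
    removed = sorted(set(baseline) - set(current))
    changed = sorted(p for p in set(current) & set(baseline) if current[p] != baseline[p])
    unusual = sorted(p for p in current if not p.startswith(EXPECTED_PREFIXES))
    return {"added": added, "removed": removed, "changed": changed, "unusual": unusual}


# Constructed sample records (not taken from a real host) to exercise the comparison offline.
BASELINE = {
    "/usr/bin/passwd": {"mode": 0o4755, "uid": 0, "gid": 0, "sha256": "aa" * 32},
    "/usr/bin/sudo": {"mode": 0o4755, "uid": 0, "gid": 0, "sha256": "bb" * 32},
}
CURRENT = {
    "/usr/bin/passwd": {"mode": 0o4755, "uid": 0, "gid": 0, "sha256": "aa" * 32},
    "/usr/bin/sudo": {"mode": 0o4755, "uid": 0, "gid": 0, "sha256": "cc" * 32},  # content changed
    "/tmp/helper": {"mode": 0o4755, "uid": 0, "gid": 0, "sha256": "dd" * 32},  # new, odd location
}

if __name__ == "__main__":
    # On a real host, replace CURRENT with scan_tree("/") run with sufficient read privileges.
    for category, paths in diff_inventory(BASELINE, CURRENT).items():
        print(f"{category}: {paths}")
```

Each reported path still needs the surrounding process, file, and account context from the investigation step before it is treated as a privilege-escalation signal.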
Mitigation priorities
- Inventory Linux and macOS systems for setuid/setgid binaries and define an approved baseline by asset class.
- Review ownership, permissions, and business need for privileged binaries, especially outside expected system paths.
- Ensure change control or configuration monitoring covers permission and ownership changes relevant to setuid/setgid behavior.
- Harden logging and endpoint visibility before relying on alerting, since the official detection-strategy object does not provide detection logic.
- Include setuid/setgid findings in privilege-escalation response playbooks and compliance evidence where Linux/macOS control assurance is required.
Analyst notes and limits
The supplied ATT&CK object is a detection strategy named Setuid/Setgid Privilege Abuse Detection (Linux/macOS) and it detects T1548.001 Setuid and Setgid. The relationship provides the substantive behavior context: applications with setuid or setgid bits may run in the owning user or group context, which can be more privileged than the invoking user.
The detection-strategy object has no official description, no official detection text, and no platforms listed directly on the object. Linux and macOS platform context comes from the related ATT&CK technique only. Local baselines, asset criticality, and available host telemetry are required to determine detection quality and operational priority.
Setuid/Setgid Privilege Abuse Detection (Linux/macOS)
No official description is available in the imported ATT&CK source object.
How security teams should use this page
Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.
Techniques used
This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.
| Domain | ID | Name | Relationship / procedure |
|---|---|---|---|
| Enterprise | T1548.001 | Setuid and Setgid Sub-technique | This object detects Setuid and Setgid. |
All related ATT&CK context
Object version and sync metadata
The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE's own release notes and roadmap, see the ATT&CK resources Updates page.
Imported snapshots across ATT&CK releases (1)
| Release | Bundle imported | Object version | Modified | Status | Raw hash |
|---|---|---|---|---|---|
| 19.1 | | 1.0 | | Current bundle | 0f0a463773b3… |
Mirrored ATT&CK source object
The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.
External references and citations
MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.
- [1] mitre-attack: DET0110 (source URL)
Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.