MITRE ATT&CK® Technique

T1548.001: Setuid and Setgid

An adversary may abuse configurations where an application has the setuid or setgid bits set in order to get code running in a different (and possibly more privileged) user’s context. On Linux or macOS, when the setuid or setgid bits are set for an application binary, the application will run with the privileges of the owning user or group respectively.[1] Normally an application is run in the current user’s context, regardless of which user or group owns the application. However, there are instances where programs need to be executed in an elevated context to function properly, but the user running them may not have the specific required privileges.

Instead of creating an entry in the sudoers file, which must be done by root, any user can specify the setuid or setgid flag to be set for their own applications (i.e. Linux and Mac Permissions). The chmod command can set these bits with bitmasking, chmod 4777 [file] or via shorthand naming, chmod u+s [file]. This will enable the setuid bit. To enable the setgid bit, chmod 2775 and chmod g+s can be used.

Adversaries can use this mechanism on their own malware to make sure they're able to execute in elevated contexts in the future.[2] This abuse is often part of a "shell escape" or other actions to bypass an execution environment with restricted permissions.

Alternatively, adversaries may choose to find and target vulnerable binaries with the setuid or setgid bits already enabled (i.e. File and Directory Discovery). The setuid and setgid bits are indicated with an "s" instead of an "x" when viewing a file's attributes via ls -l. The find command can also be used to search for such files. For example, find / -perm +4000 2>/dev/null can be used to find files with setuid set and find / -perm +2000 2>/dev/null may be used for setgid. Binaries that have these bits set may then be abused by adversaries.[3]

Enterprise · T1548.001 · Sub-technique · Object v2.0 · Modified
Glexia's Take

Analyst context for executives and security teams

Analyst confidence High

Setuid and setgid abuse matters because Linux and macOS systems can intentionally run certain binaries with the privileges of the file owner or group. If these permissions are misapplied or placed on attacker-controlled files, a low-privilege foothold can become a higher-privilege execution path. For leaders, this is a Unix-like endpoint and server hardening issue that affects privilege escalation readiness, audit evidence, and incident containment decisions.

Executive priority

Prioritize this where Linux or macOS systems support critical services, administrative workstations, or sensitive data access. The business question is not just whether setuid/setgid exists, but whether the organization can prove these elevated-permission binaries are expected, monitored for change, and reviewed after incidents. This is especially relevant to OS configuration baselines, vulnerability and misconfiguration management, and SOC visibility on privilege escalation paths.

Technical view

For SOC, detection engineering, and IR teams, validate coverage for Linux and macOS file permission changes and discovery of binaries with setuid or setgid enabled. ATT&CK does not provide official detection text for this object, but the relationship context identifies DET0110, Setuid/Setgid Privilege Abuse Detection, as a detection strategy. Analysts should focus on unexpected creation or modification of elevated-permission binaries, unusual execution of such binaries, and discovery activity that searches for these permissions. Relationship context also ties this sub-technique to Abuse Elevation Control Mechanism and to observed software examples on macOS and Linux, so triage should consider whether privilege escalation occurred after initial access or execution.

Likely telemetry

  • File metadata and permission-change events on Linux and macOS systems
  • Process execution telemetry for chmod-like permission modification activity and execution of elevated-permission binaries
  • File integrity monitoring or configuration management records for approved setuid/setgid binaries
  • Endpoint logs showing user, group, file owner, path, hash, and parent process context
  • Shell and command-line audit data where available
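A worked example of the second telemetry item (chmod-like permission modification) as an added Python snippet; this is not code from MITRE or Glexia. It reads auditd-style SYSCALL and PATH records, decodes the mode the caller requested from the syscall argument, and flags calls that set the setuid or setgid bit, with a priority that follows the tuning advice above (package-manager activity in system directories is marked for review rather than alerted on). The sample log lines are constructed for the example in auditd's field layout using x86_64 syscall numbers (90 chmod, 268 fchmodat); their values, the paths and the SYSTEM_DIRS list are assumptions.

```python
"""Added example (not MITRE or Glexia code): flag permission changes that set
the setuid or setgid bit, from auditd-style SYSCALL/PATH records.

A chmod(2)/fchmodat(2) call appears in auditd as a SYSCALL record plus one or
more PATH records sharing the msg=audit(TIME:SERIAL) id. The requested mode is
a hex syscall argument, so it is decoded from there rather than trusting the
PATH record's mode field. The sample lines are constructed; values are made up.
"""
import re
from collections import defaultdict

SETUID_BIT = 0o4000
SETGID_BIT = 0o2000
AUID_UNSET = "4294967295"          # auditd's "no login session" marker

# Assumption: elevated bits are only expected here, and only from package
# management or OS updates. Tune per OS build.
SYSTEM_DIRS = ("/usr/bin/", "/usr/sbin/", "/bin/", "/sbin/", "/usr/lib/", "/usr/libexec/")

# x86_64 (arch=c000003e): chmod(2) is syscall 90 with the mode in a1,
# fchmodat(2) is 268 with the mode in a2.
MODE_ARG_BY_SYSCALL = {"90": "a1", "268": "a2"}

KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')
MSG_RE = re.compile(r'msg=audit\(([\d.]+):(\d+)\)')

# Constructed sample: a user making a file in /tmp setuid, a plain 0755 chmod,
# dpkg restoring /usr/bin/passwd during an upgrade, and a setgid bit in /opt.
SAMPLE_AUDIT = """\
type=SYSCALL msg=audit(1700000000.101:501): arch=c000003e syscall=268 success=yes exit=0 a0=ffffff9c a1=55d0c2f3a2a0 a2=9ed a3=0 auid=1000 uid=1000 euid=1000 comm="chmod" exe="/usr/bin/chmod" key="perm_mod"
type=PATH msg=audit(1700000000.101:501): item=0 name="/tmp/.cache/helper" inode=1234 ouid=1000 ogid=1000
type=SYSCALL msg=audit(1700000000.202:502): arch=c000003e syscall=268 success=yes exit=0 a0=ffffff9c a1=55d0c2f3a2b0 a2=1ed a3=0 auid=1000 uid=1000 euid=1000 comm="chmod" exe="/usr/bin/chmod" key="perm_mod"
type=PATH msg=audit(1700000000.202:502): item=0 name="/home/alice/bin/tool" inode=1235 ouid=1000 ogid=1000
type=SYSCALL msg=audit(1700000000.303:503): arch=c000003e syscall=90 success=yes exit=0 a0=55d0c2f3a2c0 a1=9ed a2=0 a3=0 auid=4294967295 uid=0 euid=0 comm="dpkg" exe="/usr/bin/dpkg" key="perm_mod"
type=PATH msg=audit(1700000000.303:503): item=0 name="/usr/bin/passwd" inode=77 ouid=0 ogid=0
type=SYSCALL msg=audit(1700000000.404:504): arch=c000003e syscall=268 success=yes exit=0 a0=ffffff9c a1=55d0c2f3a2d0 a2=5ed a3=0 auid=1000 uid=1000 euid=1000 comm="chmod" exe="/usr/bin/chmod" key="perm_mod"
type=PATH msg=audit(1700000000.404:504): item=0 name="/opt/app/run" inode=9001 ouid=1000 ogid=1000
"""


def parse_record(line):
    """Split one audit line into a dict; None if it carries no audit id."""
    m = MSG_RE.search(line)
    if not m:
        return None
    rec = {k: v.strip('"') for k, v in KV_RE.findall(line)}
    rec["_time"], rec["_serial"] = m.group(1), m.group(2)
    return rec


def group_events(log_text):
    """Group the SYSCALL and PATH records of one syscall by their serial."""
    events = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse_record(line)
        if rec:
            events[rec["_serial"]].append(rec)
    return events


def detect_setuid_changes(log_text):
    """One finding per successful chmod/fchmodat whose requested mode includes
    setuid or setgid. Priority is 'high' when a logged-in user did it or the
    target lies outside SYSTEM_DIRS, else 'review' (likely installer activity)."""
    findings = []
    for serial, recs in group_events(log_text).items():
        sc = next((r for r in recs if r.get("type") == "SYSCALL"), None)
        if sc is None or sc.get("success") != "yes" or sc.get("arch") != "c000003e":
            continue
        arg = MODE_ARG_BY_SYSCALL.get(sc.get("syscall"))
        if arg is None or arg not in sc:
            continue
        mode = int(sc[arg], 16) & 0o7777
        if not mode & (SETUID_BIT | SETGID_BIT):
            continue
        # fchmodat logs a PARENT item before the target; the last PATH is the file.
        paths = [r["name"] for r in recs if r.get("type") == "PATH" and "name" in r]
        path = paths[-1] if paths else "<no PATH record>"
        interactive = sc.get("auid") not in (None, "0", AUID_UNSET)
        in_system_dir = path.startswith(SYSTEM_DIRS)
        findings.append({
            "serial": serial,
            "time": sc["_time"],
            "path": path,
            "mode": f"{mode:04o}",
            "setuid": bool(mode & SETUID_BIT),
            "setgid": bool(mode & SETGID_BIT),
            "auid": sc.get("auid"),
            "comm": sc.get("comm"),
            "priority": "high" if (interactive or not in_system_dir) else "review",
        })
    return findings


if __name__ == "__main__":
    for f in detect_setuid_changes(SAMPLE_AUDIT):
        print(f["priority"].upper(), f["path"], f["mode"], f["comm"], "auid=" + str(f["auid"]))
```

In production the text would come from an ausearch export or the SIEM's raw-audit field; the correlation-by-serial step is what lets the target path (only in the PATH record) be joined to the user and mode (only in the SYSCALL record).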

Detection direction

  • Compare current setuid/setgid binaries against a known-good baseline for each Linux and macOS build rather than alerting on every legitimate elevated binary.
  • Alert on new or changed setuid/setgid permissions in user-writable, temporary, application, or non-standard paths, with tuning for administrative maintenance windows.
  • Correlate permission changes with subsequent execution, privilege context changes, and suspicious discovery of elevated-permission files.
  • Review false positives from legitimate installers, package managers, OS updates, and administrative tooling before escalating.
  • Use the DET0110 relationship as direction to build or validate a dedicated detection strategy, but do not assume coverage exists without local telemetry confirmation.
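The discovery step in the technique description (the find -perm +4000 / +2000 searches) and the first detection direction above (compare against a known-good baseline) share one enumeration routine, so both are covered by this added Python example; it is not code from MITRE or Glexia. It walks a tree with os.lstat instead of shelling out to find, so the same scan runs on Linux and macOS, and records what a baseline needs: the mode string (showing the "s" that ls -l shows), owner, content hash, and two of the triage signals listed above (non-standard path, world-writable parent directory). EXPECTED_DIRS is an assumed allow-list to be tuned per OS build.

```python
"""Added example (not MITRE or Glexia code): enumerate setuid/setgid files
under a root and diff them against a known-good baseline.

Equivalent to the page's `find / -perm +4000` / `-perm +2000` discovery, but
done with os.lstat so one scan runs on Linux and macOS and can record owner,
mode string and content hash for baseline comparison.
"""
import hashlib
import os
import stat

# Assumption: directories that legitimately hold elevated binaries on most
# builds; anything elsewhere is reported as a non-standard path. Tune per OS.
EXPECTED_DIRS = ("/usr/bin", "/usr/sbin", "/bin", "/sbin", "/usr/lib", "/usr/libexec")


def sha256_of(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def scan_elevated(root):
    """Return {path: record} for every regular file under root with the setuid
    or setgid bit set. Symlinks are not followed (lstat), so a link to a setuid
    binary is not reported as a second binary."""
    found = {}
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            path = os.path.join(dirpath, name)
            try:
                st = os.lstat(path)
            except OSError:
                continue
            if not stat.S_ISREG(st.st_mode):
                continue
            bits = st.st_mode & (stat.S_ISUID | stat.S_ISGID)
            if not bits:
                continue
            try:
                parent_mode = os.lstat(dirpath).st_mode
            except OSError:
                parent_mode = 0
            found[path] = {
                "mode": stat.filemode(st.st_mode),   # 's' where ls -l would show it
                "setuid": bool(bits & stat.S_ISUID),
                "setgid": bool(bits & stat.S_ISGID),
                "uid": st.st_uid,
                "gid": st.st_gid,
                "sha256": sha256_of(path),
                # Two of the triage signals from the detection direction list:
                "nonstandard_path": not path.startswith(EXPECTED_DIRS),
                "parent_world_writable": bool(parent_mode & stat.S_IWOTH),
            }
    return found


def diff_against_baseline(baseline, current):
    """Compare two scan results. 'changed' means mode, owner or content differs
    for a path present in both; 'added'/'removed' are set differences."""
    fields = ("mode", "uid", "gid", "sha256")
    added = sorted(set(current) - set(baseline))
    removed = sorted(set(baseline) - set(current))
    changed = sorted(
        p for p in set(current) & set(baseline)
        if any(baseline[p][f] != current[p][f] for f in fields)
    )
    return {"added": added, "removed": removed, "changed": changed}


def findings(baseline, current):
    """Entries a reviewer should look at first: anything new or changed, plus
    anything sitting in a non-standard or world-writable location."""
    delta = diff_against_baseline(baseline, current)
    flagged = set(delta["added"]) | set(delta["changed"])
    for p, rec in current.items():
        if rec["nonstandard_path"] or rec["parent_world_writable"]:
            flagged.add(p)
    return sorted(flagged)


if __name__ == "__main__":
    import json
    import sys
    root = sys.argv[1] if len(sys.argv) > 1 else "/"
    print(json.dumps(scan_elevated(root), indent=2, sort_keys=True))
```

Run it once on a freshly built image to produce the baseline, store the JSON with the build, and re-run it on hosts or after incidents; the diff output is the evidence the executive priority paragraph asks for (that elevated binaries are expected and monitored for change).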

Mitigation priorities

  • Apply OS configuration hardening through M1028 by maintaining approved baselines for elevated-permission binaries.
  • Remove unnecessary setuid/setgid permissions where business function does not require them.
  • Restrict write access to directories where executable files may be created or modified, especially paths accessible by non-administrative users.
  • Use configuration management or file integrity monitoring to detect drift from approved Linux and macOS permission baselines.
  • Include setuid/setgid review in vulnerability management, build validation, and incident response checklists for Unix-like systems.
Analyst notes and limits

This object is a sub-technique of T1548, Abuse Elevation Control Mechanism, and applies to Linux and macOS. The relationship context shows prior ATT&CK technique T1166 was revoked by this object and identifies Keydnap and Exaramel for Linux as software using the behavior. Those relationships support defensive prioritization across macOS and Linux, but they do not by themselves indicate current activity in any local environment.

MITRE provides no official detection text for this technique in the supplied fields. The related detection strategy is named but not described in detail here. Local asset inventory, OS baselines, endpoint telemetry, and administrative change context are required to determine whether a given setuid/setgid finding is malicious, misconfigured, or expected.

Official MITRE ATT&CK definition

View the same entry on attack.mitre.org (MITRE-hosted reference; in-page links above use the Glexia ATT&CK library.)

Glexia analysis

How security teams should use this page

Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.

ATT&CK relationship table

Related techniques

This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.

Domain | ID | Name | Relationship / procedure
Enterprise | T1548 | Abuse Elevation Control Mechanism | This object is a sub-technique of Abuse Elevation Control Mechanism.
Enterprise | T1166 | Setuid and Setgid | Setuid and Setgid was revoked by this object.
Associated objects

Groups, software, and campaigns

Malware (Enterprise)

S0276: Keydnap (platform: macOS)

This piece of malware steals the content of the user's keychain while maintaining a permanent backdoor [1].
Change history

Object version and sync metadata

The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE's own release notes and roadmap, see ATT&CK resources — Updates.

ATT&CK release: 19.1
Object version: 2.0
Created:
Modified:
Raw hash: e7b064230e1e42d5...

Imported snapshots across ATT&CK releases (1)

Release | Bundle imported | Object version | Modified | Status | Raw hash
19.1 | | 2.0 | | Current bundle | e7b064230e1e…
Raw source

Mirrored ATT&CK source object

The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.

Source references

External references and citations

MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.

  [1] setuid man page. Michael Kerrisk. (2017, September 15). Linux Programmer's Manual. Retrieved September 21, 2018.
  [2] OSX Keydnap malware. Marc-Etienne M.Leveille. (2016, July 6). New OSX/Keydnap malware is hungry for credentials. Retrieved July 3, 2017.
  [3] GTFOBins Suid. Emilio Pinna, Andrea Cardaci. (n.d.). GTFOBins. Retrieved January 28, 2022.
  [4] mitre-attack T1548.001.
Source and licensing

Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.