Add setuid and setgid search for Linux privilege escalation
paragonsec opened this issue · 2 comments
paragonsec commented
Below is the YAML file that could be added to add search functionality for setuid and setgid. This could also be ported to Mac.
```yaml
enabled: true
meta:
  author: paragonsec
  created: 2018-03-22
  decorations:
  - Purple Team
  description: Find setuid and setgid binaries
  mitre_link: https://attack.mitre.org/wiki/Technique/T1166
  mitre_attack_phase: Privilege Escalation
  mitre_attack_technique: File System setuid and setgid binaries
  purple_actions:
    # Both -perm tests are grouped so that -ls applies to setgid and setuid hits alike;
    # without the parentheses, -o binds looser than the implied -a and only setuid files are listed.
    1: find / \( -perm -2000 -o -perm -4000 \) -ls 2>/dev/null
    2: find / -perm -2000 2>/dev/null
    3: find / -perm -4000 2>/dev/null
  os: linux
name: Find setuid and setgid binaries
```
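As an added example that is not part of the submission above or of the project, the following POSIX shell script turns the same `find` search into a defender-side check: it enumerates setuid/setgid files under a root and reports any that are absent from a previously captured baseline, so a newly planted or newly chmod'ed setuid binary stands out. The function names and the baseline format (one path per line, as written by `list_setid`) are assumptions made for this example.

```shell
#!/bin/sh
# Added example, not part of the submitted YAML or the project: enumerate
# setuid/setgid files under a root and report entries missing from a baseline.
# Function names and the baseline file format (one path per line) are assumptions.

# list_setid ROOT
# Prints the sorted paths of regular files under ROOT with the setuid or
# setgid bit set. The two -perm tests are grouped in \( \) so that -print
# applies to both branches; without the grouping, -o binds looser than the
# implied -a, and only the second branch would reach the action.
list_setid() {
  find "$1" -xdev -type f \( -perm -4000 -o -perm -2000 \) -print 2>/dev/null | sort
}

# new_setid ROOT BASELINE
# Prints paths that carry the setuid/setgid bit now but do not appear in
# BASELINE (one path per line). Files that gained the bit since the baseline
# was captured are the ones worth reviewing first.
new_setid() {
  _sorted=$(mktemp)
  sort "$2" > "$_sorted"
  list_setid "$1" | comm -13 "$_sorted" -
  rm -f "$_sorted"
}

# show_setid ROOT
# Prints mode, owner and group for every setuid/setgid file under ROOT, which
# is the detail an analyst needs to judge whether a hit is expected.
show_setid() {
  list_setid "$1" | while IFS= read -r f; do
    ls -ld "$f"
  done
}

# Usage: sh setid_audit.sh ROOT [BASELINE]
#   ROOT only:      list setuid/setgid files under ROOT with their modes
#   ROOT BASELINE:  list those not present in BASELINE
if [ "$#" -ge 2 ]; then
  new_setid "$1" "$2"
elif [ "$#" -eq 1 ]; then
  show_setid "$1"
fi
```

Capture a baseline once on a known-good host with `list_setid / > baseline.txt`, then run `new_setid / baseline.txt` on a schedule; an empty result means no new setuid/setgid file has appeared on the local filesystems.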
carnal0wnage commented
Thanks, I should be able to test this today.
carnal0wnage commented
Added. Thank you for the submission.