Linux Setuid Capability Set on a Binary via Setcap Utility

Original Source: [Sigma source]
Title: Linux Setuid Capability Set on a Binary via Setcap Utility
Status: experimental
Description:Detects the use of the 'setcap' utility to set the 'setuid' capability (cap_setuid) on a binary file. This capability allows a non privileged process to make arbitrary manipulations of user IDs (UIDs), including setting its current UID to a value that would otherwise be restricted (i.e. UID 0, the root user). This behavior can be used by adversaries to backdoor a binary in order to escalate privileges again in the future if needed.
References:
  -https://man7.org/linux/man-pages/man8/setcap.8.html
   -https://dfir.ch/posts/linux_capabilities/
   -https://juggernaut-sec.com/capabilities/#cap_setuid
 Author: Luc GĂ©naux
Date: 2026-01-24
modified:None
Tags:
  • -'attack.privilege-escalation'
  • -'attack.defense-evasion'
  • -'attack.persistence'
  • -'attack.t1548'
  • -'attack.t1554'
Logsource:
  • product: linux
  • category: process_creation
Detection:
  selection:
    Image|endswith: '/setcap'
    CommandLine|contains: 'cap_setuid'
  condition:selection
Falsepositives:
  -Unknown
Level: low

© 2024 DetectionCode Website. All Rights Reserved.