Process Capability Set via setcap Utility

Elastic Detection Rules

Summary
This detection rule monitors use of the `setcap` utility on Linux, which sets file capabilities on executables. Attackers misuse it for persistence or privilege escalation because a capability-bearing binary can grant elevated privileges without a root shell, so a `setcap` invocation can indicate an unauthorized modification. The rule fires on process-start events where the process is `setcap`, while excluding a set of parent processes known to run it legitimately, such as package-management and containerization tooling. Filtering out those benign parents keeps the alerts focused on invocations that warrant investigation. The rule is written in EQL (Event Query Language) and runs in the Elastic Security application on Elastic Agent data; it requires the Elastic Defend integration to produce the process telemetry it queries. The rule's investigation steps and response actions guide analysts through triaging potential misuse.
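The following is an added example, not the rule's own EQL or any Elastic code: a stand-alone Python re-implementation of the detection shape described above (process start, process name `setcap`, parent process not on an exclusion list), run over constructed process events. The page names only the categories of excluded parents, so the parent names in `BENIGN_PARENTS` are assumptions for illustration, and the events are constructed, not real telemetry.

```python
"""Added example (not Elastic's rule code): mirror the described EQL logic in Python
and run it over constructed process-start events to see what would alert."""

from dataclasses import dataclass

# ASSUMED exclusion list. The page only says the rule excludes parents related to
# package management and containerization; the real rule's list may differ.
BENIGN_PARENTS = frozenset({"dpkg", "rpm", "apt-get", "dockerd", "containerd"})


@dataclass(frozen=True)
class ProcessEvent:
    """Minimal stand-in for the process fields the rule reasons about."""
    event_type: str    # "start" or "end"
    name: str          # process.name
    parent_name: str   # process.parent.name
    command_line: str  # kept only as triage context for the analyst


def matches_setcap_rule(event: ProcessEvent,
                        benign_parents: frozenset = BENIGN_PARENTS) -> bool:
    """Same three conditions the page describes: a process-start event, the process
    is setcap, and the parent is not one of the excluded legitimate tools."""
    return (
        event.event_type == "start"
        and event.name == "setcap"
        and event.parent_name not in benign_parents
    )


def evaluate(events, benign_parents: frozenset = BENIGN_PARENTS) -> list:
    """Return one alert record per matching event, carrying the context an analyst
    needs first: which parent launched setcap and with what command line."""
    return [
        {"parent": e.parent_name, "command_line": e.command_line}
        for e in events
        if matches_setcap_rule(e, benign_parents)
    ]


# Constructed sample events (not captured from a real host).
SAMPLE_EVENTS = [
    # Interactive shell runs setcap: no exclusion applies, should alert.
    ProcessEvent("start", "setcap", "bash",
                 "setcap cap_net_bind_service=+ep /opt/app/server"),
    # Package manager applying capabilities during install: excluded parent.
    ProcessEvent("start", "setcap", "dpkg",
                 "setcap cap_net_raw+ep /usr/bin/ping"),
    # Process-end event for the same binary: wrong event type, ignored.
    ProcessEvent("end", "setcap", "bash",
                 "setcap cap_net_bind_service=+ep /opt/app/server"),
    # Read-only query of capabilities: different process name, ignored.
    ProcessEvent("start", "getcap", "bash", "getcap -r /"),
]


if __name__ == "__main__":
    for alert in evaluate(SAMPLE_EVENTS):
        print(f"ALERT setcap via parent={alert['parent']}: {alert['command_line']}")
```

Running the block produces a single alert, the one launched from `bash`. Keying the exclusion on parent name alone is coarse; when tuning a rule like this, pairing the parent name with its executable path reduces both noise and blind spots.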
Categories
  • Endpoint
  • Linux
  • Cloud
  • On-Premise
Data Sources
  • Process
  • Container
  • Application Log
  • Sensor Health
Created: 2024-06-03