Privilege Escalation via CAP_CHOWN/CAP_FOWNER Capabilities

Identifies instances where a process granted the CAP_CHOWN and/or CAP_FOWNER capabilities is executed, after which the ownership of a suspicious file or binary is changed. In Linux, the CAP_CHOWN capability allows a process to change the owner of a file, while CAP_FOWNER lets it bypass permission checks on operations that normally require file ownership (such as reading, writing, and executing). Attackers may abuse these capabilities to obtain unauthorized access to files.

Rule type: eql

Rule indices:

  • logs-endpoint.events.*
  • auditbeat-*
  • logs-auditd_manager.auditd-*

Severity: medium

Risk score: 47

Runs every: 5m

Searches indices from: now-9m (Date Math format, see also Additional look-back time)

Maximum alerts per execution: 100

References: None

Tags:

  • Domain: Endpoint
  • OS: Linux
  • Use Case: Threat Detection
  • Tactic: Privilege Escalation
  • Data Source: Elastic Defend

Version: 1

Rule authors:

  • Elastic

Rule license: Elastic License v2

Rule query

sequence by host.id, process.pid with maxspan=1s
  [process where host.os.type == "linux" and event.action == "exec" and event.type == "start" and
   process.name != null and process.thread.capabilities.effective : ("CAP_CHOWN", "CAP_FOWNER") and
   process.command_line : ("*sudoers*", "*passwd*", "*shadow*", "*/root/*") and user.id != "0"]
  [file where event.dataset == "auditd_manager.auditd" and host.os.type == "linux" and
   event.action == "changed-file-ownership-of" and event.type == "change" and event.outcome == "success" and
   file.path in (
     "/etc/passwd",
     "/etc/shadow",
     "/etc/sudoers",
     "/root/.ssh/*"
   ) and user.id != "0"]
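The following is an added example, not part of the rule or Elastic's code: a small Python re-implementation of the sequence logic above, run over constructed sample events, showing how the two steps are joined on host.id and process.pid within the 1s maxspan and why a pair 3s apart, or a pair run as root, produces no alert. It matches the file.path list as glob patterns so the `/root/.ssh/*` entry behaves as intended; note that EQL's `in` operator compares values exactly, and wildcards in EQL need `:` or `like`.

```python
from fnmatch import fnmatch

MAXSPAN = 1.0  # seconds; mirrors "with maxspan=1s"
CAPS = ("CAP_CHOWN", "CAP_FOWNER")
CMDLINE_GLOBS = ("*sudoers*", "*passwd*", "*shadow*", "*/root/*")
PATH_GLOBS = ("/etc/passwd", "/etc/shadow", "/etc/sudoers", "/root/.ssh/*")

def process_match(e):
    """Step 1: non-root exec holding CAP_CHOWN/CAP_FOWNER with a sensitive target on the command line."""
    return (e.get("event.category") == "process" and e.get("host.os.type") == "linux"
            and e.get("event.action") == "exec" and e.get("event.type") == "start"
            and e.get("process.name") is not None and e.get("user.id") != "0"
            and any(c in CAPS for c in e.get("process.thread.capabilities.effective", []))
            and any(fnmatch(e.get("process.command_line", "").lower(), g) for g in CMDLINE_GLOBS))

def file_match(e):
    """Step 2: successful auditd ownership change of a sensitive path, not performed as root."""
    return (e.get("event.category") == "file" and e.get("event.dataset") == "auditd_manager.auditd"
            and e.get("host.os.type") == "linux" and e.get("event.action") == "changed-file-ownership-of"
            and e.get("event.type") == "change" and e.get("event.outcome") == "success"
            and e.get("user.id") != "0"
            and any(fnmatch(e.get("file.path", ""), g) for g in PATH_GLOBS))  # globs, unlike EQL "in"

def detect(events):
    """Join step 1 and step 2 on (host.id, process.pid) within MAXSPAN, like the EQL sequence."""
    pending, alerts = {}, []  # pending: join key -> latest matching step-1 event
    for e in sorted(events, key=lambda x: x["@timestamp"]):
        key = (e.get("host.id"), e.get("process.pid"))
        if process_match(e):
            pending[key] = e
        elif file_match(e) and key in pending:
            if e["@timestamp"] - pending[key]["@timestamp"] <= MAXSPAN:
                alerts.append((pending.pop(key), e))  # one alert per completed sequence
    return alerts

def _ev(ts, pid, uid, **f):
    """Constructed ECS-style flat event (sample data, not real telemetry)."""
    return {"@timestamp": ts, "host.id": "host-1", "host.os.type": "linux",
            "process.pid": pid, "user.id": uid, **f}

EXEC = {"event.category": "process", "event.action": "exec", "event.type": "start", "process.name": "chown",
        "process.thread.capabilities.effective": ["CAP_CHOWN"], "process.command_line": "chown 1000 /etc/shadow"}
CHOWN = {"event.category": "file", "event.dataset": "auditd_manager.auditd", "event.type": "change",
         "event.action": "changed-file-ownership-of", "event.outcome": "success", "file.path": "/etc/shadow"}
SAMPLE_EVENTS = [
    _ev(100.0, 4242, "1000", **EXEC), _ev(100.4, 4242, "1000", **CHOWN),  # 0.4s apart -> alert
    _ev(200.0, 5151, "1000", **EXEC), _ev(203.0, 5151, "1000", **CHOWN),  # 3s apart -> outside maxspan
    _ev(300.0, 6161, "0", **EXEC), _ev(300.2, 6161, "0", **CHOWN),        # run as root -> excluded
]
```

Running `detect(SAMPLE_EVENTS)` yields exactly one (exec, ownership-change) pair, for pid 4242.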

Framework: MITRE ATT&CK™