Closed Aegrah closed 3 months ago
For now these are hard-coded for all /bin, /usr/bin, /sbin and /usr/sbin paths. Looking to see whether I can leverage the genome project with benign ELF samples to only specify paths that exist in a distribution, which would allow for a more performant query.
Summary
This query lists all GTFOBins SUID binaries and queries these to find executions where the real.id is not 0 but the id is 0. This indicates non-root executions with root permissions on SUID binaries. It needs some more formatting, but it is actually rather performant: 0 FPs in my own testing stack, and 7 flaggable entries (that would be interesting to take a look at) in telemetry over the last 30 days.
SUID privileges granted to GTFOBin
We can also check for SUID permissions being granted to a suspicious binary through a whitelist:
In the last year of telemetry there was only 1 hit, which is a TP.
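The two checks described above (a non-root real user running a GTFOBins SUID binary with an effective id of 0, and the SUID bit being granted to a binary outside a whitelist), as an added Python example run over constructed process events. This is illustrative code, not the PR's actual query: the ECS-style field names (`process.executable`, `process.user.id`, `process.real_user.id`, `process.args`), the small GTFOBins subset and the allowlist of expected SUID binaries are all assumptions made for the example.

```python
"""Added example: the two SUID detections from the PR, over constructed events.
Field names, the GTFOBins subset and the allowlist are assumptions, not the
rule author's own query or lists."""
import os
import re

# Assumed, illustrative subset of GTFOBins entries that have a "SUID" section.
GTFOBINS_SUID = {
    "bash", "sh", "find", "vim", "vi", "python", "python3", "perl",
    "env", "awk", "gawk", "nmap", "less", "more", "cp", "mv", "tee",
}
# The PR hard-codes these directories for the executable path.
BIN_DIRS = ("/bin/", "/usr/bin/", "/sbin/", "/usr/sbin/")
# Assumed allowlist of binaries that legitimately carry the SUID bit.
SUID_ALLOWLIST = {
    "/usr/bin/sudo", "/usr/bin/passwd", "/usr/bin/su", "/usr/bin/mount",
    "/usr/bin/umount", "/usr/bin/newgrp", "/usr/bin/chsh", "/usr/bin/chfn",
}

def is_gtfobin_suid_exec(ev):
    """Check 1: GTFOBin in a system bin dir, real uid != 0 but effective uid == 0."""
    exe = ev.get("process.executable", "")
    if not exe.startswith(BIN_DIRS):
        return False
    if os.path.basename(exe) not in GTFOBINS_SUID:
        return False
    real_uid = ev.get("process.real_user.id")
    return ev.get("process.user.id") == "0" and real_uid is not None and real_uid != "0"

_NUMERIC_MODE = re.compile(r"^0?[0-7]{3,4}$")
_SYMBOLIC = re.compile(r"^([ugoa]*)([+\-=])([rwxXstugo]*)$")

def sets_suid(mode):
    """True if a chmod mode argument would set the setuid bit (not setgid)."""
    if _NUMERIC_MODE.match(mode):
        return bool(int(mode, 8) & 0o4000)
    for clause in mode.split(","):
        m = _SYMBOLIC.match(clause)
        if not m:
            continue
        who, op, perms = m.groups()
        # "u+s", "+s", "a+s", "u=rwxs" set the bit; "g+s" is setgid only.
        if op in "+=" and "s" in perms and (not who or "u" in who or "a" in who):
            return True
    return False

def is_suspicious_suid_grant(ev):
    """Check 2: chmod setting the SUID bit on targets outside the allowlist.
    Returns the list of suspicious targets (empty when nothing is flagged)."""
    if ev.get("process.name") != "chmod":
        return []
    positional = [a for a in ev.get("process.args", [])[1:] if not a.startswith("-")]
    if len(positional) < 2:
        return []
    mode, targets = positional[0], positional[1:]
    if not sets_suid(mode):
        return []
    return [t for t in targets if t not in SUID_ALLOWLIST]

# Constructed sample events for this example (not real telemetry).
SAMPLE_EVENTS = [
    {"process.executable": "/usr/bin/find", "process.user.id": "0", "process.real_user.id": "1000"},
    {"process.executable": "/usr/bin/find", "process.user.id": "1000", "process.real_user.id": "1000"},
    {"process.executable": "/usr/bin/vim", "process.user.id": "0", "process.real_user.id": "0"},
    {"process.executable": "/home/user/find", "process.user.id": "0", "process.real_user.id": "1000"},
    {"process.name": "chmod", "process.args": ["chmod", "u+s", "/tmp/rootshell"]},
    {"process.name": "chmod", "process.args": ["chmod", "-R", "4755", "/usr/bin/passwd"]},
    {"process.name": "chmod", "process.args": ["chmod", "g+s", "/srv/shared"]},
]

def run(events=SAMPLE_EVENTS):
    """Apply both checks and return (check, target) pairs for every hit."""
    hits = []
    for ev in events:
        if is_gtfobin_suid_exec(ev):
            hits.append(("gtfobin_suid_exec", ev["process.executable"]))
        for target in is_suspicious_suid_grant(ev):
            hits.append(("suid_granted", target))
    return hits

if __name__ == "__main__":
    for hit in run():
        print(*hit)
```

Only the first `find` execution and the `chmod u+s /tmp/rootshell` event are flagged: the second `find` has no privilege gap, root running `vim` has a real uid of 0, the copy outside the hard-coded bin directories is ignored, the `passwd` grant is allowlisted, and `g+s` only sets setgid.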