Linux Setgid Capability Set on a Binary via Setcap Utility

Rule Info

Name
Linux Setgid Capability Set on a Binary via Setcap Utility
Author
Luc GĂ©naux
Description
Detects the use of the 'setcap' utility to set the 'setgid' capability (cap_setgid) on a binary file. This capability allows a non privileged process to make arbitrary manipulations of group IDs (GIDs), including setting its current GID to a value that would otherwise be restricted (i.e. GID 0, the root group). This behavior can be used by adversaries to backdoor a binary in order to escalate privileges again in the future if needed.
Reference
https://man7.org/linux/man-pages/man8/setcap.8.html
Date
2026-01-24 00:00:00
Modified
None
Id
3a716279-c18c-4488-83be-f9ececbfb9fc
Tags
attack.privilege-escalation attack.defense-evasion attack.persistence attack.t1548 attack.t1554
Type
Community Rule
Link to Public Repo
https://github.com/SigmaHQ/sigma/search?q=3a716279-c18c-4488-83be-f9ececbfb9fc

Rule History

Author
Title
Date
Commit
EzLucky
Merge PR #5771 from @EzLucky - Add and Update Setcap Related Rules
2026-01-24
076da1793
THOR Logo  Scan your endpoints, forensic images or collected files with our portable scanner THOR
  Warning: Access to VALHALLA is rate-limited - once you prove unworthy, access gets denied
  Nextron Systems 2022