TIARAS - T1166: Setuid and Setgid

MITRE ATT&CK Technique

Privilege Escalation T1166

Description

When the setuid or setgid bits are set on Linux or macOS for an application, this means that the application will run with the privileges of the owning user or group respectively (Citation: setuid man page). Normally an application is run in the current user’s context, regardless of which user or group owns the application. There are instances where programs need to be executed in an elevated context to function properly, but the user running them doesn’t need the elevated privileges. Instead of creating an entry in the sudoers file, which must be done by root, any user can specify the setuid or setgid flag to be set for their own applications. These bits are indicated with an "s" instead of an "x" when viewing a file's attributes via <code>ls -l</code>. The <code>chmod</code> program can set these bits with via bitmasking, <code>chmod 4777 [file]</code> or via shorthand naming, <code>chmod u+s [file]</code>. An adversary can take advantage of this to either do a shell escape or exploit a vulnerability in an application with the setsuid or setgid bits to get code running in a different user’s context. Additionally, adversaries can use this mechanism on their own malware to make sure they're able to execute in elevated contexts in the future (Citation: OSX Keydnap malware).

Supported Platforms

Linux macOS

Created

April 29, 2026

Last Updated

April 29, 2026

STIX Data

{'created': '2017-12-14T16:46:06.044Z',
 'created_by_ref': 'identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5',
 'description': 'When the setuid or setgid bits are set on Linux or macOS for '
                'an application, this means that the application will run with '
                'the privileges of the owning user or group respectively  '
                '(Citation: setuid man page). Normally an application is run '
                'in the current user’s context, regardless of which user or '
                'group owns the application. There are instances where '
                'programs need to be executed in an elevated context to '
                'function properly, but the user running them doesn’t need the '
                'elevated privileges. Instead of creating an entry in the '
                'sudoers file, which must be done by root, any user can '
                'specify the setuid or setgid flag to be set for their own '
                'applications. These bits are indicated with an "s" instead of '
                'an "x" when viewing a file\'s attributes via <code>ls '
                '-l</code>. The <code>chmod</code> program can set these bits '
                'with via bitmasking, <code>chmod 4777 [file]</code> or via '
                'shorthand naming, <code>chmod u+s [file]</code>.\n'
                '\n'
                'An adversary can take advantage of this to either do a shell '
                'escape or exploit a vulnerability in an application with the '
                'setsuid or setgid bits to get code running in a different '
                'user’s context. Additionally, adversaries can use this '
                "mechanism on their own malware to make sure they're able to "
                'execute in elevated contexts in the future  (Citation: OSX '
                'Keydnap malware).',
 'external_references': [{'external_id': 'T1166',
                          'source_name': 'mitre-attack',
                          'url': 'https://attack.mitre.org/techniques/T1166'},
                         {'description': 'Michael Kerrisk. (2017, September '
                                         "15). Linux Programmer's Manual. "
                                         'Retrieved September 21, 2018.',
                          'source_name': 'setuid man page',
                          'url': 'http://man7.org/linux/man-pages/man2/setuid.2.html'},
                         {'description': 'Marc-Etienne M.Leveille. (2016, July '
                                         '6). New OSX/Keydnap malware is '
                                         'hungry for credentials. Retrieved '
                                         'July 3, 2017.',
                          'source_name': 'OSX Keydnap malware',
                          'url': 'https://www.welivesecurity.com/2016/07/06/new-osxkeydnap-malware-hungry-credentials/'}],
 'id': 'attack-pattern--c0df6533-30ee-4a4a-9c6d-17af5abdf0b2',
 'kill_chain_phases': [{'kill_chain_name': 'mitre-attack',
                        'phase_name': 'privilege-escalation'},
                       {'kill_chain_name': 'mitre-attack',
                        'phase_name': 'persistence'}],
 'modified': '2025-10-24T17:49:19.596Z',
 'name': 'Setuid and Setgid',
 'object_marking_refs': ['marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168'],
 'revoked': True,
 'spec_version': '2.1',
 'type': 'attack-pattern',
 'x_mitre_attack_spec_version': '3.2.0',
 'x_mitre_deprecated': False,
 'x_mitre_detection': '',
 'x_mitre_domains': ['enterprise-attack'],
 'x_mitre_is_subtechnique': False,
 'x_mitre_modified_by_ref': 'identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5',
 'x_mitre_platforms': ['Linux', 'macOS'],
 'x_mitre_version': '1.1'}

Quick Actions

Edit TTP Update from Web

Back to TTPs

Dashboard About