Deprecated - CAP_SYS_ADMIN Assigned to Binary

Last updated 21 days ago on 2025-12-24

Created 2 years ago on 2024-01-10

About

Identifies instances where a binary is granted the CAP_SYS_ADMIN capability. In Linux, the CAP_SYS_ADMIN capability is a powerful and broad capability that allows a process to perform a range of system administration operations, such as mounting and unmounting filesystems, configuring network interfaces, and accessing hardware devices. Attackers may leverage a misconfiguration for exploitation in order to escalate their privileges to root. The rule identifies previously unknown processes executing with CAP_SYS_ADMIN capabilities through the use of the new terms rule type.

Tags

Domain: EndpointOS: LinuxUse Case: Threat DetectionTactic: PersistenceData Source: Elastic DefendRule Type: BBRLanguage: kuery

Severity

low

Risk Score

MITRE ATT&CK™

Persistence (TA0003)(external, opens in a new tab or window)

License

Elastic License v2(external, opens in a new tab or window)

Definition

Rule Type: New Terms Rule
Integration Pack: Prebuilt Security Detection Rules
Index Patterns: logs-endpoint.events.*
Related Integrations: endpoint(external, opens in a new tab or window)
Query

✄𐘗text code block:
✄𐘗event.category:"process" and host.os.type:"linux" and event.type:"start" and event.action:"exec" and process.name:* and
(process.thread.capabilities.effective:"CAP_SYS_ADMIN" or process.thread.capabilities.permitted:"CAP_SYS_ADMIN") and
not user.id:"0"

Install detection rules in Elastic Security

Detect Deprecated - CAP_SYS_ADMIN Assigned to Binary in the Elastic Security detection engine by installing this rule into your Elastic Stack.

To setup this rule, check out the installation guide for Prebuilt Security Detection Rules(external, opens in a new tab or window).