UNPKG

aiwg

Deployment tool and support utility for AI context. Copies agents, skills, commands, rules, and behaviors into the paths each AI platform reads (Claude Code, Codex, Copilot, Cursor, Warp, OpenClaw, and 6 more) so one source of truth works across 10 platfo

title: Unauthorized SUID Binary Detected
id: 3b8e2f1a-7c5d-4a9b-8e6f-1d2c3a4b5e6f
status: stable
description: Detects the creation or modification of SUID or SGID binaries in locations that the package manager does not manage. Package ownership cannot be read from a file_change event, so confirm it with the commands in the Detection Logic Note; a SUID binary that no installed package owns is a strong indicator of a privilege escalation backdoor planted by an attacker.
references:
  - https://attack.mitre.org/techniques/T1548/001/
  - https://gtfobins.github.io/
author: forensics-complete
date: 2025-11-14
modified: 2025-11-14
tags:
  - attack.privilege_escalation
  - attack.t1548.001
  - attack.persistence
logsource:
  product: linux
  category: file_change
detection:
  selection:
    # How the log source encodes the setuid/setgid bits (symbolic 'u+s'/'g+s',
    # 'rwsr-xr-x', or an octal mode) depends on the collector; adjust to match.
    file_permissions|contains:
      - 'u+s'
      - 'g+s'
    file_path|startswith:
      - '/tmp/'
      - '/var/tmp/'
      - '/dev/shm/'
      - '/home/'
      - '/opt/'
      - '/usr/local/bin/'
      - '/usr/local/sbin/'
  filter_package_managed:
    # Exclude paths that are routinely managed by the package manager.
    # None of the selection prefixes fall under these, so with the selection
    # above this filter never removes a match; it only takes effect if the
    # selection is widened.
    file_path|startswith:
      - '/usr/bin/'
      - '/usr/sbin/'
      - '/bin/'
      - '/sbin/'
  condition: selection and not filter_package_managed
falsepositives:
  - Custom in-house applications installed outside the package manager
  - Software installed from source in /usr/local/ with a SUID requirement
  - Container environments where package manager metadata is unavailable
level: high
fields:
  - file_path
  - file_permissions
  - file_owner
  - file_md5
  - file_sha256
  - process_name
  - timestamp
---
# Detection Logic Note
#
# The selection above is a path heuristic. Verify that a flagged binary really
# is unpackaged with the following commands (run as root; write the list to an
# evidence volume rather than world-writable /tmp when the host is suspect):
#
# # Find all SUID/SGID binaries
# find / -perm /6000 -type f 2>/dev/null > /tmp/suid-all.txt
#
# # Check each against dpkg (Debian/Ubuntu). Test the exit status rather than
# # grepping for "not found": the message wording differs between dpkg
# # versions, and dpkg -S exits non-zero whenever no package owns the path.
# while read -r f; do
#   dpkg -S "$f" >/dev/null 2>&1 || echo "UNPACKAGED: $f"
# done < /tmp/suid-all.txt
#
# # Check each against rpm (RHEL/CentOS). rpm -qf likewise exits non-zero
# # for a file that no package owns.
# while read -r f; do
#   rpm -qf "$f" >/dev/null 2>&1 || echo "UNPACKAGED: $f"
# done < /tmp/suid-all.txt
#
# See rules/red-flag-escalation.md Rule 3 for escalation requirements.
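The following script is an added example and is not part of the aiwg rule file. It does two things: it evaluates the rule's `selection` logic offline against a handful of constructed file_change events (octal mode plus path, a format chosen for this example), and it implements the Detection Logic Note's package-ownership check on the exit status of `dpkg -S` / `rpm -qf` instead of grepping message text. The function names, the event format, the sample events and the `--live` flag are assumptions made here.

```shell
#!/bin/sh
# Added example (not the rule's own code): evaluate the rule's selection
# offline against constructed events, then check package ownership the way
# the Detection Logic Note describes, driven by exit status.

# Path prefixes copied from the rule's `selection`.
WATCHED_PREFIXES="/tmp/ /var/tmp/ /dev/shm/ /home/ /opt/ /usr/local/bin/ /usr/local/sbin/"

# has_setid MODE: succeeds if octal MODE (e.g. 4755, as printed by `stat -c %a`)
# carries the SUID (04000) or SGID (02000) bit. The prepended 0 forces octal.
has_setid() {
    [ $(( 0$1 & 06000 )) -ne 0 ]
}

# in_watched_path PATH: succeeds if PATH starts with one of the rule's prefixes.
in_watched_path() {
    for prefix in $WATCHED_PREFIXES; do
        case "$1" in
            "$prefix"*) return 0 ;;
        esac
    done
    return 1
}

# matches_rule MODE PATH: succeeds if a file_change event with these values
# would trigger the rule. The rule's filter_package_managed prefixes do not
# overlap the selection prefixes, so the filter never changes this outcome.
matches_rule() {
    has_setid "$1" && in_watched_path "$2"
}

# Constructed sample events (one per line): "<octal mode> <path>".
SAMPLE_EVENTS='4755 /tmp/.x/bash
2755 /usr/local/bin/helper
0755 /tmp/script.sh
4755 /usr/bin/sudo
6755 /dev/shm/.p'

# evaluate_samples: prints one ALERT line per sample event that matches the rule.
evaluate_samples() {
    printf '%s\n' "$SAMPLE_EVENTS" | while read -r mode path; do
        if matches_rule "$mode" "$path"; then
            echo "ALERT: mode=$mode path=$path"
        fi
    done
}

# is_unpackaged PATH: returns 0 if no installed package owns PATH, 1 if one
# does, 2 if neither dpkg nor rpm exists (e.g. a stripped-down container).
# Uses the commands' exit status; their message wording varies by version.
is_unpackaged() {
    if command -v dpkg >/dev/null 2>&1; then
        ! dpkg -S "$1" >/dev/null 2>&1
    elif command -v rpm >/dev/null 2>&1; then
        ! rpm -qf "$1" >/dev/null 2>&1
    else
        return 2
    fi
}

# audit_live_system: the Detection Logic Note's procedure end to end, recording
# the SHA-256 of each unpackaged SUID/SGID binary for the incident record.
audit_live_system() {
    find / -perm /6000 -type f 2>/dev/null | while read -r f; do
        rc=0
        is_unpackaged "$f" || rc=$?
        case $rc in
            0) echo "UNPACKAGED: $f sha256=$(sha256sum "$f" | cut -d' ' -f1)" ;;
            2) echo "UNKNOWN: $f (no package manager metadata on this host)" ;;
        esac
    done
}

# Offline sample evaluation by default; pass --live to audit the running host.
if [ "${1-}" = "--live" ]; then
    audit_live_system
else
    evaluate_samples
fi
```

Run without arguments it prints three ALERT lines (the two SUID and one SGID files under watched prefixes); `/usr/bin/sudo` is SUID but outside the selection, and the `/tmp` script has no set-id bit. With `--live` it audits the host as root. Ownership checks answer "no package owns this path" for the exact path string, so a binary reached through a symlinked directory (for example a merged `/usr` layout) may need to be checked under both spellings before it is called unpackaged.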