diff --git a/rules/linux/process_creation/proc_creation_lnx_gtfobin_apt.yml b/rules/linux/process_creation/proc_creation_lnx_apt_shell_execution.yml
similarity index 64%
rename from rules/linux/process_creation/proc_creation_lnx_gtfobin_apt.yml
rename to rules/linux/process_creation/proc_creation_lnx_apt_shell_execution.yml
index c5f75e71dc0..0628ece1bac 100644
--- a/rules/linux/process_creation/proc_creation_lnx_gtfobin_apt.yml
+++ b/rules/linux/process_creation/proc_creation_lnx_apt_shell_execution.yml
@@ -1,12 +1,15 @@
-title: Apt GTFOBin Abuse - Linux
+title: Shell Invocation via Apt - Linux
 id: bb382fd5-b454-47ea-a264-1828e4c766d6
 status: test
-description: Detects usage of "apt" and "apt-get" as a GTFOBin to execute and proxy command and binary execution
+description: |
+ Detects the use of the "apt" and "apt-get" commands to execute a shell or proxy commands.
+ Such behavior may be associated with privilege escalation, unauthorized command execution, or to break out from restricted environments.
 references:
 - https://gtfobins.github.io/gtfobins/apt/
 - https://gtfobins.github.io/gtfobins/apt-get/
 author: Nasreddine Bencherchali (Nextron Systems)
 date: 2022-12-28
+modified: 2024-09-02
 tags:
 - attack.discovery
 - attack.t1083
diff --git a/rules/linux/process_creation/proc_creation_lnx_awk_shell_spawn.yml b/rules/linux/process_creation/proc_creation_lnx_awk_shell_spawn.yml
new file mode 100644
index 00000000000..74b6e875f4c
--- /dev/null
+++ b/rules/linux/process_creation/proc_creation_lnx_awk_shell_spawn.yml
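Review bot: The title and description now describe shell invocation and privilege escalation, but the `tags` block this hunk leaves in place still maps the rule to `attack.discovery` / `attack.t1083` (File and Directory Discovery), which does not describe spawning a shell through apt. The sibling rules added in this commit for awk, capsh and env use `attack.execution` / `attack.t1059`; for consistency I would change the two tag lines to `- attack.execution` and `- attack.t1059.004` (Unix Shell). The detection section of this file is outside the hunk, so I cannot confirm what the selections match.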
@@ -0,0 +1,38 @@
+title: Suspicious Invocation of Shell via AWK - Linux
+id: 8c1a5675-cb85-452f-a298-b01b22a51856
+status: experimental
+description: |
+ Detects the execution of "awk" or it's sibling commands, to invoke a shell using the system() function.
+ This behavior is commonly associated with attempts to execute arbitrary commands or escalate privileges, potentially leading to unauthorized access or further exploitation.
+references:
+ - https://gtfobins.github.io/gtfobins/awk/#shell
+ - https://gtfobins.github.io/gtfobins/gawk/#shell
+ - https://gtfobins.github.io/gtfobins/nawk/#shell
+ - https://gtfobins.github.io/gtfobins/mawk/#shell
+author: Li Ling, Andy Parkidomo, Robert Rakowski, Blake Hartstein (Bloomberg L.P.)
+date: 2024-09-02
+tags:
+ - attack.execution
+ - attack.t1059
+logsource:
+ category: process_creation
+ product: linux
+detection:
+ selection_img:
+ Image|endswith:
+ - '/awk'
+ - '/gawk'
+ - '/mawk'
+ - '/nawk'
+ CommandLine|contains: 'BEGIN {system'
+ selection_cli:
+ CommandLine|contains:
+ - '/bin/bash'
+ - '/bin/dash'
+ - '/bin/fish'
+ - '/bin/sh'
+ - '/bin/zsh'
+ condition: all of selection_*
+falsepositives:
+ - Unknown
+level: high
diff --git a/rules/linux/process_creation/proc_creation_lnx_capsh_shell_invocation.yml b/rules/linux/process_creation/proc_creation_lnx_capsh_shell_invocation.yml
new file mode 100644
index 00000000000..7dedb608ea3
--- /dev/null
+++ b/rules/linux/process_creation/proc_creation_lnx_capsh_shell_invocation.yml
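Review bot: `CommandLine|contains: 'BEGIN {system'` is bound to one exact spelling and silently misses `BEGIN{system(...)}`, `BEGIN  {system` or a `system()` call placed in an `END` or main action block, all of which spawn the shell just as well. Since `selection_cli` already requires a shell path, the first selection could be relaxed to `CommandLine|contains: 'system('` (or `CommandLine|contains|all: ['BEGIN', 'system(']` if the BEGIN anchor is wanted) without losing the GTFOBins case in the references. The description also reads `it's sibling commands`; it should be `its sibling commands`.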
@@ -0,0 +1,24 @@
+title: Capsh Shell Invocation - Linux
+id: db1ac3be-f606-4e3a-89e0-9607cbe6b98a
+status: experimental
+description: |
+ Detects the use of the "capsh" utility to invoke a shell.
+references:
+ - https://gtfobins.github.io/gtfobins/capsh/#shell
+ - https://www.elastic.co/guide/en/security/current/linux-restricted-shell-breakout-via-linux-binary-s.html
+author: Li Ling, Andy Parkidomo, Robert Rakowski, Blake Hartstein (Bloomberg L.P.)
+date: 2024-09-02
+tags:
+ - attack.execution
+ - attack.t1059
+logsource:
+ category: process_creation
+ product: linux
+detection:
+ selection:
+ Image|endswith: '/capsh'
+ CommandLine|endswith: ' --'
+ condition: selection
+falsepositives:
+ - Unknown
+level: high
diff --git a/rules/linux/process_creation/proc_creation_lnx_env_shell_invocation.yml b/rules/linux/process_creation/proc_creation_lnx_env_shell_invocation.yml
new file mode 100644
index 00000000000..655c4682c30
--- /dev/null
+++ b/rules/linux/process_creation/proc_creation_lnx_env_shell_invocation.yml
@@ -0,0 +1,29 @@
+title: Shell Invocation via Env Command - Linux
+id: bed978f8-7f3a-432b-82c5-9286a9b3031a
+status: experimental
+description: |
+ Detects the use of the env command to invoke a shell. This may indicate an attempt to bypass restricted environments, escalate privileges, or execute arbitrary commands.
+references:
+ - https://gtfobins.github.io/gtfobins/env/#shell
+ - https://www.elastic.co/guide/en/security/current/linux-restricted-shell-breakout-via-linux-binary-s.html
+author: Li Ling, Andy Parkidomo, Robert Rakowski, Blake Hartstein (Bloomberg L.P.)
+date: 2024-09-02
+tags:
+ - attack.execution
+ - attack.t1059
+logsource:
+ category: process_creation
+ product: linux
+detection:
+ selection:
+ Image|endswith: '/env'
+ CommandLine|endswith:
+ - '/bin/bash'
+ - '/bin/dash'
+ - '/bin/fish'
+ - '/bin/sh'
+ - '/bin/zsh'
+ condition: selection
+falsepositives:
+ - Github operations such as ghe-backup
+level: high
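Review bot: `CommandLine|endswith: ' --'` only fires when `--` is the last token, so `capsh -- -c 'id'` or `capsh --gid=0 --uid=0 -- -c /bin/sh`, which run commands through the same separator mechanism, are not matched, and a trailing space in the logged command line also defeats `endswith`. A plain `contains: ' --'` would be wrong because it also matches `--print` and every other long option, so I would split the selection into an image part and two command-line parts and accept either. The rewritten detection block is below.

```yaml
detection:
    selection_img:
        Image|endswith: '/capsh'
    selection_cli_end:
        CommandLine|endswith: ' --'
    selection_cli_args:
        CommandLine|contains: ' -- '
    condition: selection_img and 1 of selection_cli_*
```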
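Review bot: `CommandLine|endswith` requires the shell path to be the final token, so `env /bin/bash -i`, `env /bin/sh -p` or `env -i /bin/bash --norc`, which are at least as likely for an interactive breakout, are not matched. Consider `CommandLine|contains` on the same list (with the caveat that `env /bin/bash script.sh` style wrappers will then need filtering under `falsepositives`), or at minimum add the `-i`/`-p` terminated variants to the `endswith` list. The rule also does not match `env bash` / `env sh` without a path, which is worth stating in the description as a known gap rather than leaving it implicit.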
diff --git a/rules/linux/process_creation/proc_creation_lnx_find_shell_execution.yml b/rules/linux/process_creation/proc_creation_lnx_find_shell_execution.yml
new file mode 100644
index 00000000000..f6509084122
--- /dev/null
+++ b/rules/linux/process_creation/proc_creation_lnx_find_shell_execution.yml
@@ -0,0 +1,33 @@
+title: Shell Execution via Find - Linux
+id: 6adfbf8f-52be-4444-9bac-81b539624146
+status: experimental
+description: |
+ Detects the use of the find command to execute a shell. Such behavior may be associated with privilege escalation, unauthorized command execution, or exploitation attempt.
+references:
+ - https://gtfobins.github.io/gtfobins/find/#shell
+ - https://www.elastic.co/guide/en/security/current/linux-restricted-shell-breakout-via-linux-binary-s.html
+author: Li Ling, Andy Parkidomo, Robert Rakowski, Blake Hartstein (Bloomberg L.P.)
+date: 2024-09-02
+tags:
+ - attack.discovery
+ - attack.t1083
+logsource:
+ category: process_creation
+ product: linux
+detection:
+ selection_img:
+ Image|endswith: '/find'
+ CommandLine|contains|all:
+ - ' . '
+ - '-exec'
+ selection_cli:
+ CommandLine|contains:
+ - '/bin/bash'
+ - '/bin/dash'
+ - '/bin/fish'
+ - '/bin/sh'
+ - '/bin/zsh'
+ condition: all of selection_*
+falsepositives:
+ - Unknown
+level: high
diff --git a/rules/linux/process_creation/proc_creation_lnx_flock_shell_execution.yml b/rules/linux/process_creation/proc_creation_lnx_flock_shell_execution.yml
new file mode 100644
index 00000000000..a2a6138b419
--- /dev/null
+++ b/rules/linux/process_creation/proc_creation_lnx_flock_shell_execution.yml
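Review bot: `CommandLine|contains|all` requires the literal `' . '`, so the rule only fires when the search root is the current directory; `find / -exec /bin/sh \;` or `find /tmp -exec /bin/bash -p \;` spawn the same shell and are missed. The `-exec` token plus the shell path in `selection_cli` is what identifies the technique, so I would drop the `' . '` entry and keep `CommandLine|contains: '-exec'` (which also covers `-execdir`), at the cost of benign `find … -exec /bin/sh -c` one-liners that should then be listed under `falsepositives` instead of `Unknown`. The rule is also tagged `attack.discovery` / `attack.t1083` while the awk and capsh rules in the same commit use `attack.execution` / `attack.t1059` for the same behavior.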
@@ -0,0 +1,31 @@
+title: Shell Execution via Flock - Linux
+id: 4b09c71e-4269-4111-9cdd-107d8867f0cc
+status: experimental
+description: |
+ Detects the use of the "flock" command to execute a shell. Such behavior may be associated with privilege escalation, unauthorized command execution, or to break out from restricted environments.
+references:
+ - https://gtfobins.github.io/gtfobins/flock/#shell
+ - https://www.elastic.co/guide/en/security/current/linux-restricted-shell-breakout-via-linux-binary-s.html
+author: Li Ling, Andy Parkidomo, Robert Rakowski, Blake Hartstein (Bloomberg L.P.)
+date: 2024-09-02
+tags:
+ - attack.discovery
+ - attack.t1083
+logsource:
+ category: process_creation
+ product: linux
+detection:
+ selection_img:
+ Image|endswith: '/flock'
+ CommandLine|contains: ' -u '
+ selection_cli:
+ CommandLine|contains:
+ - '/bin/bash'
+ - '/bin/dash'
+ - '/bin/fish'
+ - '/bin/sh'
+ - '/bin/zsh'
+ condition: all of selection_*
+falsepositives:
+ - Unknown
+level: high
diff --git a/rules/linux/process_creation/proc_creation_lnx_gcc_shell_execution.yml b/rules/linux/process_creation/proc_creation_lnx_gcc_shell_execution.yml
new file mode 100644
index 00000000000..cc542deaeb8
--- /dev/null
+++ b/rules/linux/process_creation/proc_creation_lnx_gcc_shell_execution.yml
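Review bot: `CommandLine|contains: ' -u '` only matches the short option; `flock --unlock / /bin/sh` and combined flags such as `flock -un / /bin/sh` run the same shell but are missed, and `flock <file> /bin/sh` needs no `-u` at all to execute the command. I would extend the selection to `CommandLine|contains: [' -u ', ' --unlock ']` rather than drop it, because flock routinely wraps `/bin/bash script.sh` in cron jobs and the option is what keeps false positives down; that trade-off belongs under `falsepositives` instead of `Unknown`. The `attack.discovery` / `attack.t1083` tags do not describe spawning a shell; the sibling awk/capsh/env rules in this commit use `attack.execution` / `attack.t1059`.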
@@ -0,0 +1,36 @@
+title: Shell Execution GCC - Linux
+id: 9b5de532-a757-4d70-946c-1f3e44f48b4d
+status: experimental
+description: |
+ Detects the use of the "gcc" utility to execute a shell. Such behavior may be associated with privilege escalation, unauthorized command execution, or to break out from restricted environments.
+references:
+ - https://gtfobins.github.io/gtfobins/gcc/#shell
+ - https://gtfobins.github.io/gtfobins/c89/#shell
+ - https://gtfobins.github.io/gtfobins/c99/#shell
+ - https://www.elastic.co/guide/en/security/current/linux-restricted-shell-breakout-via-linux-binary-s.html
+author: Li Ling, Andy Parkidomo, Robert Rakowski, Blake Hartstein (Bloomberg L.P.)
+date: 2024-09-02
+tags:
+ - attack.discovery
+ - attack.t1083
+logsource:
+ category: process_creation
+ product: linux
+detection:
+ selection_img:
+ Image|endswith:
+ - '/c89'
+ - '/c99'
+ - '/gcc'
+ CommandLine|contains: '-wrapper'
+ selection_cli:
+ CommandLine|contains:
+ - '/bin/bash,-s'
+ - '/bin/dash,-s'
+ - '/bin/fish,-s'
+ - '/bin/sh,-s'
+ - '/bin/zsh,-s'
+ condition: all of selection_*
+falsepositives:
+ - Unknown
+level: high
diff --git a/rules/linux/process_creation/proc_creation_lnx_git_shell_execution.yml b/rules/linux/process_creation/proc_creation_lnx_git_shell_execution.yml
new file mode 100644
index 00000000000..d2d94b54536
--- /dev/null
+++ b/rules/linux/process_creation/proc_creation_lnx_git_shell_execution.yml
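Review bot: `selection_cli` pins the wrapper argument to `<shell>,-s`, so `gcc -wrapper /bin/sh,-c,id .` or `gcc -wrapper /bin/bash,-i .`, which execute through exactly the same `-wrapper` mechanism, are not matched. Matching the shell path followed by the comma (`'/bin/sh,'`, `'/bin/bash,'` and so on) keeps the GTFOBins case and covers the other argument forms. The title `Shell Execution GCC - Linux` is missing `via`, the description names only `gcc` although `c89` and `c99` are matched too, and the `attack.discovery` / `attack.t1083` tags should be `attack.execution` / `attack.t1059` as in the awk and capsh rules of this commit.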
@@ -0,0 +1,29 @@
+title: Shell Execution via Git - Linux
+id: 47b3bbd4-1bf7-48cc-84ab-995362aaa75a
+status: experimental
+description: |
+ Detects the use of the "git" utility to execute a shell. Such behavior may be associated with privilege escalation, unauthorized command execution, or to break out from restricted environments.
+references:
+ - https://gtfobins.github.io/gtfobins/git/#shell
+author: Li Ling, Andy Parkidomo, Robert Rakowski, Blake Hartstein (Bloomberg L.P.)
+date: 2024-09-02
+tags:
+ - attack.execution
+ - attack.t1059
+logsource:
+ category: process_creation
+ product: linux
+detection:
+ selection:
+ ParentImage|endswith: '/git'
+ ParentCommandLine|contains|all:
+ - ' -p '
+ - 'help'
+ CommandLine|contains:
+ - 'bash 0<&1'
+ - 'dash 0<&1'
+ - 'sh 0<&1'
+ condition: selection
+falsepositives:
+ - Unknown
+level: high
diff --git a/rules/linux/process_creation/proc_creation_lnx_nice_shell_execution.yml b/rules/linux/process_creation/proc_creation_lnx_nice_shell_execution.yml
new file mode 100644
index 00000000000..9ea19c3325b
--- /dev/null
+++ b/rules/linux/process_creation/proc_creation_lnx_nice_shell_execution.yml
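Review bot: `ParentCommandLine|contains|all` requires both `' -p '` and `'help'`, but the pager configured through `PAGER` or `core.pager` runs for any paginated git command (`git -p log`, `git -p diff`, `git -c core.pager=… status`), so the `'help'` anchor narrows detection to the literal GTFOBins example. A child `sh -c "exec sh 0<&1"` under a `git` parent is suspicious on its own; I would drop `'help'` and keep at most `ParentCommandLine|contains: ' -p '`, or remove the ParentCommandLine clause entirely and rely on `ParentImage` plus the `0<&1` redirection. Note that a `!/bin/sh` escape typed into the pager itself spawns the shell from `less`, not from `git`, and is outside this rule; that limitation is worth a sentence in the description.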
@@ -0,0 +1,29 @@
+title: Shell Execution via Nice - Linux
+id: 093d68c7-762a-42f4-9f46-95e79142571a
+status: experimental
+description: |
+ Detects the use of the "nice" utility to execute a shell. Such behavior may be associated with privilege escalation, unauthorized command execution, or to break out from restricted environments.
+references:
+ - https://gtfobins.github.io/gtfobins/nice/#shell
+ - https://www.elastic.co/guide/en/security/current/linux-restricted-shell-breakout-via-linux-binary-s.html
+author: Li Ling, Andy Parkidomo, Robert Rakowski, Blake Hartstein (Bloomberg L.P.)
+date: 2024-09-02
+tags:
+ - attack.discovery
+ - attack.t1083
+logsource:
+ category: process_creation
+ product: linux
+detection:
+ selection:
+ Image|endswith: '/nice'
+ CommandLine|endswith:
+ - '/bin/bash'
+ - '/bin/dash'
+ - '/bin/fish'
+ - '/bin/sh'
+ - '/bin/zsh'
+ condition: selection
+falsepositives:
+ - Unknown
+level: high
diff --git a/rules/linux/process_creation/proc_creation_lnx_python_shell_os_system.yml b/rules/linux/process_creation/proc_creation_lnx_python_shell_os_system.yml
new file mode 100644
index 00000000000..23b10f60df9
--- /dev/null
+++ b/rules/linux/process_creation/proc_creation_lnx_python_shell_os_system.yml
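Review bot: The `attack.discovery` / `attack.t1083` tags do not fit a rule whose title is shell execution; the env rule added in the same commit for the equivalent `env /bin/sh` pattern uses `attack.execution` / `attack.t1059`, and this rule should match it. As with that rule, `CommandLine|endswith` misses a shell path followed by flags (`nice /bin/bash -i`, `nice -n -20 /bin/sh -p`); a `contains` match on the same list, or an `endswith` list extended with the `-i`/`-p` forms, would cover those at the cost of `nice /bin/bash script.sh` wrappers that should then be named under `falsepositives`.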
@@ -0,0 +1,38 @@
+title: Inline Python Execution - Spawn Shell Via OS System Library
+id: 2d2f44ff-4611-4778-a8fc-323a0e9850cc
+status: experimental
+description: |
+ Detects execution of inline Python code via the "-c" in order to call the "system" function from the "os" library, and spawn a shell.
+references:
+ - https://gtfobins.github.io/gtfobins/python/#shell
+author: Li Ling, Andy Parkidomo, Robert Rakowski, Blake Hartstein (Bloomberg L.P.)
+date: 2024-09-02
+tags:
+ - attack.execution
+ - attack.t1059
+logsource:
+ category: process_creation
+ product: linux
+detection:
+ selection_img:
+ - Image|endswith:
+ - '/python'
+ - '/python2'
+ - '/python3'
+ - Image|contains:
+ - '/python2.' # python image is always of the form ../python3.10; ../python is just a symlink
+ - '/python3.'
+ selection_cli:
+ CommandLine|contains|all:
+ - ' -c '
+ - 'os.system('
+ CommandLine|contains:
+ - '/bin/bash'
+ - '/bin/dash'
+ - '/bin/fish'
+ - '/bin/sh'
+ - '/bin/zsh'
+ condition: all of selection_*
+falsepositives:
+ - Unknown
+level: high
diff --git a/rules/linux/process_creation/proc_creation_lnx_rsync_shell_execution.yml b/rules/linux/process_creation/proc_creation_lnx_rsync_shell_execution.yml
new file mode 100644
index 00000000000..0e68d8e950c
--- /dev/null
+++ b/rules/linux/process_creation/proc_creation_lnx_rsync_shell_execution.yml
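Review bot: The inline comment `python image is always of the form ../python3.10; ../python is just a symlink` states as fact something that may depend on the sensor — whether `Image` carries the path as invoked or the resolved symlink target is not the same across auditd, Sysmon for Linux and EDR agents — so it should be hedged, e.g. `# keep both forms: depending on the sensor, Image may be the invoked symlink (../python3) or its target (../python3.10)`; keeping both selections is the right call either way. Coverage is also strictly `os.system(`; `os.popen(`, `subprocess.`, `os.exec*` and `pty.spawn(` one-liners that spawn the same shell are outside the rule, which is consistent with the title but should be stated in the description so nobody assumes the python GTFOBins shell is fully covered.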
@@ -0,0 +1,29 @@
+title: Shell Execution via Rsync - Linux
+id: e2326866-609f-4015-aea9-7ec634e8aa04
+status: experimental
+description: |
+ Detects the use of the "gcc" utility to execute a shell. Such behavior may be associated with privilege escalation, unauthorized command execution, or to break out from restricted environments.
+references:
+ - https://gtfobins.github.io/gtfobins/rsync/#shell
+author: Li Ling, Andy Parkidomo, Robert Rakowski, Blake Hartstein (Bloomberg L.P.)
+date: 2024-09-02
+tags:
+ - attack.execution
+ - attack.t1059
+logsource:
+ category: process_creation
+ product: linux
+detection:
+ selection_img:
+ Image|endswith: '/rsync'
+ CommandLine|contains: ' -e '
+ selection_cli:
+ CommandLine|contains:
+ - 'sh 0<&2 1>&2'
+ - 'sh 1>&2 0<&2'
+ selection_null:
+ CommandLine|contains: '/dev/null'
+ condition: all of selection_*
+falsepositives:
+ - Unknown
+level: high
diff --git a/rules/linux/process_creation/proc_creation_lnx_ssh_shell_execution.yml b/rules/linux/process_creation/proc_creation_lnx_ssh_shell_execution.yml
new file mode 100644
index 00000000000..65c95f0fba3
--- /dev/null
+++ b/rules/linux/process_creation/proc_creation_lnx_ssh_shell_execution.yml
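Review bot: The description says `Detects the use of the "gcc" utility to execute a shell` in a rule for rsync — a copy-paste from the gcc rule; it should read `Detects the use of the "rsync" utility to execute a shell`. Separately, `selection_null` makes `/dev/null` mandatory although the remote-path argument is arbitrary (`rsync -e 'sh -c "sh 0<&2 1>&2"' 127.0.0.1:/tmp` behaves the same), so the third selection only matches the literal GTFOBins invocation; I would drop it and let `' -e '` plus the `0<&2 1>&2` redirection carry the detection. `-e` is also the only spelling matched; `--rsh=` is the equivalent long option and should be in the same list.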
@@ -0,0 +1,36 @@
+title: Shell Invocation Via Ssh - Linux
+id: 8737b7f6-8df3-4bb7-b1da-06019b99b687
+status: experimental
+description: |
+ Detects the use of the "ssh" utility to execute a shell. Such behavior may be associated with privilege escalation, unauthorized command execution, or to break out from restricted environments.
+references:
+ - https://gtfobins.github.io/gtfobins/ssh/
+ - https://www.elastic.co/guide/en/security/current/linux-restricted-shell-breakout-via-linux-binary-s.html
+author: Li Ling, Andy Parkidomo, Robert Rakowski, Blake Hartstein (Bloomberg L.P.)
+date: 2024-08-29
+tags:
+ - attack.execution
+ - attack.t1059
+logsource:
+ category: process_creation
+ product: linux
+detection:
+ selection_img:
+ Image|endswith: '/ssh'
+ CommandLine|contains:
+ - 'ProxyCommand=;'
+ - 'permitlocalcommand=yes'
+ - 'localhost'
+ selection_cli:
+ CommandLine|contains:
+ - '/bin/bash'
+ - '/bin/dash'
+ - '/bin/fish'
+ - '/bin/sh'
+ - '/bin/zsh'
+ - 'sh 0<&2 1>&2'
+ - 'sh 1>&2 0<&2'
+ condition: all of selection_*
+falsepositives:
+ - Unknown
+level: high
diff --git a/rules/linux/process_creation/proc_creation_lnx_gtfobin_vim.yml b/rules/linux/process_creation/proc_creation_lnx_vim_shell_execution.yml
similarity index 77%
rename from rules/linux/process_creation/proc_creation_lnx_gtfobin_vim.yml
rename to rules/linux/process_creation/proc_creation_lnx_vim_shell_execution.yml
index 0228c228358..8d1e79788d1 100644
--- a/rules/linux/process_creation/proc_creation_lnx_gtfobin_vim.yml
+++ b/rules/linux/process_creation/proc_creation_lnx_vim_shell_execution.yml
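Review bot: The anchors in `selection_img` are stricter than ssh's own option syntax: `-o` accepts `Key value` as well as `Key=value`, so `-o 'ProxyCommand sh 0<&2 1>&2'` bypasses `'ProxyCommand=;'`, and the leading `;` is not needed at all because the proxy command is already run through `sh -c`. I would match on the option names alone — `'ProxyCommand'`, `'PermitLocalCommand'`, `'LocalCommand'` — and keep the shell path / `0<&2 1>&2` requirement in `selection_cli` as the discriminator. `'localhost'` on its own is a very weak first-stage token (any `ssh localhost /bin/bash …` from an admin script satisfies both selections), which should at least be reflected under `falsepositives` instead of `Unknown`.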
@@ -1,13 +1,16 @@
 title: Vim GTFOBin Abuse - Linux
 id: 7ab8f73a-fcff-428b-84aa-6a5ff7877dea
 status: test
-description: Detects usage of "vim" and it's siblings as a GTFOBin to execute and proxy command and binary execution
+description: |
+ Detects the use of "vim" and it's siblings commands to execute a shell or proxy commands.
+ Such behavior may be associated with privilege escalation, unauthorized command execution, or to break out from restricted environments.
 references:
 - https://gtfobins.github.io/gtfobins/vim/
 - https://gtfobins.github.io/gtfobins/rvim/
 - https://gtfobins.github.io/gtfobins/vimdiff/
 author: Nasreddine Bencherchali (Nextron Systems)
 date: 2022-12-28
+modified: 2024-09-02
 tags:
 - attack.discovery
 - attack.t1083
@@ -17,22 +20,22 @@ logsource:
 detection:
 selection_img:
 Image|endswith:
- - '/vim'
 - '/rvim'
+ - '/vim'
 - '/vimdiff'
 CommandLine|contains:
- - ' -c '
 - ' --cmd'
+ - ' -c '
 selection_cli:
 CommandLine|contains:
 - ':!/'
- - ':py '
 - ':lua '
- - '/bin/sh'
+ - ':py '
 - '/bin/bash'
 - '/bin/dash'
- - '/bin/zsh'
 - '/bin/fish'
+ - '/bin/sh'
+ - '/bin/zsh'
 condition: all of selection_*
 falsepositives:
 - Unknown
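Review bot: The file is renamed to `proc_creation_lnx_vim_shell_execution.yml` and the description rewritten, but the title `Vim GTFOBin Abuse - Linux` is left unchanged, unlike the apt rule in the same commit whose title became `Shell Invocation via Apt - Linux`; `title: Shell Execution via Vim - Linux` would keep the two consistent. The new description line `"vim" and it's siblings commands` should read `"vim" and its sibling commands`. As with the apt rule, the `attack.discovery` / `attack.t1083` tags left in place do not describe spawning a shell; `attack.execution` / `attack.t1059.004` matches the rewritten description.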