Merge PR #4975 from @Murphy0801 - Add new rules related to GTFOBins

new: Capsh Shell Invocation - Linux new: Inline Python Execution - Spawn Shell Via OS System Library new: Shell Execution GCC - Linux new: Shell Execution via Find - Linux new: Shell Execution via Flock - Linux new: Shell Execution via Git - Linux new: Shell Execution via Nice - Linux new: Shell Execution via Rsync - Linux new: Shell Invocation via Env Command - Linux new: Shell Invocation Via Ssh - Linux new: Suspicious Invocation of Shell via AWK - Linux --------- Co-authored-by: frack113 <[email protected]> Co-authored-by: nasbench <[email protected]>
SigmaHQ · Sep 2, 2024 · 3e2f8d5 · 3e2f8d5
1 parent 839f563
commit 3e2f8d5
Show file tree

Hide file tree

Showing 13 changed files with 366 additions and 8 deletions.
diff --git a/...reation/proc_creation_lnx_gtfobin_apt.yml → ...proc_creation_lnx_apt_shell_execution.yml b/...reation/proc_creation_lnx_gtfobin_apt.yml → ...proc_creation_lnx_apt_shell_execution.yml
@@ -1,12 +1,15 @@
-title: Apt GTFOBin Abuse - Linux
+title: Shell Invocation via Apt - Linux
 id: bb382fd5-b454-47ea-a264-1828e4c766d6
 status: test
-description: Detects usage of "apt" and "apt-get" as a GTFOBin to execute and proxy command and binary execution
+description: |
+    Detects the use of the "apt" and "apt-get" commands to execute a shell or proxy commands.
+    Such behavior may be associated with privilege escalation, unauthorized command execution, or to break out from restricted environments.
 references:
     - https://gtfobins.github.io/gtfobins/apt/
     - https://gtfobins.github.io/gtfobins/apt-get/
 author: Nasreddine Bencherchali (Nextron Systems)
 date: 2022-12-28
+modified: 2024-09-02
 tags:
     - attack.discovery
     - attack.t1083

diff --git a/rules/linux/process_creation/proc_creation_lnx_awk_shell_spawn.yml b/rules/linux/process_creation/proc_creation_lnx_awk_shell_spawn.yml
@@ -0,0 +1,38 @@
+title: Suspicious Invocation of Shell via AWK - Linux
+id: 8c1a5675-cb85-452f-a298-b01b22a51856
+status: experimental
+description: |
+    Detects the execution of "awk" or it's sibling commands, to invoke a shell using the system() function.
+    This behavior is commonly associated with attempts to execute arbitrary commands or escalate privileges, potentially leading to unauthorized access or further exploitation.
+references:
+    - https://gtfobins.github.io/gtfobins/awk/#shell
+    - https://gtfobins.github.io/gtfobins/gawk/#shell
+    - https://gtfobins.github.io/gtfobins/nawk/#shell
+    - https://gtfobins.github.io/gtfobins/mawk/#shell
+author: Li Ling, Andy Parkidomo, Robert Rakowski, Blake Hartstein (Bloomberg L.P.)
+date: 2024-09-02
+tags:
+    - attack.execution
+    - attack.t1059
+logsource:
+    category: process_creation
+    product: linux
+detection:
+    selection_img:
+        Image|endswith:
+            - '/awk'
+            - '/gawk'
+            - '/mawk'
+            - '/nawk'
+        CommandLine|contains: 'BEGIN {system'
+    selection_cli:
+        CommandLine|contains:
+            - '/bin/bash'
+            - '/bin/dash'
+            - '/bin/fish'
+            - '/bin/sh'
+            - '/bin/zsh'
+    condition: all of selection_*
+falsepositives:
+    - Unknown
+level: high
diff --git a/rules/linux/process_creation/proc_creation_lnx_capsh_shell_invocation.yml b/rules/linux/process_creation/proc_creation_lnx_capsh_shell_invocation.yml
@@ -0,0 +1,24 @@
+title: Capsh Shell Invocation - Linux
+id: db1ac3be-f606-4e3a-89e0-9607cbe6b98a
+status: experimental
+description: |
+    Detects the use of the "capsh" utility to invoke a shell.
+references:
+    - https://gtfobins.github.io/gtfobins/capsh/#shell
+    - https://www.elastic.co/guide/en/security/current/linux-restricted-shell-breakout-via-linux-binary-s.html
+author: Li Ling, Andy Parkidomo, Robert Rakowski, Blake Hartstein (Bloomberg L.P.)
+date: 2024-09-02
+tags:
+    - attack.execution
+    - attack.t1059
+logsource:
+    category: process_creation
+    product: linux
+detection:
+    selection:
+        Image|endswith: '/capsh'
+        CommandLine|endswith: ' --'
+    condition: selection
+falsepositives:
+    - Unknown
+level: high
diff --git a/rules/linux/process_creation/proc_creation_lnx_env_shell_invocation.yml b/rules/linux/process_creation/proc_creation_lnx_env_shell_invocation.yml
@@ -0,0 +1,29 @@
+title: Shell Invocation via Env Command - Linux
+id: bed978f8-7f3a-432b-82c5-9286a9b3031a
+status: experimental
+description: |
+    Detects the use of the env command to invoke a shell. This may indicate an attempt to bypass restricted environments, escalate privileges, or execute arbitrary commands.
+references:
+    - https://gtfobins.github.io/gtfobins/env/#shell
+    - https://www.elastic.co/guide/en/security/current/linux-restricted-shell-breakout-via-linux-binary-s.html
+author: Li Ling, Andy Parkidomo, Robert Rakowski, Blake Hartstein (Bloomberg L.P.)
+date: 2024-09-02
+tags:
+    - attack.execution
+    - attack.t1059
+logsource:
+    category: process_creation
+    product: linux
+detection:
+    selection:
+        Image|endswith: '/env'
+        CommandLine|endswith:
+            - '/bin/bash'
+            - '/bin/dash'
+            - '/bin/fish'
+            - '/bin/sh'
+            - '/bin/zsh'
+    condition: selection
+falsepositives:
+    - Github operations such as ghe-backup
+level: high
diff --git a/rules/linux/process_creation/proc_creation_lnx_find_shell_execution.yml b/rules/linux/process_creation/proc_creation_lnx_find_shell_execution.yml
@@ -0,0 +1,33 @@
+title: Shell Execution via Find - Linux
+id: 6adfbf8f-52be-4444-9bac-81b539624146
+status: experimental
+description: |
+    Detects the use of the find command to execute a shell. Such behavior may be associated with privilege escalation, unauthorized command execution, or exploitation attempt.
+references:
+    - https://gtfobins.github.io/gtfobins/find/#shell
+    - https://www.elastic.co/guide/en/security/current/linux-restricted-shell-breakout-via-linux-binary-s.html
+author: Li Ling, Andy Parkidomo, Robert Rakowski, Blake Hartstein (Bloomberg L.P.)
+date: 2024-09-02
+tags:
+    - attack.discovery
+    - attack.t1083
+logsource:
+    category: process_creation
+    product: linux
+detection:
+    selection_img:
+        Image|endswith: '/find'
+        CommandLine|contains|all:
+            - ' . '
+            - '-exec'
+    selection_cli:
+        CommandLine|contains:
+            - '/bin/bash'
+            - '/bin/dash'
+            - '/bin/fish'
+            - '/bin/sh'
+            - '/bin/zsh'
+    condition: all of selection_*
+falsepositives:
+    - Unknown
+level: high
diff --git a/rules/linux/process_creation/proc_creation_lnx_flock_shell_execution.yml b/rules/linux/process_creation/proc_creation_lnx_flock_shell_execution.yml
@@ -0,0 +1,31 @@
+title: Shell Execution via Flock - Linux
+id: 4b09c71e-4269-4111-9cdd-107d8867f0cc
+status: experimental
+description: |
+    Detects the use of the "flock" command to execute a shell. Such behavior may be associated with privilege escalation, unauthorized command execution, or to break out from restricted environments.
+references:
+    - https://gtfobins.github.io/gtfobins/flock/#shell
+    - https://www.elastic.co/guide/en/security/current/linux-restricted-shell-breakout-via-linux-binary-s.html
+author: Li Ling, Andy Parkidomo, Robert Rakowski, Blake Hartstein (Bloomberg L.P.)
+date: 2024-09-02
+tags:
+    - attack.discovery
+    - attack.t1083
+logsource:
+    category: process_creation
+    product: linux
+detection:
+    selection_img:
+        Image|endswith: '/flock'
+        CommandLine|contains: ' -u '
+    selection_cli:
+        CommandLine|contains:
+            - '/bin/bash'
+            - '/bin/dash'
+            - '/bin/fish'
+            - '/bin/sh'
+            - '/bin/zsh'
+    condition: all of selection_*
+falsepositives:
+    - Unknown
+level: high
diff --git a/rules/linux/process_creation/proc_creation_lnx_gcc_shell_execution.yml b/rules/linux/process_creation/proc_creation_lnx_gcc_shell_execution.yml
@@ -0,0 +1,36 @@
+title: Shell Execution GCC  - Linux
+id: 9b5de532-a757-4d70-946c-1f3e44f48b4d
+status: experimental
+description: |
+    Detects the use of the "gcc" utility to execute a shell. Such behavior may be associated with privilege escalation, unauthorized command execution, or to break out from restricted environments.
+references:
+    - https://gtfobins.github.io/gtfobins/gcc/#shell
+    - https://gtfobins.github.io/gtfobins/c89/#shell
+    - https://gtfobins.github.io/gtfobins/c99/#shell
+    - https://www.elastic.co/guide/en/security/current/linux-restricted-shell-breakout-via-linux-binary-s.html
+author: Li Ling, Andy Parkidomo, Robert Rakowski, Blake Hartstein (Bloomberg L.P.)
+date: 2024-09-02
+tags:
+    - attack.discovery
+    - attack.t1083
+logsource:
+    category: process_creation
+    product: linux
+detection:
+    selection_img:
+        Image|endswith:
+            - '/c89'
+            - '/c99'
+            - '/gcc'
+        CommandLine|contains: '-wrapper'
+    selection_cli:
+        CommandLine|contains:
+            - '/bin/bash,-s'
+            - '/bin/dash,-s'
+            - '/bin/fish,-s'
+            - '/bin/sh,-s'
+            - '/bin/zsh,-s'
+    condition: all of selection_*
+falsepositives:
+    - Unknown
+level: high
diff --git a/rules/linux/process_creation/proc_creation_lnx_git_shell_execution.yml b/rules/linux/process_creation/proc_creation_lnx_git_shell_execution.yml
@@ -0,0 +1,29 @@
+title: Shell Execution via Git - Linux
+id: 47b3bbd4-1bf7-48cc-84ab-995362aaa75a
+status: experimental
+description: |
+    Detects the use of the "git" utility to execute a shell. Such behavior may be associated with privilege escalation, unauthorized command execution, or to break out from restricted environments.
+references:
+    - https://gtfobins.github.io/gtfobins/git/#shell
+author: Li Ling, Andy Parkidomo, Robert Rakowski, Blake Hartstein (Bloomberg L.P.)
+date: 2024-09-02
+tags:
+    - attack.execution
+    - attack.t1059
+logsource:
+    category: process_creation
+    product: linux
+detection:
+    selection:
+        ParentImage|endswith: '/git'
+        ParentCommandLine|contains|all:
+            - ' -p '
+            - 'help'
+        CommandLine|contains:
+            - 'bash 0<&1'
+            - 'dash 0<&1'
+            - 'sh 0<&1'
+    condition: selection
+falsepositives:
+    - Unknown
+level: high
diff --git a/rules/linux/process_creation/proc_creation_lnx_nice_shell_execution.yml b/rules/linux/process_creation/proc_creation_lnx_nice_shell_execution.yml
@@ -0,0 +1,29 @@
+title: Shell Execution via Nice - Linux
+id: 093d68c7-762a-42f4-9f46-95e79142571a
+status: experimental
+description: |
+    Detects the use of the "nice" utility to execute a shell. Such behavior may be associated with privilege escalation, unauthorized command execution, or to break out from restricted environments.
+references:
+    - https://gtfobins.github.io/gtfobins/nice/#shell
+    - https://www.elastic.co/guide/en/security/current/linux-restricted-shell-breakout-via-linux-binary-s.html
+author: Li Ling, Andy Parkidomo, Robert Rakowski, Blake Hartstein (Bloomberg L.P.)
+date: 2024-09-02
+tags:
+    - attack.discovery
+    - attack.t1083
+logsource:
+    category: process_creation
+    product: linux
+detection:
+    selection:
+        Image|endswith: '/nice'
+        CommandLine|endswith:
+            - '/bin/bash'
+            - '/bin/dash'
+            - '/bin/fish'
+            - '/bin/sh'
+            - '/bin/zsh'
+    condition: selection
+falsepositives:
+    - Unknown
+level: high
diff --git a/rules/linux/process_creation/proc_creation_lnx_python_shell_os_system.yml b/rules/linux/process_creation/proc_creation_lnx_python_shell_os_system.yml
@@ -0,0 +1,38 @@
+title: Inline Python Execution - Spawn Shell Via OS System Library
+id: 2d2f44ff-4611-4778-a8fc-323a0e9850cc
+status: experimental
+description: |
+    Detects execution of inline Python code via the "-c" in order to call the "system" function from the "os" library, and spawn a shell.
+references:
+    - https://gtfobins.github.io/gtfobins/python/#shell
+author: Li Ling, Andy Parkidomo, Robert Rakowski, Blake Hartstein (Bloomberg L.P.)
+date: 2024-09-02
+tags:
+    - attack.execution
+    - attack.t1059
+logsource:
+    category: process_creation
+    product: linux
+detection:
+    selection_img:
+        - Image|endswith:
+              - '/python'
+              - '/python2'
+              - '/python3'
+        - Image|contains:
+              - '/python2.'  # python image is always of the form ../python3.10; ../python is just a symlink
+              - '/python3.'
+    selection_cli:
+        CommandLine|contains|all:
+            - ' -c '
+            - 'os.system('
+        CommandLine|contains:
+            - '/bin/bash'
+            - '/bin/dash'
+            - '/bin/fish'
+            - '/bin/sh'
+            - '/bin/zsh'
+    condition: all of selection_*
+falsepositives:
+    - Unknown
+level: high
diff --git a/rules/linux/process_creation/proc_creation_lnx_rsync_shell_execution.yml b/rules/linux/process_creation/proc_creation_lnx_rsync_shell_execution.yml
@@ -0,0 +1,29 @@
+title: Shell Execution via Rsync - Linux
+id: e2326866-609f-4015-aea9-7ec634e8aa04
+status: experimental
+description: |
+    Detects the use of the "gcc" utility to execute a shell. Such behavior may be associated with privilege escalation, unauthorized command execution, or to break out from restricted environments.
+references:
+    - https://gtfobins.github.io/gtfobins/rsync/#shell
+author: Li Ling, Andy Parkidomo, Robert Rakowski, Blake Hartstein (Bloomberg L.P.)
+date: 2024-09-02
+tags:
+    - attack.execution
+    - attack.t1059
+logsource:
+    category: process_creation
+    product: linux
+detection:
+    selection_img:
+        Image|endswith: '/rsync'
+        CommandLine|contains: ' -e '
+    selection_cli:
+        CommandLine|contains:
+            - 'sh 0<&2 1>&2'
+            - 'sh 1>&2 0<&2'
+    selection_null:
+        CommandLine|contains: '/dev/null'
+    condition: all of selection_*
+falsepositives:
+    - Unknown
+level: high
diff --git a/rules/linux/process_creation/proc_creation_lnx_ssh_shell_execution.yml b/rules/linux/process_creation/proc_creation_lnx_ssh_shell_execution.yml
@@ -0,0 +1,36 @@
+title: Shell Invocation Via Ssh - Linux
+id: 8737b7f6-8df3-4bb7-b1da-06019b99b687
+status: experimental
+description: |
+    Detects the use of the "ssh" utility to execute a shell. Such behavior may be associated with privilege escalation, unauthorized command execution, or to break out from restricted environments.
+references:
+    - https://gtfobins.github.io/gtfobins/ssh/
+    - https://www.elastic.co/guide/en/security/current/linux-restricted-shell-breakout-via-linux-binary-s.html
+author: Li Ling, Andy Parkidomo, Robert Rakowski, Blake Hartstein (Bloomberg L.P.)
+date: 2024-08-29
+tags:
+    - attack.execution
+    - attack.t1059
+logsource:
+    category: process_creation
+    product: linux
+detection:
+    selection_img:
+        Image|endswith: '/ssh'
+        CommandLine|contains:
+            - 'ProxyCommand=;'
+            - 'permitlocalcommand=yes'
+            - 'localhost'
+    selection_cli:
+        CommandLine|contains:
+            - '/bin/bash'
+            - '/bin/dash'
+            - '/bin/fish'
+            - '/bin/sh'
+            - '/bin/zsh'
+            - 'sh 0<&2 1>&2'
+            - 'sh 1>&2 0<&2'
+    condition: all of selection_*
+falsepositives:
+    - Unknown
+level: high