-
Notifications
You must be signed in to change notification settings - Fork 1
/
lnx_shell_gtfobins_commands_1.yml
executable file
·38 lines (37 loc) · 1.25 KB
/
lnx_shell_gtfobins_commands_1.yml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
title: GTFOBins privilege escalation in Linux Shell Commands
description: Detects suspicious shell commands used in GTFOBins privilege escalation methods (see references) - A keyword of https://gtfobins.github.io/
references:
- https://gtfobins.github.io/
- https://in.security/using-auditbeat-and-elk-to-monitor-gtfobins-binaries/
author: Aye Hein Zayar
date: 2019/11/10
modified: 2019/11/10
logsource:
product: linux
detection:
keywords:
# GTFOBins suspicious shell commands
- 'apt-get changelog apt'
- 'Pre-Invoke * /bin/sh'
# GTFOBins non-interactive reverse shell
- 'awk * /inet/tcp/'
- 'cpan ! use Socket:'
- 'pty.spawn("/bin/sh")'
# GTFOBins non-interactive bind shell
- '/inet/tcp/'
# GTFOBins file upload
- '*curl -X POST -d * $URL* | bash '
- 'cpan ! use HTTP::Server::Simple;'
# GTFOBins file download
- 'cpan ! use File::Fetch;'
- 'r.urlretrieve'
# GTFOBins file write
- 'ash -c 'echo DATA >'
# GTFOBins file read
- 'arp -v -f * $'
condition: keywords
falsepositives:
- Administrative Controls
level: low
tags:
- attack.gtfobins_commands_execution