lnx_shell_gtfobins_commands_2.yml
title: GTFOBins privilege escalation in Linux Shell Commands
description: Detects suspicious shell commands used in GTFOBins privilege escalation methods (see references) - B to E keywords of https://gtfobins.github.io/
references:
    - https://gtfobins.github.io/
    - https://in.security/using-auditbeat-and-elk-to-monitor-gtfobins-binaries/
author: Aye Hein Zayar
date: 2019/11/10
modified: 2020/06/10
logsource:
    product: linux
detection:
    keywords:
        # GTFOBins suspicious shell commands
        - 'cpulimit -l * /bin/sh'
        - 'cpulimit -l * /bin/bash'
        - 'dmsetup ls --exec * /bin/sh'
        - 'exec /bin/sh'
        - 'os.execl * /bin/sh'
        - 'pty.spawn * /bin/sh'
        - 'emacs -Q -nw --eval * /bin/sh'
        - 'env /bin/sh'
        - 'expect -c * spawn /bin/sh'
        # GTFOBins non-interactive reverse shell
        - 'bash -c * /dev/tcp/'
        - 'cpan * socket'
        # GTFOBins file upload
        - 'cancel -u'
        # GTFOBins file write
        - 'csh -c * echo'
        # GTFOBins file read
        - 'base64 * base64 --decode'
        - 'diff --line-format=%L /dev/null'
    condition: keywords
falsepositives:
    - Administrative Controls
level: low
tags:
    - attack.gtfobins_commands_execution
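As an added example (not part of this rule or of the Sigma project), a small Python matcher that applies the rule's keyword semantics (`*` and `?` wildcards, case-insensitive substring match over the whole event) to constructed log lines; the sample events and the `cmd=` field layout are assumptions, and the last sample shows why auditd EXECVE records, which split argv into a0..aN, do not hit the multi-word keywords unless the log pipeline joins the command line first.

```python
import re
from typing import List

# Keyword patterns as listed in lnx_shell_gtfobins_commands_2.yml.
GTFOBINS_KEYWORDS = [
    'cpulimit -l * /bin/sh', 'cpulimit -l * /bin/bash',
    'dmsetup ls --exec * /bin/sh', 'exec /bin/sh', 'os.execl * /bin/sh',
    'pty.spawn * /bin/sh', 'emacs -Q -nw --eval * /bin/sh', 'env /bin/sh',
    'expect -c * spawn /bin/sh', 'bash -c * /dev/tcp/', 'cpan * socket',
    'cancel -u', 'csh -c * echo', 'base64 * base64 --decode',
    'diff --line-format=%L /dev/null',
]

def keyword_to_regex(keyword: str) -> "re.Pattern":
    """Sigma keyword semantics: '*' matches any run of characters, '?' one
    character, everything else is literal; the match is case-insensitive
    and unanchored, i.e. a substring search over the whole log message."""
    parts = []
    for ch in keyword:
        parts.append('.*' if ch == '*' else '.' if ch == '?' else re.escape(ch))
    return re.compile(''.join(parts), re.IGNORECASE | re.DOTALL)

PATTERNS = [(kw, keyword_to_regex(kw)) for kw in GTFOBINS_KEYWORDS]

def matching_keywords(log_line: str) -> List[str]:
    """Keywords that hit on one log line; the rule's 'condition: keywords'
    fires when this list is non-empty."""
    return [kw for kw, rx in PATTERNS if rx.search(log_line)]

# Constructed sample events (not real logs; the cmd= layout is assumed).
# The last one is an auditd-style EXECVE record: argv is split into a0..aN,
# so a keyword spanning several arguments only matches if the log source
# joins the command line into one string before the rule is evaluated.
SAMPLE_LOGS = [
    'cmd="cpulimit -l 100 -f /bin/sh" user=www-data',
    "cmd=\"bash -c 'echo ping > /dev/tcp/10.0.0.5/4444'\" user=www-data",
    'cmd="ls -la /var/log" user=alice',
    'type=EXECVE argc=4 a0="cpulimit" a1="-l" a2="100" a3="/bin/sh"',
]

if __name__ == '__main__':
    for line in SAMPLE_LOGS:
        hits = matching_keywords(line)
        print('ALERT' if hits else 'ok   ', hits, line)
```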