lnx_shell_gtfobins_commands_3.yml
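---
# Sigma-style detection rule. On the rendered page every key sat at column 0, so
# `product`, `keywords` and `condition` had become top-level keys and
# `logsource`/`detection` were null; the nesting below restores the intended
# structure. `keywords` entries are matched against the whole log line, `*` is a
# wildcard, and `condition: keywords` fires when any single entry matches.
# NOTE(review): no `id` (UUID) or `status` field — current Sigma tooling expects
# at least `id`; TODO add one rather than inventing it here.
title: GTFOBins privilege escalation in Linux Shell Commands
description: >-
  Detects suspicious shell commands used in GTFOBins privilege escalation
  methods (see references) - E keyword v2 of https://gtfobins.github.io/
references:
  - https://gtfobins.github.io/
  - https://in.security/using-auditbeat-and-elk-to-monitor-gtfobins-binaries/
author: Aye Hein Zayar
date: 2020/03/19
modified: 2020/06/10
logsource:
  product: linux
  # NOTE(review): no `category`/`service` is given, so the backend mapping must
  # decide which Linux log (auditd, process creation, shell history, ...)
  # carries the command line — confirm against the deployment.
detection:
  keywords:
    # GTFOBins suspicious shell commands - e commands
    - 'eb logs'
    - 'emacs -Q -nw --eval * /bin/sh'
    - 'env /bin/sh'
    # NOTE(review): if the backend does substring matching, the `;interact`
    # variant below is already covered by this entry.
    - 'expect -c * spawn /bin/sh'
    - 'expect -c * spawn /bin/sh;interact'
    # GTFOBins non-interactive reverse shell
    - 'bash -c * /dev/tcp/'
    - 'cpan * socket'
    # GTFOBins file download
    - 'echo * import OS; os.execl'
    # GTFOBins file upload
    # NOTE(review): very short pattern; on substring matching this also hits
    # routine print-queue administration (`cancel -u <user>`), which is the
    # "Administrative Controls" false positive listed below.
    - 'cancel -u'
    # GTFOBins file write
    - 'csh -c * echo'
    # GTFOBins file read
    - 'base64 * base64 --decode'
    - 'diff --line-format=%L /dev/null'
    # GTFOBins Library Load
    - 'echo * from ctypes import cdll * cdll.LoadLibrary * lib.so'
    # GTFOBins Sudo
    # NOTE(review): `sudo ed` / `sudo eqn` / `sudo expand` have no trailing
    # delimiter, so on substring matching they also match longer command names
    # that merely start with those letters (e.g. `sudo edit`); several `sudo`
    # entries are likewise redundant with their unprefixed counterparts above.
    - 'sudo easy_install'
    - 'sudo eb logs'
    - 'sudo ed'
    - 'sudo env /bin/sh'
    - 'sudo eqn'
    - 'sudo expand'
    - 'sudo expect -c * spawn /bin/sh;interact'
    # GTFOBins limited SUID
    - 'sudo sh -c * cp $(which ed) * chmod +s ./ed'
    # GTFOBins SUID
    - 'sudo sh -c * cp $(which env) * chmod +s ./env'
    - 'sudo sh -c * cp $(which eqn) * chmod +s ./eqn'
    - 'sudo sh -c * cp $(which expand) * chmod +s ./expand'
    - 'sudo sh -c * cp $(which expect) * chmod +s ./expect'
  # Any keyword match is a hit; there is no correlation or exclusion.
  condition: keywords
falsepositives:
  - Administrative Controls
level: low
tags:
  # NOTE(review): the `attack.` namespace is reserved for MITRE ATT&CK tactic
  # and technique tags; this value is a custom label and will fail Sigma tag
  # validation — consider a project-specific namespace or the matching
  # ATT&CK tactic/technique tag instead. Left unchanged to preserve metadata.
  - attack.gtfobins_commands_execution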