Linux Restricted Shell Breakout via apt/apt-get Changelog Escape

 1[metadata]
 2creation_date = "2022/02/24"
 3deprecation_date = "2022/05/09"
 4maturity = "deprecated"
 5updated_date = "2022/05/09"
 6
 7[rule]
 8author = ["Elastic"]
 9description = """
10Identifies Linux binary apt/apt-get abuse to breakout out of restricted shells or environments by spawning an
11interactive system shell. The apt utility allows us to manage installation and removal of softwares on Debian based
12Linux distributions and the activity of spawning shell is not a standard use of this binary for a user or system
13administrator. It indicates a potentially malicious actor attempting to improve the capabilities or stability of their
14access.
15"""
16from = "now-9m"
17index = ["logs-endpoint.events.*"]
18language = "eql"
19license = "Elastic License v2"
20name = "Linux Restricted Shell Breakout via  apt/apt-get Changelog Escape"
21references = ["https://gtfobins.github.io/gtfobins/apt/", "https://gtfobins.github.io/gtfobins/apt-get/"]
22risk_score = 47
23rule_id = "8fed8450-847e-43bd-874c-3bbf0cd425f3"
24severity = "medium"
25tags = ["Elastic", "Host", "Linux", "Threat Detection", "Execution", "GTFOBins"]
26timestamp_override = "event.ingested"
27type = "eql"
28
29query = '''
30process where event.type == "start" and process.name == "sensible-pager" and
31  process.args in ("/bin/sh", "/bin/bash", "/bin/dash", "sh", "bash", "dash") and
32  process.parent.name in ("apt", "apt-get") and process.parent.args == "changelog"
33'''
34
35
36[[rule.threat]]
37framework = "MITRE ATT&CK"
38[[rule.threat.technique]]
39id = "T1059"
40name = "Command and Scripting Interpreter"
41reference = "https://attack.mitre.org/techniques/T1059/"
42[[rule.threat.technique.subtechnique]]
43id = "T1059.004"
44name = "Unix Shell"
45reference = "https://attack.mitre.org/techniques/T1059/004/"
46
47
48
49[rule.threat.tactic]
50id = "TA0002"
51name = "Execution"
52reference = "https://attack.mitre.org/tactics/TA0002/"