Linux Restricted Shell Breakout via the find command
Identifies Linux binary find abuse to break out from restricted environments by spawning an interactive system shell. The find command in Unix is a command line utility for walking a file hierarchy. The activity of spawning shell is not a standard use of this binary for a user or system administrator. It indicates a potentially malicious actor attempting to improve the capabilities or stability of their access.
Elastic rule (View on GitHub)
1[metadata]
2creation_date = "2022/02/28"
3deprecation_date = "2022/05/09"
4maturity = "deprecated"
5updated_date = "2022/05/09"
6
7[rule]
8author = ["Elastic"]
9description = """
10Identifies Linux binary find abuse to break out from restricted environments by spawning an interactive system shell.
11The find command in Unix is a command line utility for walking a file hierarchy. The activity of spawning shell is not a
12standard use of this binary for a user or system administrator. It indicates a potentially malicious actor attempting to
13improve the capabilities or stability of their access.
14"""
15from = "now-9m"
16index = ["logs-endpoint.events.*"]
17language = "eql"
18license = "Elastic License v2"
19name = "Linux Restricted Shell Breakout via the find command"
20references = ["https://gtfobins.github.io/gtfobins/find/"]
21risk_score = 47
22rule_id = "6f683345-bb10-47a7-86a7-71e9c24fb358"
23severity = "medium"
24tags = ["Elastic", "Host", "Linux", "Threat Detection", "Execution", "GTFOBins"]
25timestamp_override = "event.ingested"
26type = "eql"
27
28query = '''
29process where event.type == "start" and process.name in ("bash", "sh") and
30 process.parent.name == "find" and process.parent.args == "-exec" and
31 process.parent.args == ";" and process.parent.args in ("/bin/bash", "/bin/sh", "bash", "sh")
32'''
33
34
35[[rule.threat]]
36framework = "MITRE ATT&CK"
37[[rule.threat.technique]]
38id = "T1059"
39name = "Command and Scripting Interpreter"
40reference = "https://attack.mitre.org/techniques/T1059/"
41[[rule.threat.technique.subtechnique]]
42id = "T1059.004"
43name = "Unix Shell"
44reference = "https://attack.mitre.org/techniques/T1059/004/"
45
46
47
48[rule.threat.tactic]
49id = "TA0002"
50name = "Execution"
51reference = "https://attack.mitre.org/tactics/TA0002/"
References
Related rules
- Linux Restricted Shell Breakout via apt/apt-get Changelog Escape
- Linux Restricted Shell Breakout via awk Commands
- Linux Restricted Shell Breakout via busybox Shell Evasion
- Linux Restricted Shell Breakout via c89/c99 Shell evasion
- Linux Restricted Shell Breakout via cpulimit Shell Evasion