Linux Restricted Shell Breakout via the SSH command

calendar May 25, 2022 · Elastic Host Linux Threat Detection Execution GTFOBins  ·
Share on: linkedin copy

Identifies Linux binary SSH abuse to break out from restricted environments by spawning an interactive system shell. The SSH protocol is a network protocol that gives users, particularly system administrators, a secure way to access a computer over a network. The activity of spawning shell is not a standard use of this binary for a user or system administrator. It indicates a potentially malicious actor attempting to improve the capabilities or stability of their access.

Elastic rule (View on GitHub)

 1[metadata]
 2creation_date = "2022/03/10"
 3deprecation_date = "2022/05/09"
 4maturity = "deprecated"
 5updated_date = "2022/05/09"
 6
 7[rule]
 8author = ["Elastic"]
 9description = """
10Identifies Linux binary SSH abuse to break out from restricted environments by spawning an interactive system shell. The
11SSH protocol is a network protocol that gives users, particularly system administrators, a secure way to access a
12computer over a network. The activity of spawning shell is not a standard use of this binary for a user or system
13administrator. It indicates a potentially malicious actor attempting to improve the capabilities or stability of their
14access.
15"""
16from = "now-9m"
17index = ["logs-endpoint.events.*"]
18language = "eql"
19license = "Elastic License v2"
20name = "Linux Restricted Shell Breakout via the SSH command"
21references = ["https://gtfobins.github.io/gtfobins/ssh/"]
22risk_score = 47
23rule_id = "97da359b-2b61-4a40-b2e4-8fc48cf7a294"
24severity = "medium"
25tags = ["Elastic", "Host", "Linux", "Threat Detection", "Execution", "GTFOBins"]
26timestamp_override = "event.ingested"
27type = "eql"
28
29query = '''
30process where event.type == "start" and process.name : ("bash", "sh", "dash") and
31  process.parent.name == "ssh" and process.parent.args == "-o" and
32  process.parent.args in ("ProxyCommand=;sh 0<&2 1>&2", "ProxyCommand=;bash 0<&2 1>&2", "ProxyCommand=;dash 0<&2 1>&2", "ProxyCommand=;/bin/sh 0<&2 1>&2", "ProxyCommand=;/bin/bash 0<&2 1>&2", "ProxyCommand=;/bin/dash 0<&2 1>&2")
33'''
34
35
36[[rule.threat]]
37framework = "MITRE ATT&CK"
38[[rule.threat.technique]]
39id = "T1059"
40name = "Command and Scripting Interpreter"
41reference = "https://attack.mitre.org/techniques/T1059/"
42[[rule.threat.technique.subtechnique]]
43id = "T1059.004"
44name = "Unix Shell"
45reference = "https://attack.mitre.org/techniques/T1059/004/"
46
47
48
49[rule.threat.tactic]
50id = "TA0002"
51name = "Execution"
52reference = "https://attack.mitre.org/tactics/TA0002/"

References

  • ssh | GTFOBins

    .. / ssh Shell File upload File download File read Sudo Shell It can be used to break out from restricted environments by spawning an interactive system shell. Reconnecting may help bypassing restr...


    Read More

Related rules

to-top