Shell Invocation via Apt - Linux
Detects the use of the "apt" and "apt-get" commands to execute a shell or proxy commands. Such behavior may be associated with privilege escalation, unauthorized command execution, or to break out from restricted environments.
Sigma rule (View on GitHub)
1title: Shell Invocation via Apt - Linux
2id: bb382fd5-b454-47ea-a264-1828e4c766d6
3status: test
4description: |
5 Detects the use of the "apt" and "apt-get" commands to execute a shell or proxy commands.
6 Such behavior may be associated with privilege escalation, unauthorized command execution, or to break out from restricted environments.
7references:
8 - https://gtfobins.github.io/gtfobins/apt/
9 - https://gtfobins.github.io/gtfobins/apt-get/
10author: Nasreddine Bencherchali (Nextron Systems)
11date: 2022-12-28
12modified: 2024-09-02
13tags:
14 - attack.discovery
15 - attack.t1083
16logsource:
17 category: process_creation
18 product: linux
19detection:
20 selection:
21 Image|endswith:
22 - '/apt'
23 - '/apt-get'
24 CommandLine|contains: 'APT::Update::Pre-Invoke::='
25 condition: selection
26falsepositives:
27 - Unknown
28level: medium
References
-
.. / apt Shell Sudo Shell It can be used to break out from restricted environments by spawning an interactive system shell. This invokes the default pager, which is likely to be less, other functio...
Read More -
.. / apt-get Shell Sudo Shell It can be used to break out from restricted environments by spawning an interactive system shell. This invokes the default pager, which is likely to be less, other fun...
Read More
Related rules
- Shell Execution GCC - Linux
- Shell Execution via Find - Linux
- Shell Execution via Flock - Linux
- Shell Execution via Nice - Linux
- Vim GTFOBin Abuse - Linux