Suspicious Invocation of Shell via AWK - Linux

Detects the execution of "awk" or one of its sibling commands (gawk, mawk, nawk) to invoke a shell through the awk system() function. This behavior is commonly associated with attempts to execute arbitrary commands or escalate privileges, potentially leading to unauthorized access or further exploitation.

Sigma rule

title: Suspicious Invocation of Shell via AWK - Linux
id: 8c1a5675-cb85-452f-a298-b01b22a51856
status: experimental
description: |
    Detects the execution of "awk" or one of its sibling commands to invoke a shell using the system() function.
    This behavior is commonly associated with attempts to execute arbitrary commands or escalate privileges, potentially leading to unauthorized access or further exploitation.
references:
    - https://gtfobins.github.io/gtfobins/awk/#shell
    - https://gtfobins.github.io/gtfobins/gawk/#shell
    - https://gtfobins.github.io/gtfobins/nawk/#shell
    - https://gtfobins.github.io/gtfobins/mawk/#shell
author: Li Ling, Andy Parkidomo, Robert Rakowski, Blake Hartstein (Bloomberg L.P.)
date: 2024-09-02
tags:
    - attack.execution
    - attack.t1059
logsource:
    category: process_creation
    product: linux
detection:
    selection_img:
        Image|endswith:
            - '/awk'
            - '/gawk'
            - '/mawk'
            - '/nawk'
        CommandLine|contains: 'BEGIN {system'
    selection_cli:
        CommandLine|contains:
            - '/bin/bash'
            - '/bin/dash'
            - '/bin/fish'
            - '/bin/sh'
            - '/bin/zsh'
    condition: all of selection_*
falsepositives:
    - Unknown
level: high
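To show how the two selections combine, here is an added example (not part of the SigmaHQ rule or any Sigma backend) that evaluates the rule's logic in plain Python over a handful of constructed process_creation events. The event dictionaries, field names (`Image`, `CommandLine`) and the `run()` helper are assumptions made for this illustration; real telemetry from auditd, Sysmon for Linux or an EDR will use its own field names and needs a proper Sigma backend for conversion.

```python
"""Illustrative evaluator for the "Suspicious Invocation of Shell via AWK" Sigma
rule. Added example only; field names and sample events are constructed."""

# Values copied from the rule's detection section.
AWK_IMAGE_SUFFIXES = ("/awk", "/gawk", "/mawk", "/nawk")
BEGIN_SYSTEM_MARKER = "begin {system"          # Sigma 'contains' is case-insensitive
SHELL_PATHS = ("/bin/bash", "/bin/dash", "/bin/fish", "/bin/sh", "/bin/zsh")


def selection_img(event: dict) -> bool:
    """selection_img: Image ends with one of the awk binaries (OR over the list)
    AND CommandLine contains the literal BEGIN-block system() marker."""
    image = event.get("Image", "").lower()
    cmdline = event.get("CommandLine", "").lower()
    return image.endswith(AWK_IMAGE_SUFFIXES) and BEGIN_SYSTEM_MARKER in cmdline


def selection_cli(event: dict) -> bool:
    """selection_cli: CommandLine contains any of the listed shell paths."""
    cmdline = event.get("CommandLine", "").lower()
    return any(shell in cmdline for shell in SHELL_PATHS)


def matches(event: dict) -> bool:
    """condition: all of selection_* -> both selections must hold."""
    return selection_img(event) and selection_cli(event)


# Constructed sample events (not real telemetry). Two should match, three should not.
SAMPLE_EVENTS = [
    # 1: awk spawning a shell from a BEGIN block (the GTFOBins pattern the rule targets)
    {"Image": "/usr/bin/awk", "CommandLine": "awk 'BEGIN {system(\"/bin/sh\")}'"},
    # 2: same technique via the gawk binary and a different shell
    {"Image": "/usr/bin/gawk", "CommandLine": "gawk 'BEGIN {system(\"/bin/bash\")}'"},
    # 3: ordinary text processing, no system() call -> selection_img fails
    {"Image": "/usr/bin/awk", "CommandLine": "awk -F: '{print $1}' /etc/passwd"},
    # 4: system() used for a non-shell helper -> selection_cli fails
    {"Image": "/usr/bin/mawk", "CommandLine": "mawk 'BEGIN {system(\"date\")}'"},
    # 5: a shell path in the command line but the image is not awk -> selection_img fails
    {"Image": "/usr/bin/bash", "CommandLine": "bash -c 'ls -l /bin/sh'"},
]


def run(events=SAMPLE_EVENTS) -> list:
    """Return the events that the rule would alert on."""
    return [e for e in events if matches(e)]


if __name__ == "__main__":
    for hit in run():
        print("ALERT:", hit["Image"], "|", hit["CommandLine"])
```

Note that both selections must be true for the same event: an awk process with a `BEGIN {system` block but no listed shell path (event 4) is not an alert, and neither is a shell path appearing in a non-awk command line (event 5). Because `contains` is a literal substring test, validate the rule against how your own collector renders the `CommandLine` field (quoting and whitespace) before relying on it in production.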
