Capabilities Discovery - Linux
Detects usage of the "getcap" binary. It is often run during recon activity to enumerate binaries carrying file capabilities that can be abused, for example those catalogued by GTFOBins.
Sigma rule

title: Capabilities Discovery - Linux
id: d8d97d51-122d-4cdd-9e2f-01b4b4933530
status: test
description: Detects usage of "getcap" binary. This is often used during recon activity to determine potential binaries that can be abused as GTFOBins or other.
references:
    - https://github.com/SaiSathvik1/Linux-Privilege-Escalation-Notes
    - https://github.com/carlospolop/PEASS-ng
    - https://github.com/diego-treitos/linux-smart-enumeration
author: Nasreddine Bencherchali (Nextron Systems)
date: 2022-12-28
modified: 2024-03-05
tags:
    - attack.discovery
    - attack.t1083
logsource:
    category: process_creation
    product: linux
detection:
    selection:
        Image|endswith: '/getcap'
        CommandLine|contains|windash: ' -r '
    condition: selection
falsepositives:
    - Unknown
level: low
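The selection above is a simple two-field match, but the `windash` modifier is easy to misread. The following added example (not part of the Sigma rule or the Sigma project's own code) evaluates the rule against constructed process_creation events: it expands `' -r '` into its dash variants the way the modifier does (the spec's `-`/`/` pair, plus the Unicode dashes that pySigma also emits; whether your backend expands those is an assumption), and it shows that the pattern's surrounding spaces mean `getcap -r/` does not fire.

```python
import itertools
from typing import Dict, List

# Dash forms substituted for '-' by the Sigma `windash` modifier. The first two
# are from the Sigma spec; the Unicode en dash, em dash and horizontal bar are
# the pySigma extension (assumption: not every backend emits them).
WINDASH_FORMS = ["-", "/", "\u2013", "\u2014", "\u2015"]


def windash_permutations(pattern: str) -> List[str]:
    """Every variant of `pattern` with each '-' independently swapped for a dash form."""
    dash_count = pattern.count("-")
    variants = set()
    for choice in itertools.product(WINDASH_FORMS, repeat=dash_count):
        forms = iter(choice)
        variants.add("".join(next(forms) if c == "-" else c for c in pattern))
    return sorted(variants)


# Pre-expand the rule's CommandLine pattern once; ' -r ' keeps its surrounding spaces.
CMDLINE_VARIANTS = windash_permutations(" -r ")


def matches_rule(event: Dict[str, str]) -> bool:
    """Apply the rule's `selection`: Image|endswith '/getcap' AND CommandLine|contains|windash ' -r '."""
    image = event.get("Image", "")
    cmdline = event.get("CommandLine", "")
    if not image.endswith("/getcap"):
        return False
    return any(variant in cmdline for variant in CMDLINE_VARIANTS)


def find_matches(events: List[Dict[str, str]]) -> List[int]:
    """Return the indices of events the rule would alert on."""
    return [i for i, ev in enumerate(events) if matches_rule(ev)]


# Constructed sample events (not real telemetry): only the first two should match.
SAMPLE_EVENTS = [
    {"Image": "/usr/sbin/getcap", "CommandLine": "getcap -r /"},              # classic recursive listing
    {"Image": "/usr/sbin/getcap", "CommandLine": "getcap \u2013r /usr/bin"},  # en dash, caught via windash
    {"Image": "/usr/sbin/getcap", "CommandLine": "getcap /usr/bin/ping"},     # single file, no -r
    {"Image": "/usr/sbin/setcap", "CommandLine": "setcap -r /usr/bin/ping"},  # wrong binary
    {"Image": "/usr/sbin/getcap", "CommandLine": "getcap -r/"},               # no space after -r: misses
]

if __name__ == "__main__":
    for idx in find_matches(SAMPLE_EVENTS):
        print("ALERT:", SAMPLE_EVENTS[idx]["CommandLine"])
```

The last sample is the caveat to keep in mind when tuning: the rule keys on the literal `' -r '`, so spacing variants of the flag are out of scope unless the pattern is broadened.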
Related rules
- Cisco Discovery
- DirLister Execution
- File and Directory Discovery - MacOS
- PUA - Seatbelt Execution
- Potential Discovery Activity Using Find - Linux