Capabilities Discovery - Linux
Detects usage of the "getcap" binary. This is often used during recon activity to determine potential binaries that can be abused as GTFOBins or otherwise.
Sigma rule
title: Capabilities Discovery - Linux
id: d8d97d51-122d-4cdd-9e2f-01b4b4933530
status: test
description: Detects usage of "getcap" binary. This is often used during recon activity to determine potential binaries that can be abused as GTFOBins or other.
references:
    - https://github.com/SaiSathvik1/Linux-Privilege-Escalation-Notes
    - https://github.com/carlospolop/PEASS-ng
    - https://github.com/diego-treitos/linux-smart-enumeration
author: Nasreddine Bencherchali (Nextron Systems)
date: 2022/12/28
tags:
    - attack.discovery
    - attack.t1083
logsource:
    category: process_creation
    product: linux
detection:
    selection:
        Image|endswith: '/getcap'
        CommandLine|contains:
            - ' /r '
            - ' -r '
    condition: selection
falsepositives:
    - Unknown
level: low
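To make the detection logic concrete, the following is an added example (not code from the Sigma project or the rule author) that evaluates the rule's selection block over a handful of constructed process_creation events. It applies Sigma's default matching semantics: the fields inside one selection are ANDed, the list of values under a single field is ORed, and string comparisons are case-insensitive. The field names Image and CommandLine follow the Sigma process_creation taxonomy; the sample events and the User field are constructed for illustration.

```python
# Added example, not part of the Sigma rule or repository.
# Evaluates the "selection" of the Capabilities Discovery - Linux rule
# against constructed process_creation events.

SELECTION = {
    "Image|endswith": "/getcap",
    "CommandLine|contains": [" /r ", " -r "],
}


def matches(event: dict) -> bool:
    """Return True when the event satisfies every field of the selection.

    Sigma semantics: all fields in one selection map must match (AND);
    a list of values for a single field matches if any value does (OR);
    string comparisons are case-insensitive unless a modifier says otherwise.
    """
    image = event.get("Image", "").lower()
    cmdline = event.get("CommandLine", "").lower()
    if not image.endswith(SELECTION["Image|endswith"].lower()):
        return False
    return any(needle.lower() in cmdline
               for needle in SELECTION["CommandLine|contains"])


# Constructed sample events (not real telemetry). The first two mimic the
# recursive enumeration the rule targets; the rest should not fire.
SAMPLE_EVENTS = [
    {"Image": "/usr/sbin/getcap", "CommandLine": "getcap -r / 2>/dev/null", "User": "www-data"},
    {"Image": "/sbin/getcap", "CommandLine": "getcap /r /usr/bin", "User": "nobody"},
    {"Image": "/usr/sbin/getcap", "CommandLine": "getcap /usr/bin/ping", "User": "root"},
    {"Image": "/usr/bin/find", "CommandLine": "find / -perm -4000 -type f", "User": "www-data"},
    {"Image": "/usr/sbin/setcap", "CommandLine": "setcap -r /usr/bin/python3", "User": "root"},
]


def evaluate(events):
    """Return one boolean per event: True where the rule would alert."""
    return [matches(e) for e in events]


if __name__ == "__main__":
    for event, hit in zip(SAMPLE_EVENTS, evaluate(SAMPLE_EVENTS)):
        print(f"{'ALERT ' if hit else 'no-hit'}  {event['User']:<9} {event['CommandLine']}")
```

Two things worth noticing when tuning this rule. First, the `contains` values are space-delimited (' -r ' and ' /r '), so a single-path invocation such as `getcap /usr/bin/ping` does not fire; the rule is scoped to recursive enumeration, which is what the referenced privilege-escalation scripts run. Second, a root administrator auditing file capabilities produces an identical event, which is why the rule ships at level low with false positives listed as unknown; in practice, correlating on the executing user or the parent process (an interactive admin shell versus a web-server or service account) is the usual way to raise confidence.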
Related rules
- Apt GTFOBin Abuse - Linux
- Potential Discovery Activity Using Find - Linux
- Potential Discovery Activity Using Find - MacOS
- Vim GTFOBin Abuse - Linux
- HackTool - PCHunter Execution