Capabilities Discovery - Linux

Detects execution of the "getcap" binary with its recursive flag. Attackers and local privilege-escalation scripts such as LinPEAS (PEASS-ng) and linux-smart-enumeration run it during recon to list binaries that carry file capabilities, since those can often be abused for privilege escalation (for example via the techniques catalogued by GTFOBins).

Sigma rule

title: Capabilities Discovery - Linux
id: d8d97d51-122d-4cdd-9e2f-01b4b4933530
status: test
description: Detects usage of "getcap" binary. This is often used during recon activity to determine potential binaries that can be abused as GTFOBins or other.
references:
    - https://github.com/SaiSathvik1/Linux-Privilege-Escalation-Notes
    - https://github.com/carlospolop/PEASS-ng
    - https://github.com/diego-treitos/linux-smart-enumeration
author: Nasreddine Bencherchali (Nextron Systems)
date: 2022/12/28
tags:
    - attack.discovery
    - attack.t1083
logsource:
    category: process_creation
    product: linux
detection:
    selection:
        Image|endswith: '/getcap'
        CommandLine|contains:
            - ' /r '
            - ' -r '
    condition: selection
falsepositives:
    - Unknown
level: low
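The following is an added example, not code from SigmaHQ or the rule author: it re-implements this rule's single `selection` in Python with Sigma's field semantics (fields AND-ed, list values OR-ed, case-insensitive string modifiers) and runs it over a handful of constructed `process_creation` events, so you can see which invocations fire and which slip past.

```python
"""Evaluate the "Capabilities Discovery - Linux" Sigma rule over sample events.

Added example, not part of the SigmaHQ repository. It evaluates this one
rule's selection directly instead of going through a Sigma backend.
"""

# Selection values copied from the rule on this page.
IMAGE_ENDSWITH = "/getcap"
COMMANDLINE_CONTAINS = (" /r ", " -r ")


def sigma_match(event):
    """Return True if the event satisfies the rule's `selection`.

    Semantics implemented: the two fields inside the selection are AND-ed,
    the list of CommandLine values is OR-ed, and Sigma string modifiers
    compare case-insensitively, so both sides are lower-cased first.
    """
    image = str(event.get("Image", "")).lower()
    cmdline = str(event.get("CommandLine", "")).lower()
    if not image.endswith(IMAGE_ENDSWITH.lower()):
        return False
    return any(needle.lower() in cmdline for needle in COMMANDLINE_CONTAINS)


# Constructed sample events, not real telemetry. CommandLine carries the
# process argv as a Linux process_creation source records it; shell
# redirections such as the "2>/dev/null" in the usual LinPEAS one-liner are
# handled by the shell and never reach the getcap process.
SAMPLE_EVENTS = [
    # full-filesystem sweep: the classic recon command
    {"Image": "/usr/sbin/getcap", "CommandLine": "getcap -r /"},
    # narrower sweep, still recursive
    {"Image": "/usr/sbin/getcap", "CommandLine": "getcap -r /usr/bin"},
    # single-file query: no -r, out of scope of this rule
    {"Image": "/usr/sbin/getcap", "CommandLine": "getcap /usr/bin/python3"},
    # wrapper shell: CommandLine contains ' -r ' but Image is the shell, so the
    # rule relies on the getcap child process being logged separately
    {"Image": "/bin/sh", "CommandLine": "/bin/sh -c getcap -r /"},
    # setcap, not getcap: Image check fails
    {"Image": "/usr/sbin/setcap", "CommandLine": "setcap cap_net_raw+ep /usr/bin/ping"},
    # combined short options: ' -r ' with a trailing space never appears, so
    # if getcap accepts getopt-style "-rv" (assumed here) this evades the rule
    {"Image": "/usr/sbin/getcap", "CommandLine": "getcap -rv /"},
]


def run_detection(events):
    """Return the CommandLine of every event the rule fires on, in input order."""
    return [e["CommandLine"] for e in events if sigma_match(e)]


if __name__ == "__main__":
    for e in SAMPLE_EVENTS:
        flag = "MATCH" if sigma_match(e) else "     "
        print(flag, e["Image"], "|", e["CommandLine"])
```

Two practical points fall out of the run: only the `getcap` process itself matches, so the log source must record child process creations and not just the parent shell; and because the rule keys on `' -r '` with surrounding spaces, combined short options and the single-file form are not covered, which is consistent with the rule's `low` level and its focus on the recursive sweep that the referenced enumeration scripts run.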
