Capabilities Discovery - Linux

Detects usage of "getcap" binary. This is often used during recon activity to determine potential binaries that can be abused as GTFOBins or other.

Sigma rule (View on GitHub)

 1title: Capabilities Discovery - Linux
 2id: d8d97d51-122d-4cdd-9e2f-01b4b4933530
 3status: test
 4description: Detects usage of "getcap" binary. This is often used during recon activity to determine potential binaries that can be abused as GTFOBins or other.
 5references:
 6    - https://github.com/SaiSathvik1/Linux-Privilege-Escalation-Notes
 7    - https://github.com/carlospolop/PEASS-ng
 8    - https://github.com/diego-treitos/linux-smart-enumeration
 9author: Nasreddine Bencherchali (Nextron Systems)
10date: 2022-12-28
11modified: 2024-03-05
12tags:
13    - attack.discovery
14    - attack.t1083
15logsource:
16    category: process_creation
17    product: linux
18detection:
19    selection:
20        Image|endswith: '/getcap'
21        CommandLine|contains|windash: ' -r '
22    condition: selection
23falsepositives:
24    - Unknown
25level: low

References

Related rules

to-top