Capabilities Discovery - Linux
Detects usage of "getcap" binary. This is often used during recon activity to determine potential binaries that can be abused as GTFOBins or other.
Sigma rule (View on GitHub)
1title: Capabilities Discovery - Linux
2id: d8d97d51-122d-4cdd-9e2f-01b4b4933530
3status: test
4description: Detects usage of "getcap" binary. This is often used during recon activity to determine potential binaries that can be abused as GTFOBins or other.
5references:
6 - https://github.com/SaiSathvik1/Linux-Privilege-Escalation-Notes
7 - https://github.com/carlospolop/PEASS-ng
8 - https://github.com/diego-treitos/linux-smart-enumeration
9author: Nasreddine Bencherchali (Nextron Systems)
10date: 2022/12/28
11tags:
12 - attack.discovery
13 - attack.t1083
14logsource:
15 category: process_creation
16 product: linux
17detection:
18 selection:
19 Image|endswith: '/getcap'
20 CommandLine|contains:
21 - ' /r '
22 - ' -r '
23 condition: selection
24falsepositives:
25 - Unknown
26level: low
References
-
My Linux Privilege Escalation notes which is part of my OSCP Preperation - GitHub - saisathvik1/Linux-Privilege-Escalation-Notes: My Linux Privilege Escalation notes which is part of my OSCP Preper...
Read More -
PEASS - Privilege Escalation Awesome Scripts SUITE (with colors) - GitHub - carlospolop/PEASS-ng: PEASS - Privilege Escalation Awesome Scripts SUITE (with colors)
Read More -
Linux enumeration tool for pentesting and CTFs with verbosity levels - GitHub - diego-treitos/linux-smart-enumeration: Linux enumeration tool for pentesting and CTFs with verbosity levels
Read More
Related rules
- Apt GTFOBin Abuse - Linux
- Potential Discovery Activity Using Find - Linux
- Potential Discovery Activity Using Find - MacOS
- Vim GTFOBin Abuse - Linux
- HackTool - PCHunter Execution