Capsh Shell Invocation - Linux
Detects the use of the "capsh" utility to invoke a shell.
Sigma rule (View on GitHub)
1title: Capsh Shell Invocation - Linux
2id: db1ac3be-f606-4e3a-89e0-9607cbe6b98a
3status: experimental
4description: |
5 Detects the use of the "capsh" utility to invoke a shell.
6references:
7 - https://gtfobins.github.io/gtfobins/capsh/#shell
8 - https://www.elastic.co/guide/en/security/current/linux-restricted-shell-breakout-via-linux-binary-s.html
9author: Li Ling, Andy Parkidomo, Robert Rakowski, Blake Hartstein (Bloomberg L.P.)
10date: 2024-09-02
11tags:
12 - attack.execution
13 - attack.t1059
14logsource:
15 category: process_creation
16 product: linux
17detection:
18 selection:
19 Image|endswith: '/capsh'
20 CommandLine|endswith: ' --'
21 condition: selection
22falsepositives:
23 - Unknown
24level: high
References
-
.. / capsh Shell SUID Sudo Shell It can be used to break out from restricted environments by spawning an interactive system shell. SUID If the binary has the SUID bit set, it does not drop the elev...
Read More -
Linux Restricted Shell Breakout via Linux Binary(s) edit Identifies the abuse of a Linux binary to break out of a restricted shell or environment by spawning an interactive system shell. The activi...
Read More
Related rules
- Inline Python Execution - Spawn Shell Via OS System Library
- Shell Execution via Git - Linux
- Shell Execution via Rsync - Linux
- Shell Invocation Via Ssh - Linux
- Shell Invocation via Env Command - Linux