Shell Invocation via Env Command - Linux
Detects the use of the env command to invoke a shell. This may indicate an attempt to bypass restricted environments, escalate privileges, or execute arbitrary commands.
Sigma rule (View on GitHub)
1title: Shell Invocation via Env Command - Linux
2id: bed978f8-7f3a-432b-82c5-9286a9b3031a
3status: experimental
4description: |
5 Detects the use of the env command to invoke a shell. This may indicate an attempt to bypass restricted environments, escalate privileges, or execute arbitrary commands.
6references:
7 - https://gtfobins.github.io/gtfobins/env/#shell
8 - https://www.elastic.co/guide/en/security/current/linux-restricted-shell-breakout-via-linux-binary-s.html
9author: Li Ling, Andy Parkidomo, Robert Rakowski, Blake Hartstein (Bloomberg L.P.)
10date: 2024-09-02
11tags:
12 - attack.execution
13 - attack.t1059
14logsource:
15 category: process_creation
16 product: linux
17detection:
18 selection:
19 Image|endswith: '/env'
20 CommandLine|endswith:
21 - '/bin/bash'
22 - '/bin/dash'
23 - '/bin/fish'
24 - '/bin/sh'
25 - '/bin/zsh'
26 condition: selection
27falsepositives:
28 - Github operations such as ghe-backup
29level: high
References
-
.. / env Shell SUID Sudo Shell It can be used to break out from restricted environments by spawning an interactive system shell. SUID If the binary has the SUID bit set, it does not drop the elevat...
Read More -
Linux Restricted Shell Breakout via Linux Binary(s) edit Identifies the abuse of a Linux binary to break out of a restricted shell or environment by spawning an interactive system shell. The activi...
Read More
Related rules
- Capsh Shell Invocation - Linux
- Inline Python Execution - Spawn Shell Via OS System Library
- Shell Execution via Git - Linux
- Shell Execution via Rsync - Linux
- Shell Invocation Via Ssh - Linux