Shell Execution via Find - Linux
Detects the use of the find command to execute a shell. Such behavior may be associated with privilege escalation, unauthorized command execution, or exploitation attempt.
Sigma rule (View on GitHub)
1title: Shell Execution via Find - Linux
2id: 6adfbf8f-52be-4444-9bac-81b539624146
3status: experimental
4description: |
5 Detects the use of the find command to execute a shell. Such behavior may be associated with privilege escalation, unauthorized command execution, or exploitation attempt.
6references:
7 - https://gtfobins.github.io/gtfobins/find/#shell
8 - https://www.elastic.co/guide/en/security/current/linux-restricted-shell-breakout-via-linux-binary-s.html
9author: Li Ling, Andy Parkidomo, Robert Rakowski, Blake Hartstein (Bloomberg L.P.)
10date: 2024-09-02
11tags:
12 - attack.discovery
13 - attack.t1083
14logsource:
15 category: process_creation
16 product: linux
17detection:
18 selection_img:
19 Image|endswith: '/find'
20 CommandLine|contains|all:
21 - ' . '
22 - '-exec'
23 selection_cli:
24 CommandLine|contains:
25 - '/bin/bash'
26 - '/bin/dash'
27 - '/bin/fish'
28 - '/bin/sh'
29 - '/bin/zsh'
30 condition: all of selection_*
31falsepositives:
32 - Unknown
33level: high
References
-
.. / find Shell File write SUID Sudo Shell It can be used to break out from restricted environments by spawning an interactive system shell. find . -exec /bin/sh \; -quit File write It writes data ...
Read More -
Linux Restricted Shell Breakout via Linux Binary(s) edit Identifies the abuse of a Linux binary to break out of a restricted shell or environment by spawning an interactive system shell. The activi...
Read More
Related rules
- Shell Execution GCC - Linux
- Shell Execution via Flock - Linux
- Shell Execution via Nice - Linux
- Shell Invocation via Apt - Linux
- Vim GTFOBin Abuse - Linux