Shell Execution via Flock - Linux
Detects the use of the "flock" command to execute a shell. Such behavior may be associated with privilege escalation, unauthorized command execution, or to break out from restricted environments.
Sigma rule (View on GitHub)
1title: Shell Execution via Flock - Linux
2id: 4b09c71e-4269-4111-9cdd-107d8867f0cc
3status: experimental
4description: |
5 Detects the use of the "flock" command to execute a shell. Such behavior may be associated with privilege escalation, unauthorized command execution, or to break out from restricted environments.
6references:
7 - https://gtfobins.github.io/gtfobins/flock/#shell
8 - https://www.elastic.co/guide/en/security/current/linux-restricted-shell-breakout-via-linux-binary-s.html
9author: Li Ling, Andy Parkidomo, Robert Rakowski, Blake Hartstein (Bloomberg L.P.)
10date: 2024-09-02
11tags:
12 - attack.discovery
13 - attack.t1083
14logsource:
15 category: process_creation
16 product: linux
17detection:
18 selection_img:
19 Image|endswith: '/flock'
20 CommandLine|contains: ' -u '
21 selection_cli:
22 CommandLine|contains:
23 - '/bin/bash'
24 - '/bin/dash'
25 - '/bin/fish'
26 - '/bin/sh'
27 - '/bin/zsh'
28 condition: all of selection_*
29falsepositives:
30 - Unknown
31level: high
References
-
.. / flock Shell SUID Sudo Shell It can be used to break out from restricted environments by spawning an interactive system shell. SUID If the binary has the SUID bit set, it does not drop the elev...
Read More -
Linux Restricted Shell Breakout via Linux Binary(s) edit Identifies the abuse of a Linux binary to break out of a restricted shell or environment by spawning an interactive system shell. The activi...
Read More
Related rules
- Shell Execution GCC - Linux
- Shell Execution via Find - Linux
- Shell Execution via Nice - Linux
- Shell Invocation via Apt - Linux
- Vim GTFOBin Abuse - Linux