Shell Execution GCC - Linux

calendar Sep 2, 2024 · attack.discovery attack.t1083  ·
Share on: linkedin copy

Detects the use of the "gcc" utility to execute a shell. Such behavior may be associated with privilege escalation, unauthorized command execution, or to break out from restricted environments.

Sigma rule (View on GitHub)

 1title: Shell Execution GCC  - Linux
 2id: 9b5de532-a757-4d70-946c-1f3e44f48b4d
 3status: experimental
 4description: |
 5        Detects the use of the "gcc" utility to execute a shell. Such behavior may be associated with privilege escalation, unauthorized command execution, or to break out from restricted environments.
 6references:
 7    - https://gtfobins.github.io/gtfobins/gcc/#shell
 8    - https://gtfobins.github.io/gtfobins/c89/#shell
 9    - https://gtfobins.github.io/gtfobins/c99/#shell
10    - https://www.elastic.co/guide/en/security/current/linux-restricted-shell-breakout-via-linux-binary-s.html
11author: Li Ling, Andy Parkidomo, Robert Rakowski, Blake Hartstein (Bloomberg L.P.)
12date: 2024-09-02
13tags:
14    - attack.discovery
15    - attack.t1083
16logsource:
17    category: process_creation
18    product: linux
19detection:
20    selection_img:
21        Image|endswith:
22            - '/c89'
23            - '/c99'
24            - '/gcc'
25        CommandLine|contains: '-wrapper'
26    selection_cli:
27        CommandLine|contains:
28            - '/bin/bash,-s'
29            - '/bin/dash,-s'
30            - '/bin/fish,-s'
31            - '/bin/sh,-s'
32            - '/bin/zsh,-s'
33    condition: all of selection_*
34falsepositives:
35    - Unknown
36level: high

References

  • gcc | GTFOBins

    .. / gcc Shell File write File read Sudo Shell It can be used to break out from restricted environments by spawning an interactive system shell. gcc -wrapper /bin/sh,-s . File write It writes data ...


    Read More

  • c89 | GTFOBins

    .. / c89 Shell File write File read Sudo Shell It can be used to break out from restricted environments by spawning an interactive system shell. c89 -wrapper /bin/sh,-s . File write It writes data ...


    Read More

  • c99 | GTFOBins

    .. / c99 Shell File write File read Sudo Shell It can be used to break out from restricted environments by spawning an interactive system shell. c99 -wrapper /bin/sh,-s . File write It writes data ...


    Read More

  • Linux Restricted Shell Breakout via Linux Binary(s) | Elastic Security Solution [8.15] | Elastic

    Linux Restricted Shell Breakout via Linux Binary(s) edit Identifies the abuse of a Linux binary to break out of a restricted shell or environment by spawning an interactive system shell. The activi...


    Read More

Related rules

to-top