Apt GTFOBin Abuse - Linux
Detects usage of "apt" and "apt-get" as a GTFOBin to execute and proxy command and binary execution
Sigma rule (View on GitHub)
1title: Apt GTFOBin Abuse - Linux
2id: bb382fd5-b454-47ea-a264-1828e4c766d6
3status: test
4description: Detects usage of "apt" and "apt-get" as a GTFOBin to execute and proxy command and binary execution
5references:
6 - https://gtfobins.github.io/gtfobins/apt/
7 - https://gtfobins.github.io/gtfobins/apt-get/
8author: Nasreddine Bencherchali (Nextron Systems)
9date: 2022/12/28
10tags:
11 - attack.discovery
12 - attack.t1083
13logsource:
14 category: process_creation
15 product: linux
16detection:
17 selection:
18 Image|endswith:
19 - '/apt'
20 - '/apt-get'
21 CommandLine|contains: 'APT::Update::Pre-Invoke::='
22 condition: selection
23falsepositives:
24 - Unknown
25level: medium
References
-
.. / apt Shell Sudo Shell It can be used to break out from restricted environments by spawning an interactive system shell. This invokes the default pager, which is likely to be less, other functio...
Read More -
.. / apt-get Shell Sudo Shell It can be used to break out from restricted environments by spawning an interactive system shell. This invokes the default pager, which is likely to be less, other fun...
Read More
Related rules
- Potential Discovery Activity Using Find - Linux
- Potential Discovery Activity Using Find - MacOS
- Vim GTFOBin Abuse - Linux
- Turla Group Lateral Movement
- WannaCry Ransomware Activity