Vim GTFOBin Abuse - Linux

Detects usage of "vim" and its siblings (rvim, vimdiff) as a GTFOBin to execute and proxy command and binary execution

Sigma rule

title: Vim GTFOBin Abuse - Linux
id: 7ab8f73a-fcff-428b-84aa-6a5ff7877dea
status: test
description: Detects usage of "vim" and it's siblings as a GTFOBin to execute and proxy command and binary execution
references:
    - https://gtfobins.github.io/gtfobins/vim/
    - https://gtfobins.github.io/gtfobins/rvim/
    - https://gtfobins.github.io/gtfobins/vimdiff/
author: Nasreddine Bencherchali (Nextron Systems)
date: 2022/12/28
tags:
    - attack.discovery
    - attack.t1083
logsource:
    category: process_creation
    product: linux
detection:
    selection_img:
        Image|endswith:
            - '/vim'
            - '/rvim'
            - '/vimdiff'
        CommandLine|contains:
            - ' -c '
            - ' --cmd'
    selection_cli:
        CommandLine|contains:
            - ':!/'
            - ':py '
            - ':lua '
            - '/bin/sh'
            - '/bin/bash'
            - '/bin/dash'
            - '/bin/zsh'
            - '/bin/fish'
    condition: all of selection_*
falsepositives:
    - Unknown
level: high
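To see how the two selections combine under `all of selection_*`, here is an added Python evaluator (not part of the Sigma project or of this rule) that applies the rule's `endswith` and `contains` modifiers to a handful of constructed process_creation events. Field names follow the rule; the events themselves are constructed, not real telemetry.

```python
# Added example: a minimal evaluator for this rule's logic, not part of the
# Sigma project. Sigma string matching is case-insensitive by default, so
# both sides are lower-cased before comparison.

IMAGE_SUFFIXES = ("/vim", "/rvim", "/vimdiff")      # selection_img: Image|endswith
FLAG_PATTERNS = (" -c ", " --cmd")                   # selection_img: CommandLine|contains
CLI_PATTERNS = (":!/", ":py ", ":lua ", "/bin/sh", "/bin/bash",
                "/bin/dash", "/bin/zsh", "/bin/fish")  # selection_cli: CommandLine|contains


def selection_img(event: dict) -> bool:
    """Image ends with one of the listed editors AND a -c/--cmd flag is present."""
    image = event.get("Image", "").lower()
    cmdline = event.get("CommandLine", "").lower()
    return image.endswith(IMAGE_SUFFIXES) and any(p in cmdline for p in FLAG_PATTERNS)


def selection_cli(event: dict) -> bool:
    """Command line carries one of the shell/interpreter escape patterns."""
    cmdline = event.get("CommandLine", "").lower()
    return any(p in cmdline for p in CLI_PATTERNS)


def rule_matches(event: dict) -> bool:
    # condition: all of selection_*  ->  both selections must hold
    return selection_img(event) and selection_cli(event)


# Constructed process_creation events (not real telemetry).
SAMPLE_EVENTS = [
    {"Image": "/usr/bin/vim", "CommandLine": "vim -c ':!/bin/sh'"},                     # both selections hit
    {"Image": "/usr/bin/vimdiff", "CommandLine": "vimdiff --cmd ':py import os' a b"},  # both selections hit
    {"Image": "/usr/bin/vim", "CommandLine": "vim -c 'set number' notes.txt"},          # -c only: benign
    {"Image": "/usr/bin/vim", "CommandLine": "vim /bin/sh"},                            # no -c/--cmd: editing a file
    {"Image": "/usr/bin/nvim", "CommandLine": "nvim -c ':!/bin/sh'"},                   # nvim not in Image list
]


def matching_commandlines(events=SAMPLE_EVENTS) -> list:
    """Return the CommandLine of every event the rule would alert on."""
    return [e["CommandLine"] for e in events if rule_matches(e)]


if __name__ == "__main__":
    for line in matching_commandlines():
        print("ALERT:", line)
```

The last sample shows the coverage boundary of the `Image|endswith` list: an editor not named there (here `nvim`) is not matched, which is where a local extension of the list would go if such binaries are present in your environment.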
