Shell Execution via Nice - Linux
Detects the use of the "nice" utility to execute a shell. Such behavior may be associated with privilege escalation, unauthorized command execution, or to break out from restricted environments.
Sigma rule (View on GitHub)
1title: Shell Execution via Nice - Linux
2id: 093d68c7-762a-42f4-9f46-95e79142571a
3status: experimental
4description: |
5 Detects the use of the "nice" utility to execute a shell. Such behavior may be associated with privilege escalation, unauthorized command execution, or to break out from restricted environments.
6references:
7 - https://gtfobins.github.io/gtfobins/nice/#shell
8 - https://www.elastic.co/guide/en/security/current/linux-restricted-shell-breakout-via-linux-binary-s.html
9author: Li Ling, Andy Parkidomo, Robert Rakowski, Blake Hartstein (Bloomberg L.P.)
10date: 2024-09-02
11tags:
12 - attack.discovery
13 - attack.t1083
14logsource:
15 category: process_creation
16 product: linux
17detection:
18 selection:
19 Image|endswith: '/nice'
20 CommandLine|endswith:
21 - '/bin/bash'
22 - '/bin/dash'
23 - '/bin/fish'
24 - '/bin/sh'
25 - '/bin/zsh'
26 condition: selection
27falsepositives:
28 - Unknown
29level: high
References
-
.. / nice Shell SUID Sudo Shell It can be used to break out from restricted environments by spawning an interactive system shell. SUID If the binary has the SUID bit set, it does not drop the eleva...
Read More -
Linux Restricted Shell Breakout via Linux Binary(s) edit Identifies the abuse of a Linux binary to break out of a restricted shell or environment by spawning an interactive system shell. The activi...
Read More
Related rules
- Shell Execution GCC - Linux
- Shell Execution via Find - Linux
- Shell Execution via Flock - Linux
- Shell Invocation via Apt - Linux
- Vim GTFOBin Abuse - Linux