Shell Invocation Via Ssh - Linux
Detects the use of the "ssh" utility to execute a shell. Such behavior may be associated with privilege escalation, unauthorized command execution, or to break out from restricted environments.
Sigma rule (View on GitHub)
1title: Shell Invocation Via Ssh - Linux
2id: 8737b7f6-8df3-4bb7-b1da-06019b99b687
3status: experimental
4description: |
5 Detects the use of the "ssh" utility to execute a shell. Such behavior may be associated with privilege escalation, unauthorized command execution, or to break out from restricted environments.
6references:
7 - https://gtfobins.github.io/gtfobins/ssh/
8 - https://www.elastic.co/guide/en/security/current/linux-restricted-shell-breakout-via-linux-binary-s.html
9author: Li Ling, Andy Parkidomo, Robert Rakowski, Blake Hartstein (Bloomberg L.P.)
10date: 2024-08-29
11tags:
12 - attack.execution
13 - attack.t1059
14logsource:
15 category: process_creation
16 product: linux
17detection:
18 selection_img:
19 Image|endswith: '/ssh'
20 CommandLine|contains:
21 - 'ProxyCommand=;'
22 - 'permitlocalcommand=yes'
23 - 'localhost'
24 selection_cli:
25 CommandLine|contains:
26 - '/bin/bash'
27 - '/bin/dash'
28 - '/bin/fish'
29 - '/bin/sh'
30 - '/bin/zsh'
31 - 'sh 0<&2 1>&2'
32 - 'sh 1>&2 0<&2'
33 condition: all of selection_*
34falsepositives:
35 - Unknown
36level: high
References
-
.. / ssh Shell File upload File download File read Sudo Shell It can be used to break out from restricted environments by spawning an interactive system shell. Reconnecting may help bypassing restr...
Read More -
Linux Restricted Shell Breakout via Linux Binary(s) edit Identifies the abuse of a Linux binary to break out of a restricted shell or environment by spawning an interactive system shell. The activi...
Read More
Related rules
- Capsh Shell Invocation - Linux
- Inline Python Execution - Spawn Shell Via OS System Library
- Shell Execution via Git - Linux
- Shell Execution via Rsync - Linux
- Shell Invocation via Env Command - Linux