Vim GTFOBin Abuse - Linux

Detects the use of "vim" and its sibling commands (rvim, vimdiff) to execute a shell or proxy commands. Such behavior may be associated with privilege escalation, unauthorized command execution, or attempts to break out of restricted environments.

Sigma rule:

```yaml
title: Vim GTFOBin Abuse - Linux
id: 7ab8f73a-fcff-428b-84aa-6a5ff7877dea
status: test
description: |
    Detects the use of "vim" and it's siblings commands to execute a shell or proxy commands.
    Such behavior may be associated with privilege escalation, unauthorized command execution, or to break out from restricted environments.
references:
    - https://gtfobins.github.io/gtfobins/vim/
    - https://gtfobins.github.io/gtfobins/rvim/
    - https://gtfobins.github.io/gtfobins/vimdiff/
author: Nasreddine Bencherchali (Nextron Systems)
date: 2022-12-28
modified: 2024-09-02
tags:
    - attack.discovery
    - attack.t1083
logsource:
    category: process_creation
    product: linux
detection:
    selection_img:
        Image|endswith:
            - '/rvim'
            - '/vim'
            - '/vimdiff'
        CommandLine|contains:
            - ' --cmd'
            - ' -c '
    selection_cli:
        CommandLine|contains:
            - ':!/'
            - ':lua '
            - ':py '
            - '/bin/bash'
            - '/bin/dash'
            - '/bin/fish'
            - '/bin/sh'
            - '/bin/zsh'
    condition: all of selection_*
falsepositives:
    - Unknown
level: high
```
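To see how the detection logic above behaves on real telemetry, here is an added Python evaluator (written for this page, not code from the Sigma project or the rule author) that implements both selections and the `all of selection_*` condition over constructed `process_creation` events; the event dictionaries, the `Image`/`CommandLine` field names and the case-insensitive matching are assumptions based on the Sigma specification.

```python
# Added example: a minimal evaluator for the "Vim GTFOBin Abuse - Linux" rule.
# Pattern lists are copied from the rule; events below are constructed, not real logs.

IMAGE_ENDSWITH = ("/rvim", "/vim", "/vimdiff")
IMG_CLI_CONTAINS = (" --cmd", " -c ")
CLI_CONTAINS = (":!/", ":lua ", ":py ", "/bin/bash", "/bin/dash",
                "/bin/fish", "/bin/sh", "/bin/zsh")


def _field(event, name):
    # Sigma string matching is case-insensitive unless the |cased modifier is used.
    return str(event.get(name, "")).lower()


def selection_img(event):
    # Image|endswith AND CommandLine|contains (both lists are OR-ed internally).
    image, cli = _field(event, "Image"), _field(event, "CommandLine")
    return (any(image.endswith(p.lower()) for p in IMAGE_ENDSWITH)
            and any(p.lower() in cli for p in IMG_CLI_CONTAINS))


def selection_cli(event):
    cli = _field(event, "CommandLine")
    return any(p.lower() in cli for p in CLI_CONTAINS)


def rule_matches(event):
    # condition: all of selection_*
    return selection_img(event) and selection_cli(event)


def matching_command_lines(events):
    """Return the CommandLine of every event the rule would alert on."""
    return [e["CommandLine"] for e in events if rule_matches(e)]


# Constructed sample events (assumed field names, no real telemetry).
EVENTS = [
    # Shell escape built from the rule's own strings: should alert.
    {"Image": "/usr/bin/vim", "CommandLine": "vim -c ':!/bin/sh'"},
    # Benign edit that still alerts: 'contains' is a plain substring test,
    # so the path /usr/local/bin/shim satisfies the '/bin/sh' pattern.
    {"Image": "/usr/bin/vim", "CommandLine": "vim -c 'set ff=unix' /usr/local/bin/shim"},
    # Ordinary editing session without -c/--cmd: no alert.
    {"Image": "/usr/bin/vim", "CommandLine": "vim /etc/hosts"},
    # Another editor with a ' -c ' flag: Image does not match, no alert.
    {"Image": "/usr/bin/nano", "CommandLine": "nano -c /etc/hosts"},
]

if __name__ == "__main__":
    for cli in matching_command_lines(EVENTS):
        print("ALERT:", cli)
```

The second event is the practical caveat to tune for: because `contains` matches substrings, a user editing a file whose path happens to contain `/bin/sh`, `/bin/bash` and so on will trigger the rule, so such paths are a good starting point for a site-specific filter.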
