Vim GTFOBin Abuse - Linux
Detects the use of "vim" and its sibling commands (vi, rvim, vimdiff) to execute a shell or proxy commands. Such behavior may be associated with privilege escalation, unauthorized command execution, or breaking out of restricted environments.
Sigma rule
title: Vim GTFOBin Abuse - Linux
id: 7ab8f73a-fcff-428b-84aa-6a5ff7877dea
status: test
description: |
    Detects the use of "vim" and its sibling commands to execute a shell or proxy commands.
    Such behavior may be associated with privilege escalation, unauthorized command execution, or breaking out of restricted environments.
references:
    - https://gtfobins.github.io/gtfobins/vi/
    - https://gtfobins.github.io/gtfobins/vim/
    - https://gtfobins.github.io/gtfobins/rvim/
    - https://gtfobins.github.io/gtfobins/vimdiff/
author: Nasreddine Bencherchali (Nextron Systems), Luc Génaux
date: 2022-12-28
modified: 2026-06-05
tags:
    - attack.execution
    - attack.discovery
    - attack.t1059
    - attack.t1083
logsource:
    category: process_creation
    product: linux
detection:
    selection_img:
        Image|endswith:
            - '/rvim'
            - '/vi'
            - '/vim'
            - '/vimdiff'
        CommandLine|contains:
            - ' --cmd '
            - ' -c'
    selection_cli:
        CommandLine|contains:
            - ':!/'
            - ':!$'
            - ':!..'
            - ':lua '
            - ':py '
            - ':shell'
            - '/bin/bash'
            - '/bin/dash'
            - '/bin/fish'
            - '/bin/sh'
            - '/bin/csh'
            - '/bin/ksh'
            - '/bin/zsh'
            - '/bin/tmux'
    condition: all of selection_*
falsepositives:
    - Unknown
level: high
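The following Python evaluator is an added example, not part of the rule or of the Sigma project. It reproduces the rule's two selections by hand (Sigma's endswith and contains modifiers are case-insensitive by default, so every string is lowered first) and runs them over a handful of constructed process_creation events, so that both the hits and the misses of the rule as written can be checked offline. The field names Image and CommandLine come from the rule; the events themselves are made up for the example.

```python
"""Evaluate the 'Vim GTFOBin Abuse - Linux' Sigma rule against sample events.

Added example, not part of the rule or the Sigma project. It mirrors the
rule's selections: Sigma's 'endswith' and 'contains' modifiers are
case-insensitive substring tests by default, so values are lowered before
comparison.
"""

# selection_img: Image|endswith
IMAGE_SUFFIXES = ("/rvim", "/vi", "/vim", "/vimdiff")
# selection_img: CommandLine|contains (' -c' has no trailing space, so it also
# matches ' -cmd', ' -cX', ...; selection_cli keeps that from firing alone)
EDITOR_FLAGS = (" --cmd ", " -c")
# selection_cli: CommandLine|contains
PAYLOAD_MARKERS = (
    ":!/", ":!$", ":!..", ":lua ", ":py ", ":shell",
    "/bin/bash", "/bin/dash", "/bin/fish", "/bin/sh",
    "/bin/csh", "/bin/ksh", "/bin/zsh", "/bin/tmux",
)


def selection_img(event):
    """Editor binary launched with a startup-command flag."""
    image = event.get("Image", "").lower()
    cmdline = event.get("CommandLine", "").lower()
    return image.endswith(IMAGE_SUFFIXES) and any(f in cmdline for f in EDITOR_FLAGS)


def selection_cli(event):
    """Command line carries a shell-escape or interpreter marker."""
    cmdline = event.get("CommandLine", "").lower()
    return any(m in cmdline for m in PAYLOAD_MARKERS)


def matches(event):
    """condition: all of selection_*"""
    return selection_img(event) and selection_cli(event)


# Constructed process_creation events (not real telemetry). The first four are
# GTFOBins-style escapes the rule is meant to catch; the next two are benign
# editor use; the last two are near-misses that show the limits of the lists.
SAMPLE_EVENTS = [
    {"Image": "/usr/bin/vim", "CommandLine": "vim -c ':!/bin/sh'"},
    {"Image": "/usr/bin/vim",
     "CommandLine": "vim --cmd ':py import os; os.execl(\"/bin/sh\", \"sh\")'"},
    {"Image": "/usr/bin/rvim", "CommandLine": "rvim -c ':lua os.execute(\"/bin/sh\")'"},
    {"Image": "/usr/bin/vimdiff", "CommandLine": "vimdiff --cmd ':shell' a.txt b.txt"},
    {"Image": "/usr/bin/vim", "CommandLine": "vim -c 'set number' /etc/hosts"},
    {"Image": "/usr/bin/vi", "CommandLine": "vi /etc/ssh/sshd_config"},
    # shell escape by bare name: no selection_cli marker fires
    {"Image": "/usr/bin/vim", "CommandLine": "vim -c ':!sh'"},
    # neovim is not in the Image list, so an obvious escape is missed
    {"Image": "/usr/bin/nvim", "CommandLine": "nvim -c ':!/bin/sh'"},
]


def run_rule(events):
    """Return one verdict per event, in input order."""
    return [matches(e) for e in events]


if __name__ == "__main__":
    for event, hit in zip(SAMPLE_EVENTS, run_rule(SAMPLE_EVENTS)):
        print("ALERT " if hit else "      ", event["CommandLine"])
```

The last two sample events are worth keeping in mind when tuning: a shell escape written as `:!sh` (no absolute path) and any use of nvim fall outside the rule's string lists as published, so an environment where those are plausible would need the Image and selection_cli lists extended. Conversely, the loose ' -c' flag match is harmless on its own because the condition requires a selection_cli marker as well.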