gtfobin shell breakouts

rules/linux/process_creation/proc_creation_lnx_gtfobin_awk_shell.yml

@@ -0,0 +1,36 @@
+title: Awk GTFOBin Abuse - Linux
+id: 8c1a5675-cb85-452f-a298-b01b22a51856
+status: experimental
+description: Detects usage of awk and siblings as a GTFOBin Linux binary abuse to break out from restricted environments by spawning an interactive system shell. 
+references:
+    - https://gtfobins.github.io/gtfobins/awk/#shell
+    - https://gtfobins.github.io/gtfobins/gawk/#shell
+    - https://gtfobins.github.io/gtfobins/nawk/#shell
+    - https://gtfobins.github.io/gtfobins/mawk/#shell
+author: Li Ling, Andy Parkidomo, Robert Rakowski, Blake Hartstein (Bloomberg L.P.)
+date: 2024/08/05
+tags:
+    - attack.execution
+    - attack.t1059
+logsource:
+    category: process_creation
+    product: linux
+detection:
+    selection_img:
+        Image|endswith:
+            - '/awk'
+            - '/gawk'
+            - '/nawk'
+            - '/mawk'            
+        CommandLine|contains: 'BEGIN {system'
+    selection_cli:
+        CommandLine|contains:
+            - '/bin/sh'
+            - '/bin/bash'
+            - '/bin/dash'
+            - '/bin/zsh'
+            - '/bin/fish'
+    condition: all of selection_*
+falsepositives:
+    - Unknown
+level: high

rules/linux/process_creation/proc_creation_lnx_gtfobin_capsh_shell.yml

@@ -0,0 +1,24 @@
+title: Capsh GTFOBin Abuse - Linux
+id: db1ac3be-f606-4e3a-89e0-9607cbe6b98a
+status: experimental
+description: Detects usage of Capsh as a GTFOBin Linux binary abuse to break out from restricted environments by spawning an interactive system shell. 
+references:
+    - https://gtfobins.github.io/gtfobins/capsh/#shell
+    - https://www.elastic.co/guide/en/security/current/linux-restricted-shell-breakout-via-linux-binary-s.html
+author: Li Ling, Andy Parkidomo, Robert Rakowski, Blake Hartstein (Bloomberg L.P.)
+date: 2024/08/05
+tags:
+    - attack.execution
+    - attack.t1059
+logsource:
+    category: process_creation
+    product: linux
+detection:
+    selection_img:
+        Image|endswith: '/capsh'
+    selection_cli:
+        CommandLine|endswith: ' --'
+    condition: all of selection_*
+falsepositives:
+    - Unknown
+level: high

rules/linux/process_creation/proc_creation_lnx_gtfobin_env_shell.yml

@@ -0,0 +1,29 @@
+title: Env GTFOBin Abuse - Linux
+id: bed978f8-7f3a-432b-82c5-9286a9b3031a
+status: experimental
+description: Detects usage of env as a GTFOBin Linux binary abuse to break out from restricted environments by spawning an interactive system shell. 
+references:
+    - https://gtfobins.github.io/gtfobins/env/#shell
+    - https://www.elastic.co/guide/en/security/current/linux-restricted-shell-breakout-via-linux-binary-s.html
+author: Li Ling, Andy Parkidomo, Robert Rakowski, Blake Hartstein (Bloomberg L.P.)
+date: 2024/08/05
+tags:
+    - attack.execution
+    - attack.t1059
+logsource:
+    category: process_creation
+    product: linux
+detection:
+    selection_img:
+        Image|endswith: '/env'
+    selection_cli:
+        CommandLine|endswith:
+            - '/bin/sh'
+            - '/bin/bash'
+            - '/bin/dash'
+            - '/bin/zsh'
+            - '/bin/fish'
+    condition: all of selection_*
+falsepositives:
+    - Github operations such as ghe-backup
+level: high

rules/linux/process_creation/proc_creation_lnx_gtfobin_find_shell.yml

@@ -0,0 +1,32 @@
+title: Find GTFOBin Abuse - Linux
+id: 6adfbf8f-52be-4444-9bac-81b539624146
+status: experimental
+description: Detects usage of "find" as a GTFOBin Linux binary abuse to break out from restricted environments by spawning an interactive system shell.
+references:
+    - https://gtfobins.github.io/gtfobins/find/#shell
+    - https://www.elastic.co/guide/en/security/current/linux-restricted-shell-breakout-via-linux-binary-s.html
+author: Li Ling, Andy Parkidomo, Robert Rakowski, Blake Hartstein (Bloomberg L.P.)
+date: 2024/08/05
+tags:
+    - attack.discovery
+    - attack.t1083
+logsource:
+    category: process_creation
+    product: linux
+detection:
+    selection_img:
+        Image|endswith: '/find'
+        CommandLine|contains|all:
+            - ' . '
+            - '-exec'
+    selection_cli:
+        CommandLine|contains:
+            - '/bin/sh'
+            - '/bin/bash'
+            - '/bin/dash'
+            - '/bin/zsh'
+            - '/bin/fish'
+    condition: all of selection_*
+falsepositives:
+    - Unknown
+level: high

rules/linux/process_creation/proc_creation_lnx_gtfobin_flock_shell.yml

@@ -0,0 +1,30 @@
+title: Flock GTFOBin Abuse - Linux
+id: 4b09c71e-4269-4111-9cdd-107d8867f0cc
+status: experimental
+description: Detects usage of "flock" as a GTFOBin Linux binary abuse to break out from restricted environments by spawning an interactive system shell.
+references:
+    - https://gtfobins.github.io/gtfobins/flock/#shell
+    - https://www.elastic.co/guide/en/security/current/linux-restricted-shell-breakout-via-linux-binary-s.html
+author: Li Ling, Andy Parkidomo, Robert Rakowski, Blake Hartstein (Bloomberg L.P.)
+date: 2024/08/05
+tags:
+    - attack.discovery
+    - attack.t1083
+logsource:
+    category: process_creation
+    product: linux
+detection:
+    selection_img:
+        Image|endswith: '/flock'
+        CommandLine|contains: ' -u '
+    selection_cli:
+        CommandLine|contains:
+            - '/bin/sh'
+            - '/bin/bash'
+            - '/bin/dash'
+            - '/bin/zsh'
+            - '/bin/fish'
+    condition: all of selection_*
+falsepositives:
+    - Unknown
+level: high

rules/linux/process_creation/proc_creation_lnx_gtfobin_gcc_shell.yml

@@ -0,0 +1,35 @@
+title: GCC GTFOBin Abuse - Linux
+id: 9b5de532-a757-4d70-946c-1f3e44f48b4d
+status: experimental
+description: Detects usage of GCC compilers as a GTFOBin Linux binary abuse to break out from restricted environments by spawning an interactive system shell.
+references:
+    - https://gtfobins.github.io/gtfobins/gcc/#shell
+    - https://gtfobins.github.io/gtfobins/c89/#shell
+    - https://gtfobins.github.io/gtfobins/c99/#shell
+    - https://www.elastic.co/guide/en/security/current/linux-restricted-shell-breakout-via-linux-binary-s.html
+author: Li Ling, Andy Parkidomo, Robert Rakowski, Blake Hartstein (Bloomberg L.P.)
+date: 2024/08/05
+tags:
+    - attack.discovery
+    - attack.t1083
+logsource:
+    category: process_creation
+    product: linux
+detection:
+    selection_img:
+        Image|endswith:
+            - '/gcc'
+            - '/c89'
+            - '/c99'
+        CommandLine|contains: '-wrapper'
+    selection_cli:
+        CommandLine|contains:
+            - '/bin/sh,-s'
+            - '/bin/bash,-s'
+            - '/bin/dash,-s'
+            - '/bin/zsh,-s'
+            - '/bin/fish,-s'
+    condition: all of selection_*
+falsepositives:
+    - Unknown
+level: high

rules/linux/process_creation/proc_creation_lnx_gtfobin_git_shell.yml

@@ -0,0 +1,29 @@
+title: Git GTFOBin Abuse - Linux
+id: 47b3bbd4-1bf7-48cc-84ab-995362aaa75a
+status: experimental
+description: Detects usage of git as a GTFOBin Linux binary abuse to break out from restricted environments by spawning an interactive system shell. 
+references:
+    - https://gtfobins.github.io/gtfobins/git/#shell
+author: Li Ling, Andy Parkidomo, Robert Rakowski, Blake Hartstein (Bloomberg L.P.)
+date: 2024/08/05
+tags:
+    - attack.execution
+    - attack.t1059
+logsource:
+    category: process_creation
+    product: linux
+detection:
+    selection_parent:
+        ParentImage|endswith: '/git'
+        ParentCommandLine|contains|all:
+            - ' -p '
+            - 'help'
+    selection_cli:
+        CommandLine|contains:
+            - 'sh 0<&1'
+            - 'bash 0<&1'
+            - 'dash 0<&1'
+    condition: all of selection_*
+falsepositives:
+    - Unknown
+level: high

rules/linux/process_creation/proc_creation_lnx_gtfobin_nice_shell.yml

@@ -0,0 +1,29 @@
+title: Nice GTFOBin Abuse - Linux
+id: 093d68c7-762a-42f4-9f46-95e79142571a
+status: experimental
+description: Detects usage of "nice" as a GTFOBin Linux binary abuse to break out from restricted environments by spawning an interactive system shell.
+references:
+    - https://gtfobins.github.io/gtfobins/nice/#shell
+    - https://www.elastic.co/guide/en/security/current/linux-restricted-shell-breakout-via-linux-binary-s.html
+author: Li Ling, Andy Parkidomo, Robert Rakowski, Blake Hartstein (Bloomberg L.P.)
+date: 2024/08/05
+tags:
+    - attack.discovery
+    - attack.t1083
+logsource:
+    category: process_creation
+    product: linux
+detection:
+    selection_img:
+        Image|endswith: '/nice'
+    selection_cli:
+        CommandLine|endswith:
+            - '/bin/sh'
+            - '/bin/bash'
+            - '/bin/dash'
+            - '/bin/zsh'
+            - '/bin/fish'
+    condition: all of selection_*
+falsepositives:
+    - Unknown
+level: high

rules/linux/process_creation/proc_creation_lnx_gtfobin_python_shell.yml

@@ -0,0 +1,33 @@
+title: GTFOBIN PYTHON SHELL
+id: 2d2f44ff-4611-4778-a8fc-323a0e9850cc
+status: experimental
+description: Detects usage of Python a GTFOBin Linux binary abuse to break out from restricted environments by spawning an interactive system shell.
+references:
+    - https://gtfobins.github.io/gtfobins/python/#shell
+author: Li Ling, Andy Parkidomo, Robert Rakowski, Blake Hartstein (Bloomberg L.P.)
+date: 2024/08/05
+tags:
+    - attack.execution
+    - attack.t1059
+logsource:
+    category: process_creation
+    product: linux
+detection:
+    selection_python:
+        Image|contains: 'python'
+    selection_cli:
+        CommandLine|contains|all:
+            - ' -c '
+            - 'import' 
+            - 'os'
+            - 'os.system('
+        CommandLine|contains:
+            - '/bin/sh'
+            - '/bin/bash'
+            - '/bin/dash'
+            - '/bin/zsh'
+            - '/bin/fish'
+    condition: selection_python and selection_cli
+falsepositives:
+    - Unknown
+level: high

rules/linux/process_creation/proc_creation_lnx_gtfobin_rsync_shell.yml

@@ -0,0 +1,29 @@
+title: Rsync GTFOBin Abuse - Linux
+id: e2326866-609f-4015-aea9-7ec634e8aa04
+status: experimental
+description: Detects usage of rsync as a GTFOBin Linux binary abuse to break out from restricted environments by spawning an interactive system shell. 
+references:
+    - https://gtfobins.github.io/gtfobins/rsync/#shell
+author: Li Ling, Andy Parkidomo, Robert Rakowski, Blake Hartstein (Bloomberg L.P.)
+date: 2024/08/05
+tags:
+    - attack.execution
+    - attack.t1059
+logsource:
+    category: process_creation
+    product: linux
+detection:
+    selection_img:
+        Image|endswith: '/rsync'
+        CommandLine|contains: ' -e '
+    selection_cli:
+        CommandLine|contains:
+            - 'sh 0<&2 1>&2'
+            - 'bash 0<&2 1>&2'
+            - 'dash 0<&2 1>&2'
+    selection_null:
+        CommandLine|contains: '/dev/null'   
+    condition: all of selection_*
+falsepositives:
+    - Unknown
+level: high

rules/linux/process_creation/proc_creation_lnx_gtfobin_ssh_shell.yml

@@ -0,0 +1,36 @@
+title: SSH GTFOBin Abuse - Linux
+id: 8737b7f6-8df3-4bb7-b1da-06019b99b687
+status: experimental
+description: Detects usage of SSH and variants as a GTFOBin Linux binary abuse to break out from restricted environments by spawning an interactive system shell. 
+references:
+    - https://gtfobins.github.io/gtfobins/ssh/
+    - https://www.elastic.co/guide/en/security/current/linux-restricted-shell-breakout-via-linux-binary-s.html
+author: Li Ling, Andy Parkidomo, Robert Rakowski, Blake Hartstein (Bloomberg L.P.)
+date: 2024/08/05
+tags:
+    - attack.execution
+    - attack.t1059
+logsource:
+    category: process_creation
+    product: linux
+detection:
+    selection_img:
+        Image|endswith: '/ssh'
+        CommandLine|contains:
+            - 'ProxyCommand=;'
+            - 'permitlocalcommand=yes'
+            - 'localhost'
+    selection_cli:
+        CommandLine|contains:
+            - 'sh 0<&2 1>&2'
+            - 'bash 0<&2 1>&2'
+            - 'dash 0<&2 1>&2' 
+            - '/bin/sh'
+            - '/bin/bash'
+            - '/bin/dash'
+            - '/bin/zsh'
+            - '/bin/fish'
+    condition: all of selection_*
+falsepositives:
+    - Unknown
+level: high