security-tools/blue-team-tools
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
8f8ce06ffb8d8fd3433dbffebccd33ec9d23e51a
blue-team-tools/rules/linux/process_creation/proc_creation_lnx_capa_discovery.yml
T
frack113 48baf1187b Merge PR #4752 from @frack113 - Update rules to use the windash modifier 
update: File Enumeration Via Dir Command - Update logic to use a wildcard in addition, for better accuracy.
chore: update multiple rules to use the windash modifier 

---------

Co-authored-by: nasbench <8741929+nasbench@users.noreply.github.com>
2024-03-11 12:01:30 +01:00

26 lines
812 B
YAML
Raw Blame History

title: Capabilities Discovery - Linux
id: d8d97d51-122d-4cdd-9e2f-01b4b4933530
status: test
description: Detects usage of "getcap" binary. This is often used during recon activity to determine potential binaries that can be abused as GTFOBins or other.
references:
- https://github.com/SaiSathvik1/Linux-Privilege-Escalation-Notes
- https://github.com/carlospolop/PEASS-ng
- https://github.com/diego-treitos/linux-smart-enumeration
author: Nasreddine Bencherchali (Nextron Systems)
date: 2022/12/28
modified: 2024/03/05
tags:
- attack.discovery
- attack.t1083
logsource:
category: process_creation
product: linux
detection:
selection:
Image|endswith: '/getcap'
CommandLine|contains|windash: ' -r '
condition: selection
falsepositives:
- Unknown
level: low
Reference in New Issue View Git Blame Copy Permalink