2022-03-05 01:16:19 +05:30
[ metadata ]
creation_date = "2022/03/03"
maturity = "production"
2022-03-25 02:07:20 +05:30
updated_date = "2022/03/22"
2022-03-05 01:16:19 +05:30
[ rule ]
author = [ "Elastic" ]
description = "" "
Identifies Linux binary find abuse to break out from restricted environments by spawning an interactive system shell.
2022-03-25 02:07:20 +05:30
The vi/vim is the standard text editor in Linux distribution and the activity of spawning a shell is not a standard use
of this binary by a user or system administrator and could potentially indicate malicious actor attempting to improve
the capabilities or stability of their access."
2022-03-05 01:16:19 +05:30
"" "
from = " now-9m "
index = [" logs-endpoint . events . * "]
language = " eql "
license = " Elastic License v2 "
name = " Linux Restricted Shell Breakout via the vi command "
references = [" https : / / gtfobins . github . io / gtfobins / vi / "]
risk_score = 47
rule_id = " 89583 d1b-3c2e-4606-8b74-0a9fd2248e88 "
severity = " medium "
2022-03-18 15:06:24 +05:30
tags = [" Elastic ", " Host ", " Linux ", " Threat Detection ", " Execution ", " GTFOBins "]
2022-03-05 01:16:19 +05:30
timestamp_override = " event . ingested "
type = " eql "
query = '''
2022-03-25 02:07:20 +05:30
process where event.type == " start " and process.parent.name in (" vi ", " vim ") and process.parent.args == " -c " and process.parent.args in (" : ! / bin / bash ", " : ! / bin / sh ", " : ! bash ", " : ! sh ") and process.name in (" bash ", " sh ")
2022-03-05 01:16:19 +05:30
'''
[[rule.threat]]
framework = " MITRE ATT & CK "
[[rule.threat.technique]]
id = " T1059 "
name = " Command and Scripting Interpreter "
reference = " https : / / attack . mitre . org / techniques / T1059 / "
[[rule.threat.technique.subtechnique]]
id = " T1059 . 004 "
name = " Unix Shell "
reference = " https : / / attack . mitre . org / techniques / T1059 / 004 / "
[rule.threat.tactic]
id = " TA0002 "
name = " Execution "
reference = " https : / / attack . mitre . org / tactics / TA0002 / "
