Description
Linux Living Off The Land consists of binaries that may be used to bypass local security restrictions within misconfigured systems.
- Product: Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud
- Datamodel: Endpoint
- Last Updated: 2022-07-27
- Author: Michael Haag, Splunk
- ID: e405a2d7-dc8e-4227-8e9d-f60267b8c0cd
Narrative
Similar to the Windows LOLBAS project, the GTFOBins project focuses solely on Unix binaries that may be abused across multiple categories, including Reverse Shell, File Upload, File Download and many more. These binaries ship with the operating system, and the functionality being abused is typically native to them. The behaviors are not malicious or vulnerable by default; they are built-in features of the applications. When reviewing any notables or hunting through mountains of events of interest, it is important to identify the binary, review its command-line arguments and file path, and capture any network and file modifications. Linux analysis may be cumbersome because of event volume and the way process behavior is represented in EDR products, so piecing it together will require some effort.
Detections
| Name | Technique | Type |
| --- | --- | --- |
| Curl Download and Bash Execution | Ingress Tool Transfer | TTP |
| Linux APT Privilege Escalation | Sudo and Sudo Caching, Abuse Elevation Control Mechanism | Anomaly |
| Linux AWK Privilege Escalation | Sudo and Sudo Caching, Abuse Elevation Control Mechanism | Anomaly |
| Linux Add Files In Known Crontab Directories | Cron, Scheduled Task/Job | Anomaly |
| Linux Adding Crontab Using List Parameter | Cron, Scheduled Task/Job | Hunting |
| Linux At Allow Config File Creation | Cron, Scheduled Task/Job | Anomaly |
| Linux At Application Execution | At, Scheduled Task/Job | Anomaly |
| Linux Busybox Privilege Escalation | Sudo and Sudo Caching, Abuse Elevation Control Mechanism | Anomaly |
| Linux Change File Owner To Root | Linux and Mac File and Directory Permissions Modification, File and Directory Permissions Modification | Anomaly |
| Linux Clipboard Data Copy | Clipboard Data | Anomaly |
| Linux Common Process For Elevation Control | Setuid and Setgid, Abuse Elevation Control Mechanism | Hunting |
| Linux Composer Privilege Escalation | Sudo and Sudo Caching, Abuse Elevation Control Mechanism | Anomaly |
| Linux Cpulimit Privilege Escalation | Sudo and Sudo Caching, Abuse Elevation Control Mechanism | Anomaly |
| Linux Csvtool Privilege Escalation | Sudo and Sudo Caching, Abuse Elevation Control Mechanism | Anomaly |
| Linux Curl Upload File | Ingress Tool Transfer | TTP |
| Linux Decode Base64 to Shell | Obfuscated Files or Information, Unix Shell | TTP |
| Linux Docker Privilege Escalation | Sudo and Sudo Caching, Abuse Elevation Control Mechanism | Anomaly |
| Linux Edit Cron Table Parameter | Cron, Scheduled Task/Job | Hunting |
| Linux Emacs Privilege Escalation | Sudo and Sudo Caching, Abuse Elevation Control Mechanism | Anomaly |
| Linux Find Privilege Escalation | Sudo and Sudo Caching, Abuse Elevation Control Mechanism | Anomaly |
| Linux GDB Privilege Escalation | Sudo and Sudo Caching, Abuse Elevation Control Mechanism | Anomaly |
| Linux GNU Awk Privilege Escalation | Sudo and Sudo Caching, Abuse Elevation Control Mechanism | Anomaly |
| Linux Gem Privilege Escalation | Sudo and Sudo Caching, Abuse Elevation Control Mechanism | Anomaly |
| Linux Ingress Tool Transfer Hunting | Ingress Tool Transfer | Hunting |
| Linux Ingress Tool Transfer with Curl | Ingress Tool Transfer | Anomaly |
| Linux Make Privilege Escalation | Sudo and Sudo Caching, Abuse Elevation Control Mechanism | Anomaly |
| Linux MySQL Privilege Escalation | Sudo and Sudo Caching, Abuse Elevation Control Mechanism | Anomaly |
| Linux Node Privilege Escalation | Sudo and Sudo Caching, Abuse Elevation Control Mechanism | Anomaly |
| Linux Obfuscated Files or Information Base64 Decode | Obfuscated Files or Information | Anomaly |
| Linux Octave Privilege Escalation | Sudo and Sudo Caching, Abuse Elevation Control Mechanism | Anomaly |
| Linux OpenVPN Privilege Escalation | Sudo and Sudo Caching, Abuse Elevation Control Mechanism | Anomaly |
| Linux PHP Privilege Escalation | Sudo and Sudo Caching, Abuse Elevation Control Mechanism | Anomaly |
| Linux Possible Access Or Modification Of sshd Config File | SSH Authorized Keys, Account Manipulation | Anomaly |
| Linux Possible Append Cronjob Entry on Existing Cronjob File | Cron, Scheduled Task/Job | Hunting |
| Linux Possible Cronjob Modification With Editor | Cron, Scheduled Task/Job | Hunting |
| Linux Possible Ssh Key File Creation | SSH Authorized Keys, Account Manipulation | Anomaly |
| Linux Proxy Socks Curl | Proxy, Non-Application Layer Protocol | TTP |
| Linux Puppet Privilege Escalation | Sudo and Sudo Caching, Abuse Elevation Control Mechanism | Anomaly |
| Linux RPM Privilege Escalation | Sudo and Sudo Caching, Abuse Elevation Control Mechanism | Anomaly |
| Linux Ruby Privilege Escalation | Sudo and Sudo Caching, Abuse Elevation Control Mechanism | Anomaly |
| Linux SSH Authorized Keys Modification | SSH Authorized Keys | Anomaly |
| Linux SSH Remote Services Script Execute | SSH | TTP |
| Linux Service File Created In Systemd Directory | Systemd Timers, Scheduled Task/Job | Anomaly |
| Linux Service Restarted | Systemd Timers, Scheduled Task/Job | Anomaly |
| Linux Service Started Or Enabled | Systemd Timers, Scheduled Task/Job | Anomaly |
| Linux Setuid Using Chmod Utility | Setuid and Setgid, Abuse Elevation Control Mechanism | Anomaly |
| Linux Sqlite3 Privilege Escalation | Sudo and Sudo Caching, Abuse Elevation Control Mechanism | Anomaly |
| Linux apt-get Privilege Escalation | Sudo and Sudo Caching, Abuse Elevation Control Mechanism | Anomaly |
| Linux c89 Privilege Escalation | Sudo and Sudo Caching, Abuse Elevation Control Mechanism | Anomaly |
| Linux c99 Privilege Escalation | Sudo and Sudo Caching, Abuse Elevation Control Mechanism | Anomaly |
| Linux pkexec Privilege Escalation | Exploitation for Privilege Escalation | TTP |
| Suspicious Curl Network Connection | Ingress Tool Transfer | TTP |
Reference
source | version: 1