elastic / detection-rules

https://www.elastic.co/guide/en/security/current/detection-engine-overview.html

[New Rule] Linux Restricted Shell Breakout via the dpkg command #1835

Closed shashank-elastic closed 4 months ago

shashank-elastic commented 2 years ago

Description

GTFOBins is a list (not exhaustive) of Unix binaries that can be used to bypass local security restrictions in misconfigured Linux/Unix systems and can have cascading effects in a vast infrastructure.

dpkg is a common IOC; the Unix binary can be abused to break out of restricted shells or environments by spawning an interactive system shell. This activity is not standard use of this binary for a user or system administrator. It indicates a potentially malicious actor attempting to improve the capabilities or stability of their access.

Required Info

The dpkg library is installed on the targeted host

Target indexes

logs-endpoint.events.*

Additional requirements

A non-sudo user to test for elevated privileges

Target Operating Systems

Linux

Tested ECS Version

7.15.1

Optional Info

Query

References

https://gtfobins.github.io/gtfobins/dpkg/

Example Data
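The issue leaves its Query and Example Data sections empty, so the following is an added example, not the issue author's query and not the logic of the rule that ships in the detection-rules repository. It implements, in plain Python over constructed ECS-shaped endpoint process events (the shape found in logs-endpoint.events.*), the predicate such a rule would express: a process start event whose process.name is a shell and whose process.parent.name is dpkg. The ECS field names (event.category, event.type, process.name, process.args, process.parent.name, process.pid) are real; the shell list, the sample events and the "interactive shell" heuristic (no script path or command string after argv[0]) are assumptions made for this example.

```python
"""Added example: detect an interactive shell spawned directly by dpkg.

Not code from elastic/detection-rules or from the issue author. Field paths
follow ECS; the sample events below are constructed for this example.
"""
from typing import Any, Dict, List

# Assumption: shells worth flagging when spawned under dpkg.
SHELL_NAMES = {"sh", "bash", "dash", "zsh", "ksh", "csh", "tcsh", "fish"}


def _field(event: Dict[str, Any], path: str, default: Any = None) -> Any:
    """Walk a dotted ECS path (e.g. "process.parent.name") through nested dicts."""
    cur: Any = event
    for key in path.split("."):
        if not isinstance(cur, dict) or key not in cur:
            return default
        cur = cur[key]
    return cur


def _as_list(value: Any) -> List[Any]:
    """ECS allows event.category / event.type as a scalar or an array; normalise."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _looks_interactive(args: List[str]) -> bool:
    """Assumption: an interactive shell gets no script path or command string,
    so everything after argv[0] is an option flag (e.g. "-i").

    dpkg legitimately runs maintainer scripts as
    ["sh", "/var/lib/dpkg/info/<pkg>.postinst", "configure"], and "sh -c ..."
    carries a command string, so both fall through as benign here.
    """
    return all(a.startswith("-") for a in args[1:])


def is_dpkg_shell_breakout(event: Dict[str, Any]) -> bool:
    """True when a process *start* event is a shell whose parent is dpkg."""
    if "process" not in _as_list(_field(event, "event.category")):
        return False
    if "start" not in _as_list(_field(event, "event.type")):
        return False
    if _field(event, "process.name") not in SHELL_NAMES:
        return False
    if _field(event, "process.parent.name") != "dpkg":
        return False
    return _looks_interactive(_field(event, "process.args") or [])


def find_breakouts(events: List[Dict[str, Any]]) -> List[int]:
    """Return the pids of all events that match the rule."""
    return [_field(e, "process.pid") for e in events if is_dpkg_shell_breakout(e)]


def _proc_event(pid: int, name: str, args: List[str], parent: str,
                event_type: str = "start") -> Dict[str, Any]:
    """Build a minimal ECS-shaped process event (constructed test data)."""
    return {
        "event": {"category": ["process"], "type": [event_type]},
        "process": {"pid": pid, "name": name, "args": args,
                    "parent": {"name": parent}},
    }


# Constructed sample events: one true positive among benign look-alikes.
SAMPLE_EVENTS = [
    # Interactive sh spawned directly by dpkg: the pattern the rule targets.
    _proc_event(4242, "sh", ["/bin/sh"], "dpkg"),
    # dpkg running a maintainer script during a normal package install.
    _proc_event(4301, "sh",
                ["/bin/sh", "/var/lib/dpkg/info/examplepkg.postinst", "configure"],
                "dpkg"),
    # A user's login shell; parent is sshd, not dpkg.
    _proc_event(4410, "bash", ["-bash"], "sshd"),
    # dpkg itself, started by apt-get; not a shell.
    _proc_event(4500, "dpkg", ["dpkg", "--configure", "-a"], "apt-get"),
    # bash -i under dpkg, but a process *end* event, which the rule ignores.
    _proc_event(4601, "bash", ["bash", "-i"], "dpkg", event_type="end"),
]


if __name__ == "__main__":
    print("matching pids:", find_breakouts(SAMPLE_EVENTS))  # [4242]
```

The same predicate maps directly onto an EQL `process where ...` query over logs-endpoint.events.* in the rule itself. The part a practitioner would tune is `_looks_interactive`: dpkg legitimately forks sh to run package maintainer scripts, so a rule keyed only on "shell whose parent is dpkg" would fire on every package install, and the shell-argument filter (or an equivalent exception list) is what keeps the rule usable.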

botelastic[bot] commented 2 years ago

This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. Thank you for your contributions.

shashank-elastic commented 4 months ago

Linux Restricted Shell Breakout via Linux Binary(s) has evolved to have multiple binaries. The intent was to provide a template for users to add in binaries that make sense to them. So this would be yet another binary and can be ignored for the prebuilt detection package.