
[New Rule] GTFOBin SUID Execution #3714

Closed Aegrah closed 3 months ago

Aegrah commented 4 months ago

Summary

This query lists the binaries in the GTFOBins SUID category and looks for executions where the real user/group ID (`user.Ext.real.id` / `group.Ext.real.id`) is not 0 while the effective ID (`user.id` / `group.id`) is 0, i.e. a non-root user running a binary that executes with root privileges — the signature of a SUID/SGID-root GTFOBin being (ab)used. It still needs some formatting, but it is actually rather performant: 0 false positives in my own test stack, and 7 flaggable entries (worth a closer look) in telemetry over the last 30 days.

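// GTFOBins SUID/SGID abuse: a non-root user executes a listed binary that ends up running with a
// root identity. Scope: Linux process exec events only.
process where host.os.type == "linux" and event.type == "start" and event.action == "exec" and
// Privilege check. user.id / group.id carry the effective IDs and *.Ext.real.id the real IDs (this is
// how the issue describes the fields); a real ID != 0 together with an effective ID of 0 means the
// process was started by a non-root principal but runs as root.
// The user and group conditions are OR-ed, not AND-ed: a setuid-root binary only changes the
// effective *user* ID (the effective group ID stays the caller's), and a setgid-root binary only
// changes the effective *group* ID. Requiring both would only ever match binaries that are setuid
// AND setgid root, or callers whose primary group already is root, and would miss a plain
// `chmod u+s` GTFOBin.
(
  (user.Ext.real.id != "0" and user.id == "0") or
  (group.Ext.real.id != "0" and group.id == "0")
) and (
  // Binary names from the GTFOBins SUID category; matching on the bare name covers any install path.
  process.name in (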
    "aa-exec", "ab", "agetty", "alpine", "ar", "arj", "arp", "as", "ascii-xfr", "ash", "aspell", "atobm", "awk", "base32", "base64", "basenc", "basez", "bash", "bc", "bridge", "busctl", "busybox", "bzip2", "cabal", "capsh", "cat", "choom", "chown", "chroot", "clamscan", "cmp", "column", "comm", "cp", "cpio", "cpulimit", "csh", "csplit", "csvtool", "cupsfilter", "curl", "cut", "dash", "date", "dd", "debugfs", "dialog", "diff", "dig", "distcc", "dmsetup", "docker", "dosbox", "ed", "efax", "elvish", "emacs", "env", "eqn", "espeak", "expand", "expect", "file", "find", "fish", "flock", "fmt", "fold", "gawk", "gcore", "gdb", "genie", "genisoimage", "gimp", "grep", "gtester", "gzip", "hd", "head", "hexdump", "highlight", "hping3", "iconv", "install", "ionice", "ip", "ispell", "jjs", "join", "jq", "jrunscript", "julia", "ksh", "ksshell", "kubectl", "ld.so", "less", "links", "logsave", "look", "lua", "make", "mawk", "minicom", "more", "mosquitto", "msgattrib", "msgcat", "msgconv", "msgfilter", "msgmerge", "msguniq", "multitime", "mv", "nasm", "nawk", "ncftp", "nft", "nice", "nl", "nm", "nmap", "node", "nohup", "ntpdate", "od", "openssl", "openvpn", "pandoc", "paste", "perf", "perl", "pexec", "pg", "php", "pidstat", "pr", "ptx", "python", "rc", "readelf", "restic", "rev", "rlwrap", "rsync", "rtorrent", "run-parts", "rview", "rvim", "sash", "scanmem", "sed", "setarch", "setfacl", "setlock", "shuf", "soelim", "softlimit", "sort", "sqlite3", "ss", "ssh-agent", "ssh-keygen", "ssh-keyscan", "sshpass", "start-stop-daemon", "stdbuf", "strace", "strings", "sysctl", "systemctl", "tac", "tail", "taskset", "tbl", "tclsh", "tee", "terraform", "tftp", "tic", "time", "timeout", "troff", "ul", "unexpand", "uniq", "unshare", "unsquashfs", "unzip", "update-alternatives", "uudecode", "uuencode", "vagrant", "varnishncsa", "view", "vigr", "vim", "vimdiff", "vipw", "w3m", "watch", "wc", "wget", "whiptail", "xargs", "xdotool", "xmodmap", "xmore", "xxd", "xz", "yash", "zsh", "zsoelim"
) or
  // The same GTFOBins set keyed on the full executable path, expanded across /bin, /usr/bin, /sbin
  // and /usr/sbin for now. If process.name is always the basename of process.executable this clause
  // is implied by the process.name clause above and adds no matches — confirm against Endpoint data
  // before deciding whether to keep it or trim it to per-distribution paths.
  process.executable in (
  "/bin/aa-exec", "/bin/ab", "/bin/agetty", "/bin/alpine", "/bin/ar", "/bin/arj", "/bin/arp", "/bin/as", "/bin/ascii-xfr", "/bin/ash", "/bin/aspell", "/bin/atobm", "/bin/awk", "/bin/base32", "/bin/base64", "/bin/basenc", "/bin/basez", "/bin/bash", "/bin/bc", "/bin/bridge", "/bin/busctl", "/bin/busybox", "/bin/bzip2", "/bin/cabal", "/bin/capsh", "/bin/cat", "/bin/choom", "/bin/chown", "/bin/chroot", "/bin/clamscan", "/bin/cmp", "/bin/column", "/bin/comm", "/bin/cp", "/bin/cpio", "/bin/cpulimit", "/bin/csh", "/bin/csplit", "/bin/csvtool", "/bin/cupsfilter", "/bin/curl", "/bin/cut", "/bin/dash", "/bin/date", "/bin/dd", "/bin/debugfs", "/bin/dialog", "/bin/diff", "/bin/dig", "/bin/distcc", "/bin/dmsetup", "/bin/docker", "/bin/dosbox", "/bin/ed", "/bin/efax", "/bin/elvish", "/bin/emacs", "/bin/env", "/bin/eqn", "/bin/espeak", "/bin/expand", "/bin/expect", "/bin/file", "/bin/find", "/bin/fish", "/bin/flock", "/bin/fmt", "/bin/fold", "/bin/gawk", "/bin/gcore", "/bin/gdb", "/bin/genie", "/bin/genisoimage", "/bin/gimp", "/bin/grep", "/bin/gtester", "/bin/gzip", "/bin/hd", "/bin/head", "/bin/hexdump", "/bin/highlight", "/bin/hping3", "/bin/iconv", "/bin/install", "/bin/ionice", "/bin/ip", "/bin/ispell", "/bin/jjs", "/bin/join", "/bin/jq", "/bin/jrunscript", "/bin/julia", "/bin/ksh", "/bin/ksshell", "/bin/kubectl", "/bin/ld.so", "/bin/less", "/bin/links", "/bin/logsave", "/bin/look", "/bin/lua", "/bin/make", "/bin/mawk", "/bin/minicom", "/bin/more", "/bin/mosquitto", "/bin/msgattrib", "/bin/msgcat", "/bin/msgconv", "/bin/msgfilter", "/bin/msgmerge", "/bin/msguniq", "/bin/multitime", "/bin/mv", "/bin/nasm", "/bin/nawk", "/bin/ncftp", "/bin/nft", "/bin/nice", "/bin/nl", "/bin/nm", "/bin/nmap", "/bin/node", "/bin/nohup", "/bin/ntpdate", "/bin/od", "/bin/openssl", "/bin/openvpn", "/bin/pandoc", "/bin/paste", "/bin/perf", "/bin/perl", "/bin/pexec", "/bin/pg", "/bin/php", "/bin/pidstat", "/bin/pr", "/bin/ptx", "/bin/python", "/bin/rc", "/bin/readelf", "/bin/restic", "/bin/rev", 
"/bin/rlwrap", "/bin/rsync", "/bin/rtorrent", "/bin/run-parts", "/bin/rview", "/bin/rvim", "/bin/sash", "/bin/scanmem", "/bin/sed", "/bin/setarch", "/bin/setfacl", "/bin/setlock", "/bin/shuf", "/bin/soelim", "/bin/softlimit", "/bin/sort", "/bin/sqlite3", "/bin/ss", "/bin/ssh-agent", "/bin/ssh-keygen", "/bin/ssh-keyscan", "/bin/sshpass", "/bin/start-stop-daemon", "/bin/stdbuf", "/bin/strace", "/bin/strings", "/bin/sysctl", "/bin/systemctl", "/bin/tac", "/bin/tail", "/bin/taskset", "/bin/tbl", "/bin/tclsh", "/bin/tee", "/bin/terraform", "/bin/tftp", "/bin/tic", "/bin/time", "/bin/timeout", "/bin/troff", "/bin/ul", "/bin/unexpand", "/bin/uniq", "/bin/unshare", "/bin/unsquashfs", "/bin/unzip", "/bin/update-alternatives", "/bin/uudecode", "/bin/uuencode", "/bin/vagrant", "/bin/varnishncsa", "/bin/view", "/bin/vigr", "/bin/vim", "/bin/vimdiff", "/bin/vipw", "/bin/w3m", "/bin/watch", "/bin/wc", "/bin/wget", "/bin/whiptail", "/bin/xargs", "/bin/xdotool", "/bin/xmodmap", "/bin/xmore", "/bin/xxd", "/bin/xz", "/bin/yash", "/bin/zsh", "/bin/zsoelim",

  "/usr/bin/aa-exec", "/usr/bin/ab", "/usr/bin/agetty", "/usr/bin/alpine", "/usr/bin/ar", "/usr/bin/arj", "/usr/bin/arp", "/usr/bin/as", "/usr/bin/ascii-xfr", "/usr/bin/ash", "/usr/bin/aspell", "/usr/bin/atobm", "/usr/bin/awk", "/usr/bin/base32", "/usr/bin/base64", "/usr/bin/basenc", "/usr/bin/basez", "/usr/bin/bash", "/usr/bin/bc", "/usr/bin/bridge", "/usr/bin/busctl", "/usr/bin/busybox", "/usr/bin/bzip2", "/usr/bin/cabal", "/usr/bin/capsh", "/usr/bin/cat", "/usr/bin/choom", "/usr/bin/chown", "/usr/bin/chroot", "/usr/bin/clamscan", "/usr/bin/cmp", "/usr/bin/column", "/usr/bin/comm", "/usr/bin/cp", "/usr/bin/cpio", "/usr/bin/cpulimit", "/usr/bin/csh", "/usr/bin/csplit", "/usr/bin/csvtool", "/usr/bin/cupsfilter", "/usr/bin/curl", "/usr/bin/cut", "/usr/bin/dash", "/usr/bin/date", "/usr/bin/dd", "/usr/bin/debugfs", "/usr/bin/dialog", "/usr/bin/diff", "/usr/bin/dig", "/usr/bin/distcc", "/usr/bin/dmsetup", "/usr/bin/docker", "/usr/bin/dosbox", "/usr/bin/ed", "/usr/bin/efax", "/usr/bin/elvish", "/usr/bin/emacs", "/usr/bin/env", "/usr/bin/eqn", "/usr/bin/espeak", "/usr/bin/expand", "/usr/bin/expect", "/usr/bin/file", "/usr/bin/find", "/usr/bin/fish", "/usr/bin/flock", "/usr/bin/fmt", "/usr/bin/fold", "/usr/bin/gawk", "/usr/bin/gcore", "/usr/bin/gdb", "/usr/bin/genie", "/usr/bin/genisoimage", "/usr/bin/gimp", "/usr/bin/grep", "/usr/bin/gtester", "/usr/bin/gzip", "/usr/bin/hd", "/usr/bin/head", "/usr/bin/hexdump", "/usr/bin/highlight", "/usr/bin/hping3", "/usr/bin/iconv", "/usr/bin/install", "/usr/bin/ionice", "/usr/bin/ip", "/usr/bin/ispell", "/usr/bin/jjs", "/usr/bin/join", "/usr/bin/jq", "/usr/bin/jrunscript", "/usr/bin/julia", "/usr/bin/ksh", "/usr/bin/ksshell", "/usr/bin/kubectl", "/usr/bin/ld.so", "/usr/bin/less", "/usr/bin/links", "/usr/bin/logsave", "/usr/bin/look", "/usr/bin/lua", "/usr/bin/make", "/usr/bin/mawk", "/usr/bin/minicom", "/usr/bin/more", "/usr/bin/mosquitto", "/usr/bin/msgattrib", "/usr/bin/msgcat", "/usr/bin/msgconv", "/usr/bin/msgfilter", 
"/usr/bin/msgmerge", "/usr/bin/msguniq", "/usr/bin/multitime", "/usr/bin/mv", "/usr/bin/nasm", "/usr/bin/nawk", "/usr/bin/ncftp", "/usr/bin/nft", "/usr/bin/nice", "/usr/bin/nl", "/usr/bin/nm", "/usr/bin/nmap", "/usr/bin/node", "/usr/bin/nohup", "/usr/bin/ntpdate", "/usr/bin/od", "/usr/bin/openssl", "/usr/bin/openvpn", "/usr/bin/pandoc", "/usr/bin/paste", "/usr/bin/perf", "/usr/bin/perl", "/usr/bin/pexec", "/usr/bin/pg", "/usr/bin/php", "/usr/bin/pidstat", "/usr/bin/pr", "/usr/bin/ptx", "/usr/bin/python", "/usr/bin/rc", "/usr/bin/readelf", "/usr/bin/restic", "/usr/bin/rev", "/usr/bin/rlwrap", "/usr/bin/rsync", "/usr/bin/rtorrent", "/usr/bin/run-parts", "/usr/bin/rview", "/usr/bin/rvim", "/usr/bin/sash", "/usr/bin/scanmem", "/usr/bin/sed", "/usr/bin/setarch", "/usr/bin/setfacl", "/usr/bin/setlock", "/usr/bin/shuf", "/usr/bin/soelim", "/usr/bin/softlimit", "/usr/bin/sort", "/usr/bin/sqlite3", "/usr/bin/ss", "/usr/bin/ssh-agent", "/usr/bin/ssh-keygen", "/usr/bin/ssh-keyscan", "/usr/bin/sshpass", "/usr/bin/start-stop-daemon", "/usr/bin/stdbuf", "/usr/bin/strace", "/usr/bin/strings", "/usr/bin/sysctl", "/usr/bin/systemctl", "/usr/bin/tac", "/usr/bin/tail", "/usr/bin/taskset", "/usr/bin/tbl", "/usr/bin/tclsh", "/usr/bin/tee", "/usr/bin/terraform", "/usr/bin/tftp", "/usr/bin/tic", "/usr/bin/time", "/usr/bin/timeout", "/usr/bin/troff", "/usr/bin/ul", "/usr/bin/unexpand", "/usr/bin/uniq", "/usr/bin/unshare", "/usr/bin/unsquashfs", "/usr/bin/unzip", "/usr/bin/update-alternatives", "/usr/bin/uudecode", "/usr/bin/uuencode", "/usr/bin/vagrant", "/usr/bin/varnishncsa", "/usr/bin/view", "/usr/bin/vigr", "/usr/bin/vim", "/usr/bin/vimdiff", "/usr/bin/vipw", "/usr/bin/w3m", "/usr/bin/watch", "/usr/bin/wc", "/usr/bin/wget", "/usr/bin/whiptail", "/usr/bin/xargs", "/usr/bin/xdotool", "/usr/bin/xmodmap", "/usr/bin/xmore", "/usr/bin/xxd", "/usr/bin/xz", "/usr/bin/yash", "/usr/bin/zsh", "/usr/bin/zsoelim", 

  "/sbin/aa-exec", "/sbin/ab", "/sbin/agetty", "/sbin/alpine", "/sbin/ar", "/sbin/arj", "/sbin/arp", "/sbin/as", "/sbin/ascii-xfr", "/sbin/ash", "/sbin/aspell", "/sbin/atobm", "/sbin/awk", "/sbin/base32", "/sbin/base64", "/sbin/basenc", "/sbin/basez", "/sbin/bash", "/sbin/bc", "/sbin/bridge", "/sbin/busctl", "/sbin/busybox", "/sbin/bzip2", "/sbin/cabal", "/sbin/capsh", "/sbin/cat", "/sbin/choom", "/sbin/chown", "/sbin/chroot", "/sbin/clamscan", "/sbin/cmp", "/sbin/column", "/sbin/comm", "/sbin/cp", "/sbin/cpio", "/sbin/cpulimit", "/sbin/csh", "/sbin/csplit", "/sbin/csvtool", "/sbin/cupsfilter", "/sbin/curl", "/sbin/cut", "/sbin/dash", "/sbin/date", "/sbin/dd", "/sbin/debugfs", "/sbin/dialog", "/sbin/diff", "/sbin/dig", "/sbin/distcc", "/sbin/dmsetup", "/sbin/docker", "/sbin/dosbox", "/sbin/ed", "/sbin/efax", "/sbin/elvish", "/sbin/emacs", "/sbin/env", "/sbin/eqn", "/sbin/espeak", "/sbin/expand", "/sbin/expect", "/sbin/file", "/sbin/find", "/sbin/fish", "/sbin/flock", "/sbin/fmt", "/sbin/fold", "/sbin/gawk", "/sbin/gcore", "/sbin/gdb", "/sbin/genie", "/sbin/genisoimage", "/sbin/gimp", "/sbin/grep", "/sbin/gtester", "/sbin/gzip", "/sbin/hd", "/sbin/head", "/sbin/hexdump", "/sbin/highlight", "/sbin/hping3", "/sbin/iconv", "/sbin/install", "/sbin/ionice", "/sbin/ip", "/sbin/ispell", "/sbin/jjs", "/sbin/join", "/sbin/jq", "/sbin/jrunscript", "/sbin/julia", "/sbin/ksh", "/sbin/ksshell", "/sbin/kubectl", "/sbin/ld.so", "/sbin/less", "/sbin/links", "/sbin/logsave", "/sbin/look", "/sbin/lua", "/sbin/make", "/sbin/mawk", "/sbin/minicom", "/sbin/more", "/sbin/mosquitto", "/sbin/msgattrib", "/sbin/msgcat", "/sbin/msgconv", "/sbin/msgfilter", "/sbin/msgmerge", "/sbin/msguniq", "/sbin/multitime", "/sbin/mv", "/sbin/nasm", "/sbin/nawk", "/sbin/ncftp", "/sbin/nft", "/sbin/nice", "/sbin/nl", "/sbin/nm", "/sbin/nmap", "/sbin/node", "/sbin/nohup", "/sbin/ntpdate", "/sbin/od", "/sbin/openssl", "/sbin/openvpn", "/sbin/pandoc", "/sbin/paste", "/sbin/perf", "/sbin/perl", "/sbin/pexec", 
"/sbin/pg", "/sbin/php", "/sbin/pidstat", "/sbin/pr", "/sbin/ptx", "/sbin/python", "/sbin/rc", "/sbin/readelf", "/sbin/restic", "/sbin/rev", "/sbin/rlwrap", "/sbin/rsync", "/sbin/rtorrent", "/sbin/run-parts", "/sbin/rview", "/sbin/rvim", "/sbin/sash", "/sbin/scanmem", "/sbin/sed", "/sbin/setarch", "/sbin/setfacl", "/sbin/setlock", "/sbin/shuf", "/sbin/soelim", "/sbin/softlimit", "/sbin/sort", "/sbin/sqlite3", "/sbin/ss", "/sbin/ssh-agent", "/sbin/ssh-keygen", "/sbin/ssh-keyscan", "/sbin/sshpass", "/sbin/start-stop-daemon", "/sbin/stdbuf", "/sbin/strace", "/sbin/strings", "/sbin/sysctl", "/sbin/systemctl", "/sbin/tac", "/sbin/tail", "/sbin/taskset", "/sbin/tbl", "/sbin/tclsh", "/sbin/tee", "/sbin/terraform", "/sbin/tftp", "/sbin/tic", "/sbin/time", "/sbin/timeout", "/sbin/troff", "/sbin/ul", "/sbin/unexpand", "/sbin/uniq", "/sbin/unshare", "/sbin/unsquashfs", "/sbin/unzip", "/sbin/update-alternatives", "/sbin/uudecode", "/sbin/uuencode", "/sbin/vagrant", "/sbin/varnishncsa", "/sbin/view", "/sbin/vigr", "/sbin/vim", "/sbin/vimdiff", "/sbin/vipw", "/sbin/w3m", "/sbin/watch", "/sbin/wc", "/sbin/wget", "/sbin/whiptail", "/sbin/xargs", "/sbin/xdotool", "/sbin/xmodmap", "/sbin/xmore", "/sbin/xxd", "/sbin/xz", "/sbin/yash", "/sbin/zsh", "/sbin/zsoelim",

  "/usr/sbin/aa-exec", "/usr/sbin/ab", "/usr/sbin/agetty", "/usr/sbin/alpine", "/usr/sbin/ar", "/usr/sbin/arj", "/usr/sbin/arp", "/usr/sbin/as", "/usr/sbin/ascii-xfr", "/usr/sbin/ash", "/usr/sbin/aspell", "/usr/sbin/atobm", "/usr/sbin/awk", "/usr/sbin/base32", "/usr/sbin/base64", "/usr/sbin/basenc", "/usr/sbin/basez", "/usr/sbin/bash", "/usr/sbin/bc", "/usr/sbin/bridge", "/usr/sbin/busctl", "/usr/sbin/busybox", "/usr/sbin/bzip2", "/usr/sbin/cabal", "/usr/sbin/capsh", "/usr/sbin/cat", "/usr/sbin/chmod", "/usr/sbin/choom", "/usr/sbin/chown", "/usr/sbin/chroot", "/usr/sbin/clamscan", "/usr/sbin/cmp", "/usr/sbin/column", "/usr/sbin/comm", "/usr/sbin/cp", "/usr/sbin/cpio", "/usr/sbin/cpulimit", "/usr/sbin/csh", "/usr/sbin/csplit", "/usr/sbin/csvtool", "/usr/sbin/cupsfilter", "/usr/sbin/curl", "/usr/sbin/cut", "/usr/sbin/dash", "/usr/sbin/date", "/usr/sbin/dd", "/usr/sbin/debugfs", "/usr/sbin/dialog", "/usr/sbin/diff", "/usr/sbin/dig", "/usr/sbin/distcc", "/usr/sbin/dmsetup", "/usr/sbin/docker", "/usr/sbin/dosbox", "/usr/sbin/ed", "/usr/sbin/efax", "/usr/sbin/elvish", "/usr/sbin/emacs", "/usr/sbin/env", "/usr/sbin/eqn", "/usr/sbin/espeak", "/usr/sbin/expand", "/usr/sbin/expect", "/usr/sbin/file", "/usr/sbin/find", "/usr/sbin/fish", "/usr/sbin/flock", "/usr/sbin/fmt", "/usr/sbin/fold", "/usr/sbin/gawk", "/usr/sbin/gcore", "/usr/sbin/gdb", "/usr/sbin/genie", "/usr/sbin/genisoimage", "/usr/sbin/gimp", "/usr/sbin/grep", "/usr/sbin/gtester", "/usr/sbin/gzip", "/usr/sbin/hd", "/usr/sbin/head", "/usr/sbin/hexdump", "/usr/sbin/highlight", "/usr/sbin/hping3", "/usr/sbin/iconv", "/usr/sbin/install", "/usr/sbin/ionice", "/usr/sbin/ip", "/usr/sbin/ispell", "/usr/sbin/jjs", "/usr/sbin/join", "/usr/sbin/jq", "/usr/sbin/jrunscript", "/usr/sbin/julia", "/usr/sbin/ksh", "/usr/sbin/ksshell", "/usr/sbin/kubectl", "/usr/sbin/ld.so", "/usr/sbin/less", "/usr/sbin/links", "/usr/sbin/logsave", "/usr/sbin/look", "/usr/sbin/lua", "/usr/sbin/make", "/usr/sbin/mawk", "/usr/sbin/minicom", 
"/usr/sbin/more", "/usr/sbin/mosquitto", "/usr/sbin/msgattrib", "/usr/sbin/msgcat", "/usr/sbin/msgconv", "/usr/sbin/msgfilter", "/usr/sbin/msgmerge", "/usr/sbin/msguniq", "/usr/sbin/multitime", "/usr/sbin/mv", "/usr/sbin/nasm", "/usr/sbin/nawk", "/usr/sbin/ncftp", "/usr/sbin/nft", "/usr/sbin/nice", "/usr/sbin/nl", "/usr/sbin/nm", "/usr/sbin/nmap", "/usr/sbin/node", "/usr/sbin/nohup", "/usr/sbin/ntpdate", "/usr/sbin/od", "/usr/sbin/openssl", "/usr/sbin/openvpn", "/usr/sbin/pandoc", "/usr/sbin/paste", "/usr/sbin/perf", "/usr/sbin/perl", "/usr/sbin/pexec", "/usr/sbin/pg", "/usr/sbin/php", "/usr/sbin/pidstat", "/usr/sbin/pr", "/usr/sbin/ptx", "/usr/sbin/python", "/usr/sbin/rc", "/usr/sbin/readelf", "/usr/sbin/restic", "/usr/sbin/rev", "/usr/sbin/rlwrap", "/usr/sbin/rsync", "/usr/sbin/rtorrent", "/usr/sbin/run-parts", "/usr/sbin/rview", "/usr/sbin/rvim", "/usr/sbin/sash", "/usr/sbin/scanmem", "/usr/sbin/sed", "/usr/sbin/setarch", "/usr/sbin/setfacl", "/usr/sbin/setlock", "/usr/sbin/shuf", "/usr/sbin/soelim", "/usr/sbin/softlimit", "/usr/sbin/sort", "/usr/sbin/sqlite3", "/usr/sbin/ss", "/usr/sbin/ssh-agent", "/usr/sbin/ssh-keygen", "/usr/sbin/ssh-keyscan", "/usr/sbin/sshpass", "/usr/sbin/start-stop-daemon", "/usr/sbin/stdbuf", "/usr/sbin/strace", "/usr/sbin/strings", "/usr/sbin/sysctl", "/usr/sbin/systemctl", "/usr/sbin/tac", "/usr/sbin/tail", "/usr/sbin/taskset", "/usr/sbin/tbl", "/usr/sbin/tclsh", "/usr/sbin/tee", "/usr/sbin/terraform", "/usr/sbin/tftp", "/usr/sbin/tic", "/usr/sbin/time", "/usr/sbin/timeout", "/usr/sbin/troff", "/usr/sbin/ul", "/usr/sbin/unexpand", "/usr/sbin/uniq", "/usr/sbin/unshare", "/usr/sbin/unsquashfs", "/usr/sbin/unzip", "/usr/sbin/update-alternatives", "/usr/sbin/uudecode", "/usr/sbin/uuencode", "/usr/sbin/vagrant", "/usr/sbin/varnishncsa", "/usr/sbin/view", "/usr/sbin/vigr", "/usr/sbin/vim", "/usr/sbin/vimdiff", "/usr/sbin/vipw", "/usr/sbin/w3m", "/usr/sbin/watch", "/usr/sbin/wc", "/usr/sbin/wget", "/usr/sbin/whiptail", "/usr/sbin/xargs", 
"/usr/sbin/xdotool", "/usr/sbin/xmodmap", "/usr/sbin/xmore", "/usr/sbin/xxd", "/usr/sbin/xz", "/usr/sbin/yash", "/usr/sbin/zsh", "/usr/sbin/zsoelim"
  )
) and
// Known-benign exclusion: the openssh-client package maintainer script. Presumably observed during
// testing as a legitimate source of a matching exec; confirm on the target distributions before
// relying on it.
not process.parent.name == "openssh-client.postinst"

SUID privileges granted to GTFOBin

We can also detect the SUID/SGID bit being granted (via `chmod`) to a suspicious binary, using the same GTFOBins list as a watchlist of known-abusable targets:

Telemetry for the last year shows only 1 hit, which was a true positive.

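// chmod invocations that set the setuid and/or setgid bit on a GTFOBins binary.
process where host.os.type == "linux" and event.type == "start" and event.action == "exec" and
process.name == "chmod" and
// Mode argument. A numeric mode that sets setuid (4) and/or setgid (2) is four octal digits whose
// leading digit is 2..7 (1xxx is sticky only). Anchoring to exactly four characters with "?" avoids
// the original "4*"/"2*"/"6*" prefixes matching ordinary three-digit modes such as 644, 600 or 444,
// and 3xxx/5xxx/7xxx (setgid/setuid combined with sticky) are now covered as well.
// Symbolic forms cover the common u/g/ug/a/implicit "+s" spellings; combined symbolic modes such as
// "u+xs" and leading-zero numeric modes such as "04755" are still not matched.
process.args : ("2???", "3???", "4???", "5???", "6???", "7???", "u+s", "g+s", "ug+s", "a+s", "+s") and
// A parent process name must be present for the event to match.
process.parent.name != null and
// Target must be a GTFOBins binary, given as the bare name or one of four hardcoded install paths.
process.args in (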
    "aa-exec", "ab", "agetty", "alpine", "ar", "arj", "arp", "as", "ascii-xfr", "ash", "aspell", "atobm", "awk", "base32", "base64", "basenc", "basez", "bash", "bc", "bridge", "busctl", "busybox", "bzip2", "cabal", "capsh", "cat", "choom", "chown", "chroot", "clamscan", "cmp", "column", "comm", "cp", "cpio", "cpulimit", "csh", "csplit", "csvtool", "cupsfilter", "curl", "cut", "dash", "date", "dd", "debugfs", "dialog", "diff", "dig", "distcc", "dmsetup", "docker", "dosbox", "ed", "efax", "elvish", "emacs", "env", "eqn", "espeak", "expand", "expect", "file", "find", "fish", "flock", "fmt", "fold", "gawk", "gcore", "gdb", "genie", "genisoimage", "gimp", "grep", "gtester", "gzip", "hd", "head", "hexdump", "highlight", "hping3", "iconv", "install", "ionice", "ip", "ispell", "jjs", "join", "jq", "jrunscript", "julia", "ksh", "ksshell", "kubectl", "ld.so", "less", "links", "logsave", "look", "lua", "make", "mawk", "minicom", "more", "mosquitto", "msgattrib", "msgcat", "msgconv", "msgfilter", "msgmerge", "msguniq", "multitime", "mv", "nasm", "nawk", "ncftp", "nft", "nice", "nl", "nm", "nmap", "node", "nohup", "ntpdate", "od", "openssl", "openvpn", "pandoc", "paste", "perf", "perl", "pexec", "pg", "php", "pidstat", "pr", "ptx", "python", "rc", "readelf", "restic", "rev", "rlwrap", "rsync", "rtorrent", "run-parts", "rview", "rvim", "sash", "scanmem", "sed", "setarch", "setfacl", "setlock", "shuf", "soelim", "softlimit", "sort", "sqlite3", "ss", "ssh-agent", "ssh-keygen", "ssh-keyscan", "sshpass", "start-stop-daemon", "stdbuf", "strace", "strings", "sysctl", "systemctl", "tac", "tail", "taskset", "tbl", "tclsh", "tee", "terraform", "tftp", "tic", "time", "timeout", "troff", "ul", "unexpand", "uniq", "unshare", "unsquashfs", "unzip", "update-alternatives", "uudecode", "uuencode", "vagrant", "varnishncsa", "view", "vigr", "vim", "vimdiff", "vipw", "w3m", "watch", "wc", "wget", "whiptail", "xargs", "xdotool", "xmodmap", "xmore", "xxd", "xz", "yash", "zsh", "zsoelim", 

  "/bin/aa-exec", "/bin/ab", "/bin/agetty", "/bin/alpine", "/bin/ar", "/bin/arj", "/bin/arp", "/bin/as", "/bin/ascii-xfr", "/bin/ash", "/bin/aspell", "/bin/atobm", "/bin/awk", "/bin/base32", "/bin/base64", "/bin/basenc", "/bin/basez", "/bin/bash", "/bin/bc", "/bin/bridge", "/bin/busctl", "/bin/busybox", "/bin/bzip2", "/bin/cabal", "/bin/capsh", "/bin/cat", "/bin/choom", "/bin/chown", "/bin/chroot", "/bin/clamscan", "/bin/cmp", "/bin/column", "/bin/comm", "/bin/cp", "/bin/cpio", "/bin/cpulimit", "/bin/csh", "/bin/csplit", "/bin/csvtool", "/bin/cupsfilter", "/bin/curl", "/bin/cut", "/bin/dash", "/bin/date", "/bin/dd", "/bin/debugfs", "/bin/dialog", "/bin/diff", "/bin/dig", "/bin/distcc", "/bin/dmsetup", "/bin/docker", "/bin/dosbox", "/bin/ed", "/bin/efax", "/bin/elvish", "/bin/emacs", "/bin/env", "/bin/eqn", "/bin/espeak", "/bin/expand", "/bin/expect", "/bin/file", "/bin/find", "/bin/fish", "/bin/flock", "/bin/fmt", "/bin/fold", "/bin/gawk", "/bin/gcore", "/bin/gdb", "/bin/genie", "/bin/genisoimage", "/bin/gimp", "/bin/grep", "/bin/gtester", "/bin/gzip", "/bin/hd", "/bin/head", "/bin/hexdump", "/bin/highlight", "/bin/hping3", "/bin/iconv", "/bin/install", "/bin/ionice", "/bin/ip", "/bin/ispell", "/bin/jjs", "/bin/join", "/bin/jq", "/bin/jrunscript", "/bin/julia", "/bin/ksh", "/bin/ksshell", "/bin/kubectl", "/bin/ld.so", "/bin/less", "/bin/links", "/bin/logsave", "/bin/look", "/bin/lua", "/bin/make", "/bin/mawk", "/bin/minicom", "/bin/more", "/bin/mosquitto", "/bin/msgattrib", "/bin/msgcat", "/bin/msgconv", "/bin/msgfilter", "/bin/msgmerge", "/bin/msguniq", "/bin/multitime", "/bin/mv", "/bin/nasm", "/bin/nawk", "/bin/ncftp", "/bin/nft", "/bin/nice", "/bin/nl", "/bin/nm", "/bin/nmap", "/bin/node", "/bin/nohup", "/bin/ntpdate", "/bin/od", "/bin/openssl", "/bin/openvpn", "/bin/pandoc", "/bin/paste", "/bin/perf", "/bin/perl", "/bin/pexec", "/bin/pg", "/bin/php", "/bin/pidstat", "/bin/pr", "/bin/ptx", "/bin/python", "/bin/rc", "/bin/readelf", "/bin/restic", "/bin/rev", 
"/bin/rlwrap", "/bin/rsync", "/bin/rtorrent", "/bin/run-parts", "/bin/rview", "/bin/rvim", "/bin/sash", "/bin/scanmem", "/bin/sed", "/bin/setarch", "/bin/setfacl", "/bin/setlock", "/bin/shuf", "/bin/soelim", "/bin/softlimit", "/bin/sort", "/bin/sqlite3", "/bin/ss", "/bin/ssh-agent", "/bin/ssh-keygen", "/bin/ssh-keyscan", "/bin/sshpass", "/bin/start-stop-daemon", "/bin/stdbuf", "/bin/strace", "/bin/strings", "/bin/sysctl", "/bin/systemctl", "/bin/tac", "/bin/tail", "/bin/taskset", "/bin/tbl", "/bin/tclsh", "/bin/tee", "/bin/terraform", "/bin/tftp", "/bin/tic", "/bin/time", "/bin/timeout", "/bin/troff", "/bin/ul", "/bin/unexpand", "/bin/uniq", "/bin/unshare", "/bin/unsquashfs", "/bin/unzip", "/bin/update-alternatives", "/bin/uudecode", "/bin/uuencode", "/bin/vagrant", "/bin/varnishncsa", "/bin/view", "/bin/vigr", "/bin/vim", "/bin/vimdiff", "/bin/vipw", "/bin/w3m", "/bin/watch", "/bin/wc", "/bin/wget", "/bin/whiptail", "/bin/xargs", "/bin/xdotool", "/bin/xmodmap", "/bin/xmore", "/bin/xxd", "/bin/xz", "/bin/yash", "/bin/zsh", "/bin/zsoelim",

  "/usr/bin/aa-exec", "/usr/bin/ab", "/usr/bin/agetty", "/usr/bin/alpine", "/usr/bin/ar", "/usr/bin/arj", "/usr/bin/arp", "/usr/bin/as", "/usr/bin/ascii-xfr", "/usr/bin/ash", "/usr/bin/aspell", "/usr/bin/atobm", "/usr/bin/awk", "/usr/bin/base32", "/usr/bin/base64", "/usr/bin/basenc", "/usr/bin/basez", "/usr/bin/bash", "/usr/bin/bc", "/usr/bin/bridge", "/usr/bin/busctl", "/usr/bin/busybox", "/usr/bin/bzip2", "/usr/bin/cabal", "/usr/bin/capsh", "/usr/bin/cat", "/usr/bin/choom", "/usr/bin/chown", "/usr/bin/chroot", "/usr/bin/clamscan", "/usr/bin/cmp", "/usr/bin/column", "/usr/bin/comm", "/usr/bin/cp", "/usr/bin/cpio", "/usr/bin/cpulimit", "/usr/bin/csh", "/usr/bin/csplit", "/usr/bin/csvtool", "/usr/bin/cupsfilter", "/usr/bin/curl", "/usr/bin/cut", "/usr/bin/dash", "/usr/bin/date", "/usr/bin/dd", "/usr/bin/debugfs", "/usr/bin/dialog", "/usr/bin/diff", "/usr/bin/dig", "/usr/bin/distcc", "/usr/bin/dmsetup", "/usr/bin/docker", "/usr/bin/dosbox", "/usr/bin/ed", "/usr/bin/efax", "/usr/bin/elvish", "/usr/bin/emacs", "/usr/bin/env", "/usr/bin/eqn", "/usr/bin/espeak", "/usr/bin/expand", "/usr/bin/expect", "/usr/bin/file", "/usr/bin/find", "/usr/bin/fish", "/usr/bin/flock", "/usr/bin/fmt", "/usr/bin/fold", "/usr/bin/gawk", "/usr/bin/gcore", "/usr/bin/gdb", "/usr/bin/genie", "/usr/bin/genisoimage", "/usr/bin/gimp", "/usr/bin/grep", "/usr/bin/gtester", "/usr/bin/gzip", "/usr/bin/hd", "/usr/bin/head", "/usr/bin/hexdump", "/usr/bin/highlight", "/usr/bin/hping3", "/usr/bin/iconv", "/usr/bin/install", "/usr/bin/ionice", "/usr/bin/ip", "/usr/bin/ispell", "/usr/bin/jjs", "/usr/bin/join", "/usr/bin/jq", "/usr/bin/jrunscript", "/usr/bin/julia", "/usr/bin/ksh", "/usr/bin/ksshell", "/usr/bin/kubectl", "/usr/bin/ld.so", "/usr/bin/less", "/usr/bin/links", "/usr/bin/logsave", "/usr/bin/look", "/usr/bin/lua", "/usr/bin/make", "/usr/bin/mawk", "/usr/bin/minicom", "/usr/bin/more", "/usr/bin/mosquitto", "/usr/bin/msgattrib", "/usr/bin/msgcat", "/usr/bin/msgconv", "/usr/bin/msgfilter", 
"/usr/bin/msgmerge", "/usr/bin/msguniq", "/usr/bin/multitime", "/usr/bin/mv", "/usr/bin/nasm", "/usr/bin/nawk", "/usr/bin/ncftp", "/usr/bin/nft", "/usr/bin/nice", "/usr/bin/nl", "/usr/bin/nm", "/usr/bin/nmap", "/usr/bin/node", "/usr/bin/nohup", "/usr/bin/ntpdate", "/usr/bin/od", "/usr/bin/openssl", "/usr/bin/openvpn", "/usr/bin/pandoc", "/usr/bin/paste", "/usr/bin/perf", "/usr/bin/perl", "/usr/bin/pexec", "/usr/bin/pg", "/usr/bin/php", "/usr/bin/pidstat", "/usr/bin/pr", "/usr/bin/ptx", "/usr/bin/python", "/usr/bin/rc", "/usr/bin/readelf", "/usr/bin/restic", "/usr/bin/rev", "/usr/bin/rlwrap", "/usr/bin/rsync", "/usr/bin/rtorrent", "/usr/bin/run-parts", "/usr/bin/rview", "/usr/bin/rvim", "/usr/bin/sash", "/usr/bin/scanmem", "/usr/bin/sed", "/usr/bin/setarch", "/usr/bin/setfacl", "/usr/bin/setlock", "/usr/bin/shuf", "/usr/bin/soelim", "/usr/bin/softlimit", "/usr/bin/sort", "/usr/bin/sqlite3", "/usr/bin/ss", "/usr/bin/ssh-agent", "/usr/bin/ssh-keygen", "/usr/bin/ssh-keyscan", "/usr/bin/sshpass", "/usr/bin/start-stop-daemon", "/usr/bin/stdbuf", "/usr/bin/strace", "/usr/bin/strings", "/usr/bin/sysctl", "/usr/bin/systemctl", "/usr/bin/tac", "/usr/bin/tail", "/usr/bin/taskset", "/usr/bin/tbl", "/usr/bin/tclsh", "/usr/bin/tee", "/usr/bin/terraform", "/usr/bin/tftp", "/usr/bin/tic", "/usr/bin/time", "/usr/bin/timeout", "/usr/bin/troff", "/usr/bin/ul", "/usr/bin/unexpand", "/usr/bin/uniq", "/usr/bin/unshare", "/usr/bin/unsquashfs", "/usr/bin/unzip", "/usr/bin/update-alternatives", "/usr/bin/uudecode", "/usr/bin/uuencode", "/usr/bin/vagrant", "/usr/bin/varnishncsa", "/usr/bin/view", "/usr/bin/vigr", "/usr/bin/vim", "/usr/bin/vimdiff", "/usr/bin/vipw", "/usr/bin/w3m", "/usr/bin/watch", "/usr/bin/wc", "/usr/bin/wget", "/usr/bin/whiptail", "/usr/bin/xargs", "/usr/bin/xdotool", "/usr/bin/xmodmap", "/usr/bin/xmore", "/usr/bin/xxd", "/usr/bin/xz", "/usr/bin/yash", "/usr/bin/zsh", "/usr/bin/zsoelim", 

  "/sbin/aa-exec", "/sbin/ab", "/sbin/agetty", "/sbin/alpine", "/sbin/ar", "/sbin/arj", "/sbin/arp", "/sbin/as", "/sbin/ascii-xfr", "/sbin/ash", "/sbin/aspell", "/sbin/atobm", "/sbin/awk", "/sbin/base32", "/sbin/base64", "/sbin/basenc", "/sbin/basez", "/sbin/bash", "/sbin/bc", "/sbin/bridge", "/sbin/busctl", "/sbin/busybox", "/sbin/bzip2", "/sbin/cabal", "/sbin/capsh", "/sbin/cat", "/sbin/choom", "/sbin/chown", "/sbin/chroot", "/sbin/clamscan", "/sbin/cmp", "/sbin/column", "/sbin/comm", "/sbin/cp", "/sbin/cpio", "/sbin/cpulimit", "/sbin/csh", "/sbin/csplit", "/sbin/csvtool", "/sbin/cupsfilter", "/sbin/curl", "/sbin/cut", "/sbin/dash", "/sbin/date", "/sbin/dd", "/sbin/debugfs", "/sbin/dialog", "/sbin/diff", "/sbin/dig", "/sbin/distcc", "/sbin/dmsetup", "/sbin/docker", "/sbin/dosbox", "/sbin/ed", "/sbin/efax", "/sbin/elvish", "/sbin/emacs", "/sbin/env", "/sbin/eqn", "/sbin/espeak", "/sbin/expand", "/sbin/expect", "/sbin/file", "/sbin/find", "/sbin/fish", "/sbin/flock", "/sbin/fmt", "/sbin/fold", "/sbin/gawk", "/sbin/gcore", "/sbin/gdb", "/sbin/genie", "/sbin/genisoimage", "/sbin/gimp", "/sbin/grep", "/sbin/gtester", "/sbin/gzip", "/sbin/hd", "/sbin/head", "/sbin/hexdump", "/sbin/highlight", "/sbin/hping3", "/sbin/iconv", "/sbin/install", "/sbin/ionice", "/sbin/ip", "/sbin/ispell", "/sbin/jjs", "/sbin/join", "/sbin/jq", "/sbin/jrunscript", "/sbin/julia", "/sbin/ksh", "/sbin/ksshell", "/sbin/kubectl", "/sbin/ld.so", "/sbin/less", "/sbin/links", "/sbin/logsave", "/sbin/look", "/sbin/lua", "/sbin/make", "/sbin/mawk", "/sbin/minicom", "/sbin/more", "/sbin/mosquitto", "/sbin/msgattrib", "/sbin/msgcat", "/sbin/msgconv", "/sbin/msgfilter", "/sbin/msgmerge", "/sbin/msguniq", "/sbin/multitime", "/sbin/mv", "/sbin/nasm", "/sbin/nawk", "/sbin/ncftp", "/sbin/nft", "/sbin/nice", "/sbin/nl", "/sbin/nm", "/sbin/nmap", "/sbin/node", "/sbin/nohup", "/sbin/ntpdate", "/sbin/od", "/sbin/openssl", "/sbin/openvpn", "/sbin/pandoc", "/sbin/paste", "/sbin/perf", "/sbin/perl", "/sbin/pexec", 
"/sbin/pg", "/sbin/php", "/sbin/pidstat", "/sbin/pr", "/sbin/ptx", "/sbin/python", "/sbin/rc", "/sbin/readelf", "/sbin/restic", "/sbin/rev", "/sbin/rlwrap", "/sbin/rsync", "/sbin/rtorrent", "/sbin/run-parts", "/sbin/rview", "/sbin/rvim", "/sbin/sash", "/sbin/scanmem", "/sbin/sed", "/sbin/setarch", "/sbin/setfacl", "/sbin/setlock", "/sbin/shuf", "/sbin/soelim", "/sbin/softlimit", "/sbin/sort", "/sbin/sqlite3", "/sbin/ss", "/sbin/ssh-agent", "/sbin/ssh-keygen", "/sbin/ssh-keyscan", "/sbin/sshpass", "/sbin/start-stop-daemon", "/sbin/stdbuf", "/sbin/strace", "/sbin/strings", "/sbin/sysctl", "/sbin/systemctl", "/sbin/tac", "/sbin/tail", "/sbin/taskset", "/sbin/tbl", "/sbin/tclsh", "/sbin/tee", "/sbin/terraform", "/sbin/tftp", "/sbin/tic", "/sbin/time", "/sbin/timeout", "/sbin/troff", "/sbin/ul", "/sbin/unexpand", "/sbin/uniq", "/sbin/unshare", "/sbin/unsquashfs", "/sbin/unzip", "/sbin/update-alternatives", "/sbin/uudecode", "/sbin/uuencode", "/sbin/vagrant", "/sbin/varnishncsa", "/sbin/view", "/sbin/vigr", "/sbin/vim", "/sbin/vimdiff", "/sbin/vipw", "/sbin/w3m", "/sbin/watch", "/sbin/wc", "/sbin/wget", "/sbin/whiptail", "/sbin/xargs", "/sbin/xdotool", "/sbin/xmodmap", "/sbin/xmore", "/sbin/xxd", "/sbin/xz", "/sbin/yash", "/sbin/zsh", "/sbin/zsoelim",

  "/usr/sbin/aa-exec", "/usr/sbin/ab", "/usr/sbin/agetty", "/usr/sbin/alpine", "/usr/sbin/ar", "/usr/sbin/arj", "/usr/sbin/arp", "/usr/sbin/as", "/usr/sbin/ascii-xfr", "/usr/sbin/ash", "/usr/sbin/aspell", "/usr/sbin/atobm", "/usr/sbin/awk", "/usr/sbin/base32", "/usr/sbin/base64", "/usr/sbin/basenc", "/usr/sbin/basez", "/usr/sbin/bash", "/usr/sbin/bc", "/usr/sbin/bridge", "/usr/sbin/busctl", "/usr/sbin/busybox", "/usr/sbin/bzip2", "/usr/sbin/cabal", "/usr/sbin/capsh", "/usr/sbin/cat", "/usr/sbin/chmod", "/usr/sbin/choom", "/usr/sbin/chown", "/usr/sbin/chroot", "/usr/sbin/clamscan", "/usr/sbin/cmp", "/usr/sbin/column", "/usr/sbin/comm", "/usr/sbin/cp", "/usr/sbin/cpio", "/usr/sbin/cpulimit", "/usr/sbin/csh", "/usr/sbin/csplit", "/usr/sbin/csvtool", "/usr/sbin/cupsfilter", "/usr/sbin/curl", "/usr/sbin/cut", "/usr/sbin/dash", "/usr/sbin/date", "/usr/sbin/dd", "/usr/sbin/debugfs", "/usr/sbin/dialog", "/usr/sbin/diff", "/usr/sbin/dig", "/usr/sbin/distcc", "/usr/sbin/dmsetup", "/usr/sbin/docker", "/usr/sbin/dosbox", "/usr/sbin/ed", "/usr/sbin/efax", "/usr/sbin/elvish", "/usr/sbin/emacs", "/usr/sbin/env", "/usr/sbin/eqn", "/usr/sbin/espeak", "/usr/sbin/expand", "/usr/sbin/expect", "/usr/sbin/file", "/usr/sbin/find", "/usr/sbin/fish", "/usr/sbin/flock", "/usr/sbin/fmt", "/usr/sbin/fold", "/usr/sbin/gawk", "/usr/sbin/gcore", "/usr/sbin/gdb", "/usr/sbin/genie", "/usr/sbin/genisoimage", "/usr/sbin/gimp", "/usr/sbin/grep", "/usr/sbin/gtester", "/usr/sbin/gzip", "/usr/sbin/hd", "/usr/sbin/head", "/usr/sbin/hexdump", "/usr/sbin/highlight", "/usr/sbin/hping3", "/usr/sbin/iconv", "/usr/sbin/install", "/usr/sbin/ionice", "/usr/sbin/ip", "/usr/sbin/ispell", "/usr/sbin/jjs", "/usr/sbin/join", "/usr/sbin/jq", "/usr/sbin/jrunscript", "/usr/sbin/julia", "/usr/sbin/ksh", "/usr/sbin/ksshell", "/usr/sbin/kubectl", "/usr/sbin/ld.so", "/usr/sbin/less", "/usr/sbin/links", "/usr/sbin/logsave", "/usr/sbin/look", "/usr/sbin/lua", "/usr/sbin/make", "/usr/sbin/mawk", "/usr/sbin/minicom", 
"/usr/sbin/more", "/usr/sbin/mosquitto", "/usr/sbin/msgattrib", "/usr/sbin/msgcat", "/usr/sbin/msgconv", "/usr/sbin/msgfilter", "/usr/sbin/msgmerge", "/usr/sbin/msguniq", "/usr/sbin/multitime", "/usr/sbin/mv", "/usr/sbin/nasm", "/usr/sbin/nawk", "/usr/sbin/ncftp", "/usr/sbin/nft", "/usr/sbin/nice", "/usr/sbin/nl", "/usr/sbin/nm", "/usr/sbin/nmap", "/usr/sbin/node", "/usr/sbin/nohup", "/usr/sbin/ntpdate", "/usr/sbin/od", "/usr/sbin/openssl", "/usr/sbin/openvpn", "/usr/sbin/pandoc", "/usr/sbin/paste", "/usr/sbin/perf", "/usr/sbin/perl", "/usr/sbin/pexec", "/usr/sbin/pg", "/usr/sbin/php", "/usr/sbin/pidstat", "/usr/sbin/pr", "/usr/sbin/ptx", "/usr/sbin/python", "/usr/sbin/rc", "/usr/sbin/readelf", "/usr/sbin/restic", "/usr/sbin/rev", "/usr/sbin/rlwrap", "/usr/sbin/rsync", "/usr/sbin/rtorrent", "/usr/sbin/run-parts", "/usr/sbin/rview", "/usr/sbin/rvim", "/usr/sbin/sash", "/usr/sbin/scanmem", "/usr/sbin/sed", "/usr/sbin/setarch", "/usr/sbin/setfacl", "/usr/sbin/setlock", "/usr/sbin/shuf", "/usr/sbin/soelim", "/usr/sbin/softlimit", "/usr/sbin/sort", "/usr/sbin/sqlite3", "/usr/sbin/ss", "/usr/sbin/ssh-agent", "/usr/sbin/ssh-keygen", "/usr/sbin/ssh-keyscan", "/usr/sbin/sshpass", "/usr/sbin/start-stop-daemon", "/usr/sbin/stdbuf", "/usr/sbin/strace", "/usr/sbin/strings", "/usr/sbin/sysctl", "/usr/sbin/systemctl", "/usr/sbin/tac", "/usr/sbin/tail", "/usr/sbin/taskset", "/usr/sbin/tbl", "/usr/sbin/tclsh", "/usr/sbin/tee", "/usr/sbin/terraform", "/usr/sbin/tftp", "/usr/sbin/tic", "/usr/sbin/time", "/usr/sbin/timeout", "/usr/sbin/troff", "/usr/sbin/ul", "/usr/sbin/unexpand", "/usr/sbin/uniq", "/usr/sbin/unshare", "/usr/sbin/unsquashfs", "/usr/sbin/unzip", "/usr/sbin/update-alternatives", "/usr/sbin/uudecode", "/usr/sbin/uuencode", "/usr/sbin/vagrant", "/usr/sbin/varnishncsa", "/usr/sbin/view", "/usr/sbin/vigr", "/usr/sbin/vim", "/usr/sbin/vimdiff", "/usr/sbin/vipw", "/usr/sbin/w3m", "/usr/sbin/watch", "/usr/sbin/wc", "/usr/sbin/wget", "/usr/sbin/whiptail", "/usr/sbin/xargs", 
"/usr/sbin/xdotool", "/usr/sbin/xmodmap", "/usr/sbin/xmore", "/usr/sbin/xxd", "/usr/sbin/xz", "/usr/sbin/yash", "/usr/sbin/zsh", "/usr/sbin/zsoelim"
) and
// Known-benign exclusion: the openssh-client package maintainer script (presumably it sets the setgid
// bit on ssh-agent, which is in the list above, at install time — confirm on the target
// distributions before relying on it).
not process.parent.name == "openssh-client.postinst"
Aegrah commented 4 months ago

For now these are hardcoded for all of the /bin, /usr/bin, /sbin and /usr/sbin paths. I am looking into whether I can leverage the genome project's benign ELF samples to list only the paths that actually exist in each distribution, which would allow for a shorter and more performant query.