Shell Execution via Flock - Linux

Original Source: [Sigma source]
Title: Shell Execution via Flock - Linux
Status: experimental
Description: Detects the use of the "flock" command to execute a shell. Such behavior may be associated with privilege escalation, unauthorized command execution, or breaking out of restricted environments.
References:
  - https://gtfobins.github.io/gtfobins/flock/#shell
  - https://www.elastic.co/guide/en/security/current/linux-restricted-shell-breakout-via-linux-binary-s.html
Author: Li Ling, Andy Parkidomo, Robert Rakowski, Blake Hartstein (Bloomberg L.P.)
Date: 2024-09-02
Modified: None
Tags:
  • attack.discovery
  • attack.t1083
Logsource:
  • category: process_creation
  • product: linux
Detection:
  selection_img:
    Image|endswith: '/flock'
    CommandLine|contains: ' -u '
  selection_cli:
    CommandLine|contains:
      - '/bin/bash'
      - '/bin/dash'
      - '/bin/fish'
      - '/bin/sh'
      - '/bin/zsh'

  condition: all of selection_*
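The following is an added example, not part of the Sigma rule or the Sigma project: a minimal evaluator for the detection logic above (Sigma's `endswith` and `contains` modifiers, case-insensitive by default; fields inside a selection are ANDed, listed values are ORed, and `all of selection_*` ANDs the two selections), run over constructed Linux process_creation events. Event 1 is the GTFOBins shell spawn (`flock -u / /bin/sh`). The negatives show what the rule deliberately or incidentally leaves out: a shell named without an absolute path (`sh`) does not hit `selection_cli`, and a shell spawned through `flock` without `-u` (flock runs its command argument with or without that option) does not hit `selection_img`. Event IDs and command lines are invented for the example.

```python
# Added example: evaluator for "Shell Execution via Flock - Linux" over sample events.
# Not code from the Sigma project; the events below are constructed, not real telemetry.
from __future__ import annotations

# Detection section of the rule, transcribed as plain Python data.
RULE = {
    "selection_img": {
        "Image|endswith": ["/flock"],
        "CommandLine|contains": [" -u "],
    },
    "selection_cli": {
        "CommandLine|contains": ["/bin/bash", "/bin/dash", "/bin/fish", "/bin/sh", "/bin/zsh"],
    },
}


def field_matches(event: dict, key: str, values: list[str]) -> bool:
    """One 'Field|modifier' entry: true if ANY listed value matches (Sigma lists are ORed)."""
    field, _, modifier = key.partition("|")
    actual = str(event.get(field, "")).lower()  # Sigma string matching is case-insensitive
    for value in values:
        value = value.lower()
        if modifier == "endswith" and actual.endswith(value):
            return True
        if modifier == "contains" and value in actual:
            return True
        if modifier == "" and actual == value:
            return True
    return False


def selection_matches(event: dict, selection: dict) -> bool:
    """All field entries of a selection must match (ANDed)."""
    return all(field_matches(event, key, values) for key, values in selection.items())


def rule_matches(event: dict) -> bool:
    """condition: all of selection_*"""
    return all(
        selection_matches(event, sel) for name, sel in RULE.items() if name.startswith("selection_")
    )


# Constructed process_creation events (hypothetical; not captured from a real host).
EVENTS = [
    # GTFOBins shell spawn: matches both selections.
    {"id": "e1", "Image": "/usr/bin/flock", "CommandLine": "flock -u / /bin/sh"},
    # Same technique with a lock file and bash: matches.
    {"id": "e2", "Image": "/usr/bin/flock", "CommandLine": "flock -u /tmp/app.lock /bin/bash -c id"},
    # Ordinary cron-style use of flock around rsync: no -u, no shell, no match.
    {"id": "e3", "Image": "/usr/bin/flock", "CommandLine": "flock -x /var/lock/backup.lock /usr/bin/rsync -a /src /dst"},
    # Gap: shell named without an absolute path is not in selection_cli.
    {"id": "e4", "Image": "/usr/bin/flock", "CommandLine": "flock -u / sh"},
    # Gap: flock runs its command without -u too, but selection_img requires ' -u '.
    {"id": "e5", "Image": "/usr/bin/flock", "CommandLine": "flock /tmp/x.lock /bin/sh -c id"},
    # Different image: ' -u ' and '/bin/sh' present, but Image does not end with '/flock'.
    {"id": "e6", "Image": "/usr/bin/python3", "CommandLine": "python3 -u /opt/tool.py /bin/sh"},
]


def evaluate(events: list[dict]) -> list[tuple[str, bool]]:
    """Return (event id, matched) for each event."""
    return [(e["id"], rule_matches(e)) for e in events]


if __name__ == "__main__":
    for event_id, hit in evaluate(EVENTS):
        print(f"{event_id}: {'ALERT' if hit else 'no match'}")
```

When tuning this rule, the two non-matching flock events (e4 and e5) are the ones to consider widening coverage for, at the cost of more triage work on legitimate lock-wrapped jobs like e3.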
Falsepositives:
  - Unknown
Level: high