Shell Execution via Nice - Linux

Original Source: [Sigma source]
Title: Shell Execution via Nice - Linux
Status: experimental
Description: Detects the use of the "nice" utility to execute a shell. Such behavior may be associated with privilege escalation, unauthorized command execution, or breaking out of restricted environments.
References:
  - https://gtfobins.github.io/gtfobins/nice/#shell
  - https://www.elastic.co/guide/en/security/current/linux-restricted-shell-breakout-via-linux-binary-s.html
Author: Li Ling, Andy Parkidomo, Robert Rakowski, Blake Hartstein (Bloomberg L.P.)
Date: 2024-09-02
Modified: None
Tags:
  - 'attack.discovery'
  - 'attack.t1083'
Logsource:
  category: process_creation
  product: linux
Detection:
  selection:
    Image|endswith: '/nice'
    CommandLine|endswith:
      - '/bin/bash'
      - '/bin/dash'
      - '/bin/fish'
      - '/bin/sh'
      - '/bin/zsh'

  condition: selection
Falsepositives:
  - Unknown
Level: high
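To show how the selection above evaluates against process_creation events, here is an added Python example (my code, not the Sigma project's). The events are constructed, the field names follow the rule, and the case-insensitive comparison reflects Sigma's default for plain string modifiers such as `endswith`.

```python
# Added example (not part of the Sigma rule or project): evaluates this rule's
# `selection` against constructed Linux process_creation events.
from typing import Dict, Iterable, List

# Values copied from the rule above.
IMAGE_SUFFIX = "/nice"
SHELL_SUFFIXES = ("/bin/bash", "/bin/dash", "/bin/fish", "/bin/sh", "/bin/zsh")


def endswith_ci(value: str, suffix: str) -> bool:
    """Sigma's plain string matching is case-insensitive by default (no |cased)."""
    return value.lower().endswith(suffix.lower())


def matches_rule(event: Dict[str, str]) -> bool:
    """Image|endswith '/nice' AND CommandLine|endswith one of SHELL_SUFFIXES."""
    image = event.get("Image", "")
    cmdline = event.get("CommandLine", "")
    return endswith_ci(image, IMAGE_SUFFIX) and any(
        endswith_ci(cmdline, s) for s in SHELL_SUFFIXES
    )


def run_detection(events: Iterable[Dict[str, str]]) -> List[Dict[str, str]]:
    """Return the events that satisfy the selection (condition: selection)."""
    return [e for e in events if matches_rule(e)]


# Constructed sample events; field names match the rule's process_creation fields.
SAMPLE_EVENTS = [
    {"Image": "/usr/bin/nice", "CommandLine": "nice /bin/bash"},
    {"Image": "/usr/bin/nice", "CommandLine": "nice -n 19 /bin/sh"},
    # Benign use of nice: the command being launched is not a shell.
    {"Image": "/usr/bin/nice", "CommandLine": "nice -n 10 tar czf logs.tgz /var/log"},
    # Image ends with "/renice", not "/nice": the leading slash in the pattern matters,
    # and both selection fields must match (logical AND).
    {"Image": "/usr/bin/renice", "CommandLine": "renice -n 5 /bin/sh"},
    # A shell followed by arguments falls outside an endswith match; this is a
    # coverage boundary of the rule as written, worth knowing when tuning it.
    {"Image": "/usr/bin/nice", "CommandLine": "nice -n 5 /bin/sh ./build.sh"},
]

if __name__ == "__main__":
    for hit in run_detection(SAMPLE_EVENTS):
        print("ALERT Shell Execution via Nice:", hit["CommandLine"])
```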