
Summary
This detection rule identifies the invocation of a shell via the 'capsh' command on Linux. The 'capsh' utility, shipped with libcap, launches a process with a modified set of Linux capabilities, and its '--' option executes /bin/bash with any remaining arguments. Attackers can use this to break out of a restricted environment or, where the binary is SUID or otherwise privileged, to obtain a shell with elevated rights. The rule matches processes whose image path ends with '/capsh' and whose command line ends with ' --', the form used to spawn a shell (for example 'capsh --' or 'capsh --gid=0 --uid=0 --'). Because 'capsh' is a legitimate utility that administrators may invoke on purpose, a match should be triaged against the parent process and the user context rather than treated as conclusive on its own.
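To show what the rule does and does not catch, the following added example (not part of the original rule or its source repository) runs the literal selection logic over a handful of constructed process-creation events. Field names 'Image' and 'CommandLine' follow the rule description; the sample events, user names and the 'matches_broadened' variant are assumptions made for illustration. The broadened variant treats any standalone '--' token as a shell invocation, since 'capsh -- -c id' also spawns bash but does not end with ' --' and so slips past the exact suffix check.

```python
import shlex

# Constructed sample process-creation events; hypothetical, not real telemetry.
SAMPLE_EVENTS = [
    {"Image": "/usr/sbin/capsh", "CommandLine": "capsh --", "User": "www-data"},
    {"Image": "/usr/sbin/capsh", "CommandLine": "capsh --gid=0 --uid=0 --", "User": "www-data"},
    {"Image": "/usr/sbin/capsh", "CommandLine": "capsh --print", "User": "root"},
    {"Image": "/usr/sbin/capsh", "CommandLine": "capsh -- -c id", "User": "www-data"},
    {"Image": "/bin/bash", "CommandLine": "bash --", "User": "root"},
    {"Image": "/home/u/capsh", "CommandLine": "./capsh --", "User": "u"},
]


def matches_rule(event):
    """Literal rule logic: Image ends with '/capsh' AND CommandLine ends with ' --'."""
    return event["Image"].endswith("/capsh") and event["CommandLine"].endswith(" --")


def matches_broadened(event):
    """Assumed broader variant: image is capsh and '--' appears as its own argv token.

    This also catches 'capsh -- -c id', where bash receives trailing arguments
    and the command line therefore does not end with ' --'.
    """
    if not event["Image"].endswith("/capsh"):
        return False
    try:
        argv = shlex.split(event["CommandLine"])
    except ValueError:
        # Unbalanced quotes: fall back to a plain whitespace split.
        argv = event["CommandLine"].split()
    return "--" in argv


def run(events, matcher):
    """Return the command lines of the events that the given matcher flags."""
    return [e["CommandLine"] for e in events if matcher(e)]


if __name__ == "__main__":
    for name, matcher in (("rule", matches_rule), ("broadened", matches_broadened)):
        print(name)
        for cmd in run(SAMPLE_EVENTS, matcher):
            print("  ", cmd)
```

Note that neither variant fires on 'capsh --print', which only lists the current capability sets, and neither can tell a legitimate administrative invocation from an attacker's; that distinction still comes from the parent process, the effective user and whether the binary carries SUID or file capabilities.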
Categories
- Linux
- Endpoint
Data Sources
- Process
Created: 2024-09-02