process where host.os.type == "linux" and event.type == "start" and
(
/* launching shell from capsh */
(process.name == "capsh" and process.args == "--") or
/* launching shells from unusual parents or parent+arg combos */
(process.name in ("bash", "dash", "ash", "sh", "tcsh", "csh", "zsh", "ksh", "fish") and (
(process.parent.name : "*awk" and process.parent.args : "BEGIN {system(*)}") or
(process.parent.name == "git" and process.parent.args : ("*PAGER*", "!*sh", "exec *sh") or
process.args : ("*PAGER*", "!*sh", "exec *sh") and not process.name == "ssh" ) or
(process.parent.name : ("byebug", "ftp", "strace", "zip", "tar") and
(
process.parent.args : "BEGIN {system(*)}" or
(process.parent.args : ("*PAGER*", "!*sh", "exec *sh") or process.args : ("*PAGER*", "!*sh", "exec *sh")) or
(
(process.parent.args : "exec=*sh" or (process.parent.args : "-I" and process.parent.args : "*sh")) or
(process.args : "exec=*sh" or (process.args : "-I" and process.args : "*sh"))
)
)
) or
/* shells specified in parent args */
/* nice rule is broken in 8.2 */
(process.parent.args : "*sh" and
(
(process.parent.name == "nice") or
(process.parent.name == "cpulimit" and process.parent.args == "-f") or
(process.parent.name == "find" and process.parent.args == "." and process.parent.args == "-exec" and
process.parent.args == ";" and process.parent.args : "/bin/*sh") or
(process.parent.name == "flock" and process.parent.args == "-u" and process.parent.args == "/")
)
)
)) or
/* shells specified in args */
(process.args : "*sh" and (
(process.parent.name == "crash" and process.parent.args == "-h") or
(process.name == "sensible-pager" and process.parent.name in ("apt", "apt-get") and process.parent.args == "changelog")
/* scope to include more sensible-pager invoked shells with different parent process to reduce noise and remove false positives */
)) or
(process.name == "busybox" and event.action == "exec" and process.args_count == 2 and process.args : "*sh" and not
process.executable : "/var/lib/docker/overlay2/*/merged/bin/busybox" and not (process.parent.args == "init" and
process.parent.args == "runc") and not process.parent.args in ("ls-remote", "push", "fetch") and not process.parent.name == "mkinitramfs") or
(process.name == "env" and process.args_count == 2 and process.args : "*sh") or
(process.parent.name in ("vi", "vim") and process.parent.args == "-c" and process.parent.args : ":!*sh") or
(process.parent.name in ("c89", "c99", "gcc") and process.parent.args : "*sh,-s" and process.parent.args == "-wrapper") or
(process.parent.name == "expect" and process.parent.args == "-c" and process.parent.args : "spawn *sh;interact") or
(process.parent.name == "mysql" and process.parent.args == "-e" and process.parent.args : "\\!*sh") or
(process.parent.name == "ssh" and process.parent.args == "-o" and process.parent.args : "ProxyCommand=;*sh 0<&2 1>&2")
)
Install detection rules in Elastic Security
Detect Linux Restricted Shell Breakout via Linux Binary(s) in the Elastic Security detection engine by installing this rule into your Elastic Stack.
To setup this rule, check out the installation guide for Prebuilt Security Detection Rules(opens in a new tab or window).