Adversaries may use capsh to invoke shell commands with elevated privileges, bypassing standard privilege escalation detection mechanisms. SOC teams should proactively hunt for this behavior in Azure Sentinel to identify potential privilege escalation attempts and mitigate lateral movement risks.
Detection Rule

title: Capsh Shell Invocation - Linux
id: db1ac3be-f606-4e3a-89e0-9607cbe6b98a
status: test
description: |
    Detects the use of the "capsh" utility to invoke a shell.
references:
    - https://gtfobins.github.io/gtfobins/capsh/#shell
    - https://www.elastic.co/guide/en/security/current/linux-restricted-shell-breakout-via-linux-binary-s.html
author: Li Ling, Andy Parkidomo, Robert Rakowski, Blake Hartstein (Bloomberg L.P.)
date: 2024-09-02
tags:
    - attack.execution
    - attack.t1059
logsource:
    category: process_creation
    product: linux
detection:
    selection:
        Image|endswith: '/capsh'
        CommandLine|endswith: ' --'
    condition: selection
falsepositives:
    - Unknown
level: high

Azure Sentinel Query (KQL)

imProcessCreate
| where TargetProcessName endswith "/capsh" and TargetProcessCommandLine endswith " --"
False Positive Scenarios

Scenario: System Maintenance Script Execution
Description: A legitimate system maintenance script uses capsh to switch to a different user context for performing administrative tasks.
Filter/Exclusion: Check the command line arguments for known maintenance scripts or paths like /usr/local/bin/maintenance_script.sh or /etc/cron.daily/.

Scenario: Scheduled Job with User Switching
Description: A cron job or systemd timer is configured to run a script under a different user using capsh for privilege separation.
Filter/Exclusion: Filter by process owner or check the command line for capsh with known job names like daily_backup.sh or system_cleanup.

Scenario: Security Tool or Audit Tool Usage
Description: A security or audit tool (e.g., auditd, SELinux, or AppArmor) uses capsh to temporarily drop privileges or switch contexts during analysis.
Filter/Exclusion: Check for processes associated with security tools or paths like /usr/sbin/auditd or /etc/security/.

Scenario: User Switching for Troubleshooting
Description: An admin uses capsh to switch to another user account to troubleshoot an application or service running under that user.
Filter/Exclusion: Filter by user IDs (UIDs) of known admin accounts or check for commands like capsh -c 'su - user'.

Scenario: Container or VM Management Tools
Description: A container orchestration tool (e.g., Docker, Kubernetes) or virtualization management tool uses capsh to manage user contexts within isolated environments.
Filter/Exclusion: Check for processes associated with container runtimes (e.g., docker, kubeadm) or VM management tools (e.g., virsh,
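To show how the rule's selection behaves on process_creation events and how the parent-path exclusions suggested in the scenarios above layer on top of it, here is an added Python example; it is not part of the Sigma rule, the Sentinel query or the original page. The event fields, the sample events and the allow-list paths are constructed assumptions for offline testing.

```python
import fnmatch
from dataclasses import dataclass


@dataclass
class ProcessEvent:
    """One process_creation event; field names mirror the Sigma rule above."""
    image: str
    command_line: str
    user: str = "unknown"
    parent_image: str = ""


# Constructed sample events (not real telemetry).
SAMPLE_EVENTS = [
    ProcessEvent("/usr/sbin/capsh", "capsh --", "www-data", "/bin/sh"),
    ProcessEvent("/sbin/capsh", "/sbin/capsh --user=backup --", "root",
                 "/etc/cron.daily/daily_backup.sh"),
    ProcessEvent("/usr/sbin/capsh", "capsh --print", "root", "/bin/bash"),
    ProcessEvent("/bin/bash", "bash -c 'capsh --'", "root", "/usr/sbin/sshd"),
    ProcessEvent("/usr/sbin/CAPSH", "CAPSH --", "nobody", "/bin/sh"),
]

# Hypothetical allow-list built from the Filter/Exclusion notes above; it is
# matched against the parent process image. Tune it to your own maintenance paths.
KNOWN_MAINTENANCE_PARENTS = [
    "/usr/local/bin/maintenance_script.sh",
    "/etc/cron.daily/*",
]


def matches_rule(ev: ProcessEvent) -> bool:
    """Sigma selection: Image|endswith '/capsh' AND CommandLine|endswith ' --'.
    Sigma modifiers and KQL endswith compare case-insensitively, so lower() both."""
    return (ev.image.lower().endswith("/capsh")
            and ev.command_line.lower().endswith(" --"))


def is_excluded(ev: ProcessEvent, parents=KNOWN_MAINTENANCE_PARENTS) -> bool:
    """True when the parent image is on the maintenance allow-list."""
    return any(fnmatch.fnmatch(ev.parent_image, pat) for pat in parents)


def triage(events, parents=KNOWN_MAINTENANCE_PARENTS) -> dict:
    """Sort events into alert / excluded / no_match buckets of command lines."""
    result = {"alert": [], "excluded": [], "no_match": []}
    for ev in events:
        if not matches_rule(ev):
            result["no_match"].append(ev.command_line)
        elif is_excluded(ev, parents):
            result["excluded"].append(ev.command_line)
        else:
            result["alert"].append(ev.command_line)
    return result
```

Note that the trailing-argument check is strict: `capsh -- ` with a trailing space or a shell wrapper such as `bash -c 'capsh --'` does not match the rule as written, so the exclusion list is only worth tuning once that baseline is understood.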