The hypothesis is that an adversary is abusing the `-wrapper` option of gcc (or its c89/c99 front ends) to spawn a shell. `-wrapper` tells the compiler driver to run every subcommand under a wrapper program given as a comma-separated list, so `gcc -wrapper /bin/sh,-s .` makes gcc launch `/bin/sh -s`, which reads commands from standard input; this is the GTFOBins technique for executing arbitrary commands or breaking out of a restricted environment on a Linux host without calling a shell directly. SOC teams should hunt for this behavior in Azure Sentinel because it indicates living-off-the-land command execution, a restricted-shell breakout, or a foothold for follow-on activity such as persistence.
Detection Rule
title: Shell Execution GCC - Linux
id: 9b5de532-a757-4d70-946c-1f3e44f48b4d
status: test
description: |
    Detects the use of the "gcc" utility to execute a shell. Such behavior may be associated with privilege escalation, unauthorized command execution, or to break out from restricted environments.
references:
    - https://gtfobins.github.io/gtfobins/gcc/#shell
    - https://gtfobins.github.io/gtfobins/c89/#shell
    - https://gtfobins.github.io/gtfobins/c99/#shell
    - https://www.elastic.co/guide/en/security/current/linux-restricted-shell-breakout-via-linux-binary-s.html
author: Li Ling, Andy Parkidomo, Robert Rakowski, Blake Hartstein (Bloomberg L.P.)
date: 2024-09-02
tags:
    - attack.discovery
    - attack.t1083
logsource:
    category: process_creation
    product: linux
detection:
    selection_img:
        Image|endswith:
            - '/c89'
            - '/c99'
            - '/gcc'
        CommandLine|contains: '-wrapper'
    selection_cli:
        CommandLine|contains:
            - '/bin/bash,-s'
            - '/bin/dash,-s'
            - '/bin/fish,-s'
            - '/bin/sh,-s'
            - '/bin/zsh,-s'
    condition: all of selection_*
falsepositives:
    - Unknown
level: high
imProcessCreate
| where (TargetProcessName endswith "/c89" or TargetProcessName endswith "/c99" or TargetProcessName endswith "/gcc")
    and TargetProcessCommandLine contains "-wrapper"
    and (TargetProcessCommandLine contains "/bin/bash,-s"
        or TargetProcessCommandLine contains "/bin/dash,-s"
        or TargetProcessCommandLine contains "/bin/fish,-s"
        or TargetProcessCommandLine contains "/bin/sh,-s"
        or TargetProcessCommandLine contains "/bin/zsh,-s")
Scenario: Scheduled System Maintenance via Cron Job
Description: A cron job runs a script that compiles a system utility with gcc. An ordinary compile such as `gcc -O2 -o tool tool.c` contains neither `-wrapper` nor a `<shell>,-s` argument and therefore does not match this rule; it only fires if the maintenance script itself invokes `gcc -wrapper /bin/sh,-s` (or one of the other listed shells).
Filter/Exclusion: If such an invocation is genuinely expected, exclude only on process.parent_process_name = "cron" together with the exact known command line. Do not exclude on a substring such as process.command_line contains "system-maintenance" by itself; the command line is attacker-controlled and the token is trivial to add.
Scenario: Developer Compiling a Custom Module
Description: A developer compiles a kernel module or application code with gcc. Normal compiler invocations do not match. A developer who uses `-wrapper` to run the compiler's subprocesses under a debugger, for example `gcc -c t.c -wrapper gdb,--args` as shown in the GCC manual, does not match either, because the wrapper is not one of the listed shells with `-s`.
Filter/Exclusion: Do not exclude on process.user = "developer" alone; a compromised developer account would then be invisible to this rule. If a build script legitimately wraps the compiler in a shell, exclude on the exact parent process and full command line.
Scenario: Automated Build Pipeline Using GCC
Description: A CI/CD runner (e.g., Jenkins, GitLab CI) compiles code with gcc as part of the build. Standard build steps do not match the rule for the same reason as above.
Filter/Exclusion: The filter `process.command_line contains "CI" or "build"` is not a valid condition as written (the bare string "build" is not a comparison) and both substrings are trivially forged. Scope any exclusion to the runner's service account and parent process (for example process.user = "jenkins" and the runner agent as process.parent_process_name) combined with the known build command line.
Scenario: Security Tool or Agent Using GCC for Analysis
Description: A security tool or endpoint agent invokes gcc to compile an analysis helper or sandbox harness. This only matches if the tool wraps the compiler in a shell via `-wrapper`.
Filter/Exclusion: Exclude on the agent's exact binary path as process.parent_process_name, not on substrings such as "sandbox" or "analysis" in process.name (again, `or "analysis"` is a bare string, not a condition), since any process can be named to contain those words.
Scenario: Admin Task Involving Code Compilation
Description: An administrator compiles a custom tool for system administration. As above, the rule does not fire on a plain compile; it fires only on `-wrapper` with a shell and `-s`.
Filter/Exclusion: Do not exclude on process.user = "root" or on process.parent_process_name contains "bash". Root is exactly the user a privilege-escalation breakout ends up running as, and an interactive bash parent is the normal launch context of the GTFOBins invocation, so either exclusion disables the detection entirely. If an administrative tool legitimately uses `-wrapper` with a shell, exclude on its exact command line and parent process, not on a substring like "admin-tool".