The hypothesis is that an adversary is using the find command to execute arbitrary shell commands, potentially for privilege escalation or command and control. SOC teams should proactively hunt for this behavior in Azure Sentinel to identify and mitigate potential exploitation attempts or unauthorized access.
Detection Rule
title: Shell Execution via Find - Linux
id: 6adfbf8f-52be-4444-9bac-81b539624146
status: test
description: |
    Detects the use of the find command to execute a shell. Such behavior may be associated with privilege escalation, unauthorized command execution, or exploitation attempts.
references:
    - https://gtfobins.github.io/gtfobins/find/#shell
    - https://www.elastic.co/guide/en/security/current/linux-restricted-shell-breakout-via-linux-binary-s.html
author: Li Ling, Andy Parkidomo, Robert Rakowski, Blake Hartstein (Bloomberg L.P.)
date: 2024-09-02
tags:
    - attack.discovery
    - attack.t1083
logsource:
    category: process_creation
    product: linux
detection:
    selection_img:
        Image|endswith: '/find'
        CommandLine|contains|all:
            - ' . '
            - '-exec'
    selection_cli:
        CommandLine|contains:
            - '/bin/bash'
            - '/bin/dash'
            - '/bin/fish'
            - '/bin/sh'
            - '/bin/zsh'
    condition: all of selection_*
falsepositives:
    - Unknown
level: high
imProcessCreate
| where (TargetProcessName endswith "/find"
        and (TargetProcessCommandLine contains " . " and TargetProcessCommandLine contains "-exec"))
    and (TargetProcessCommandLine contains "/bin/bash"
        or TargetProcessCommandLine contains "/bin/dash"
        or TargetProcessCommandLine contains "/bin/fish"
        or TargetProcessCommandLine contains "/bin/sh"
        or TargetProcessCommandLine contains "/bin/zsh")
Scenario: Scheduled System Maintenance with find and sh
Description: A system administrator schedules a cron job to run find /path -name "*.log" -exec sh -c 'echo "Cleaning up logs"' \; to clean up log files.
Filter/Exclusion: Exclude processes with command_line containing cron or crontab, or filter by user root with known maintenance scripts.
Scenario: File Search and Execution for Script Debugging
Description: A developer uses find /opt/app -name "*.sh" -exec sh -c 'echo "Debugging script: {}"' \; to test script execution in a development environment.
Filter/Exclusion: Exclude processes where the user is a developer (e.g., user_id=1001) or where the command line includes --debug or --dry-run.
Scenario: Log Rotation with find and sh
Description: A log rotation tool like logrotate uses find to locate old log files and executes a shell command to compress them.
Filter/Exclusion: Exclude processes where the command line includes logrotate or rsyslog, or filter by specific directories like /var/log.
Scenario: Security Audit with find and sh
Description: A security team runs a script using find /etc -name "*.conf" -exec sh -c 'echo "Auditing config file: {}"' \; to audit configuration files.
Filter/Exclusion: Exclude processes with command_line containing audit, security, or check, or filter by user security-team or audit.
Scenario: Backup Script with find and sh
Description: A backup
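The following is an added example, not code from the original page, the Sigma project or the rule's authors. It re-implements the rule's matching logic (selection_img and selection_cli, case-insensitive as Sigma and the KQL conversion both are) in Python and runs it over constructed process-creation events, then layers on the exclusions suggested in the scenarios above so the effect of tuning is visible. The ProcessEvent fields, the parent_image check, the exclusion lists and every sample event are assumptions made for the example; none of them come from real telemetry.

```python
"""Added example: Sigma 'Shell Execution via Find - Linux' matching logic in
Python, with scenario-derived exclusions, run over constructed events."""
from dataclasses import dataclass

# Shell paths from the rule's selection_cli list.
SHELLS = ("/bin/bash", "/bin/dash", "/bin/fish", "/bin/sh", "/bin/zsh")


@dataclass
class ProcessEvent:
    """Minimal process_creation record. parent_image is an assumption added
    for exclusion tuning; the rule itself only uses image and command line."""
    image: str
    command_line: str
    user: str = "root"
    parent_image: str = ""


def sigma_match(ev: ProcessEvent) -> bool:
    """Mirror 'condition: all of selection_*'. Sigma's endswith/contains are
    case-insensitive by default, as are the KQL operators in the conversion,
    so the comparison is done on lower-cased strings."""
    image = ev.image.lower()
    cli = ev.command_line.lower()
    selection_img = (
        image.endswith("/find")
        and " . " in cli        # literal 'find . ...' search root
        and "-exec" in cli
    )
    selection_cli = any(shell in cli for shell in SHELLS)
    return selection_img and selection_cli


# Tuning drawn from the scenarios: command-line tokens and users to exclude.
# The parent-image list is an assumption: a cron job's command line rarely
# contains the word 'cron', so the parent process is the more reliable filter.
EXCLUDED_CLI_TOKENS = ("cron", "crontab", "logrotate", "rsyslog", "--debug", "--dry-run")
EXCLUDED_USERS = ("developer", "security-team", "audit")
EXCLUDED_PARENTS = ("/usr/sbin/cron", "/usr/sbin/crond")


def is_excluded(ev: ProcessEvent) -> bool:
    """True when one of the scenario exclusions applies to the event."""
    cli = ev.command_line.lower()
    return (
        any(tok in cli for tok in EXCLUDED_CLI_TOKENS)
        or ev.user in EXCLUDED_USERS
        or ev.parent_image in EXCLUDED_PARENTS
    )


def hunt(events):
    """Return (raw_hits, tuned_hits): rule matches before and after exclusions."""
    raw = [ev for ev in events if sigma_match(ev)]
    tuned = [ev for ev in raw if not is_excluded(ev)]
    return raw, tuned


# Constructed sample events (not real telemetry).
SAMPLE_EVENTS = [
    # 1: web-server account spawning a shell through find -exec: should alert
    ProcessEvent("/usr/bin/find", "find . -exec /bin/sh \\;",
                 user="www-data", parent_image="/usr/sbin/apache2"),
    # 2: scheduled log clean-up launched by cron: matches, excluded by parent
    ProcessEvent("/usr/bin/find",
                 "find . -name \"*.log\" -exec /bin/sh -c 'echo \"Cleaning up logs\"' \\;",
                 user="root", parent_image="/usr/sbin/cron"),
    # 3: developer debugging scripts: matches, excluded by user
    ProcessEvent("/usr/bin/find",
                 "find . -name \"*.sh\" -exec /bin/sh -c 'echo \"Debugging script: {}\"' \\;",
                 user="developer", parent_image="/bin/bash"),
    # 4: logrotate-style clean-up with an absolute search root: no ' . ' token,
    #    so the rule never fires and no exclusion is needed
    ProcessEvent("/usr/bin/find",
                 "find /var/log -name \"*.gz\" -exec /bin/sh -c 'rm {}' \\;",
                 user="root", parent_image="/usr/sbin/logrotate"),
    # 5: unrelated binary whose name merely contains 'find'
    ProcessEvent("/usr/bin/findmnt", "findmnt . -exec /bin/sh", user="root"),
]


if __name__ == "__main__":
    raw_hits, tuned_hits = hunt(SAMPLE_EVENTS)
    print(f"raw matches: {len(raw_hits)}, after exclusions: {len(tuned_hits)}")
    for hit in tuned_hits:
        print("ALERT", hit.user, hit.command_line)
```

Running it leaves exactly one alert (event 1) after the exclusions remove the cron and developer cases. Event 4 is worth noting when tuning: the rule keys on the literal tokens ' . ' and an absolute shell path, so the scenario commands written with an absolute search root such as /var/log or /etc never reach the exclusion stage at all, and the exclusions only matter for invocations that use the current directory as the search root.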