Adversaries may launch a shell through the flock utility, a living-off-the-land binary whose normal job is lock management, so that arbitrary commands run under a process that routine command-line monitoring rarely flags (the GTFOBins pattern is flock -u / /bin/sh). SOC teams should hunt for this behavior in Azure Sentinel to surface privilege escalation, unauthorized command execution, or breakout from a restricted shell.
Detection Rule
title: Shell Execution via Flock - Linux
id: 4b09c71e-4269-4111-9cdd-107d8867f0cc
status: test
description: |
    Detects the use of the "flock" command to execute a shell. Such behavior may be associated with privilege escalation, unauthorized command execution, or to break out from restricted environments.
references:
    - https://gtfobins.github.io/gtfobins/flock/#shell
    - https://www.elastic.co/guide/en/security/current/linux-restricted-shell-breakout-via-linux-binary-s.html
author: Li Ling, Andy Parkidomo, Robert Rakowski, Blake Hartstein (Bloomberg L.P.)
date: 2024-09-02
tags:
    - attack.discovery
    - attack.t1083
logsource:
    category: process_creation
    product: linux
detection:
    selection_img:
        Image|endswith: '/flock'
        CommandLine|contains: ' -u '
    selection_cli:
        CommandLine|contains:
            - '/bin/bash'
            - '/bin/dash'
            - '/bin/fish'
            - '/bin/sh'
            - '/bin/zsh'
    condition: all of selection_*
falsepositives:
    - Unknown
level: high
imProcessCreate
| where (TargetProcessName endswith "/flock" and TargetProcessCommandLine contains " -u ")
    and (TargetProcessCommandLine contains "/bin/bash"
        or TargetProcessCommandLine contains "/bin/dash"
        or TargetProcessCommandLine contains "/bin/fish"
        or TargetProcessCommandLine contains "/bin/sh"
        or TargetProcessCommandLine contains "/bin/zsh")
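To make the rule's logic concrete, the following Python reproduces the Sigma conditions above over a handful of constructed process_creation events and layers on the kind of script-path allowlist that the false-positive scenarios below call for. This is an added example, not part of the original rule or the Sigma project; the events, the allowlist contents and the function names are assumptions for illustration.

```python
import shlex
from typing import Dict, List, Optional, Tuple

# Shell paths from the rule's selection_cli.
SHELLS = ("/bin/bash", "/bin/dash", "/bin/fish", "/bin/sh", "/bin/zsh")

# Hypothetical allowlist (assumption, not part of the rule): scripts that are
# known to be wrapped in flock, using the paths the false-positive scenarios cite.
KNOWN_SCRIPTS = frozenset({
    "/opt/backup/backup.sh",
    "/usr/local/sbin/update_system.sh",
})


def matches_rule(image: str, cmdline: str) -> bool:
    """Sigma logic: Image endswith '/flock' AND CommandLine contains ' -u '
    (selection_img) AND CommandLine contains one of the shells (selection_cli).
    Sigma string modifiers are case-insensitive, so compare lower-cased."""
    image_l, cmd_l = image.lower(), cmdline.lower()
    return (
        image_l.endswith("/flock")
        and " -u " in cmd_l
        and any(shell in cmd_l for shell in SHELLS)
    )


def wrapped_script(cmdline: str) -> Optional[str]:
    """Return the script path that flock hands to the shell, or None when the
    shell runs interactively or with a flag such as -c (inline command).
    Those cases must never be allowlisted."""
    try:
        argv = shlex.split(cmdline)
    except ValueError:  # unbalanced quotes: treat as suspicious, do not allowlist
        return None
    for i, tok in enumerate(argv):
        if tok in SHELLS:
            rest = argv[i + 1:]
            if not rest or rest[0].startswith("-"):
                return None
            return rest[0]
    return None


def triage(image: str, cmdline: str) -> str:
    """'no-match' (rule silent), 'suppressed' (matched, allowlisted script),
    or 'alert'."""
    if not matches_rule(image, cmdline):
        return "no-match"
    if wrapped_script(cmdline) in KNOWN_SCRIPTS:
        return "suppressed"
    return "alert"


# Constructed process_creation events (Image, CommandLine); not real telemetry.
EVENTS: List[Tuple[str, str]] = [
    # GTFOBins shell pattern: unlock flag, a lock path, then a shell.
    ("/usr/bin/flock", "flock -u / /bin/sh"),
    # Typical cron wrapper: -n (non-blocking) and a known script; no ' -u '.
    ("/usr/bin/flock", "flock -n /var/lock/backup.lock /bin/bash /opt/backup/backup.sh"),
    # Admin wrapper that really does pass -u around a known script.
    ("/usr/bin/flock", "flock -u /run/lock/update.lock /bin/bash /usr/local/sbin/update_system.sh"),
    # -u plus an inline command: matches and must not be suppressed.
    ("/usr/bin/flock", "flock -u /tmp/x /bin/bash -c 'id'"),
    # Same breakout without -u: the rule is blind to it by design.
    ("/usr/bin/flock", "flock -x /tmp/l /bin/sh"),
]


def run(events: List[Tuple[str, str]] = EVENTS) -> Dict[str, str]:
    """Map each command line to its triage verdict."""
    return {cmd: triage(img, cmd) for img, cmd in events}


if __name__ == "__main__":
    for cmd, verdict in run().items():
        print(f"{verdict:10s} {cmd}")
```

Two things fall out of the sample run. The rule pivots on the literal string " -u ", so a wrapper that uses -n, -x or -w never matches and needs no exclusion at all, while a breakout that omits -u is not covered by this rule. Exclusions that are needed should therefore key on the script path the shell receives (and ideally on the parent process), never on the mere presence of flock in the command line, which would silence the rule entirely.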
Scenario: Legitimate Use of flock for Synchronized Script Execution
Description: A system administrator uses flock to ensure that a backup script runs only once at a time across multiple servers.
Filter/Exclusion: Do not exclude on the presence of /usr/bin/flock alone, since that suppresses the rule entirely. Exclude only events where the argument following the shell is a known backup or maintenance script (e.g., /opt/backup/backup.sh), and first confirm that the wrapper genuinely passes -u; most lock wrappers use -n, -x or -w and never match this rule in the first place.
Scenario: Scheduled Job Using flock for Resource Locking
Description: A cron job is configured to run a database maintenance script using flock to prevent multiple instances from running simultaneously.
Filter/Exclusion: Exclude events whose parent process is the cron daemon and whose shell argument is the script deployed from a known cron definition (e.g., /etc/cron.d/maintenance), rather than any command line that happens to contain flock.
Scenario: Use of flock in a CI/CD Pipeline for Locking Artifacts
Description: A CI/CD pipeline (e.g., Jenkins, GitLab CI) uses flock to ensure that only one build process accesses a shared artifact directory at a time.
Filter/Exclusion: Exclude events where the parent process is the CI agent and the shell argument resolves to a known job script (e.g., /opt/jenkins/jobs/build_script.sh); builds that invoke the shell with -c or with no script at all should stay in scope.
Scenario: Admin Task Using flock to Prevent Concurrent System Updates
Description: An admin script uses flock to ensure that system updates are not applied concurrently, which could cause conflicts.
Filter/Exclusion: Exclude events where the shell argument is the known admin tool (e.g., /usr/local/sbin/update_system.sh), and additionally check that the invoking user is the expected administrative or service account so the path alone cannot be reused to hide an interactive shell.
Scenario: Use of flock in a Monitoring Tool for Locking