nice is a standard coreutils binary that runs a command at an adjusted scheduling priority. It does not hide or disguise a process, but it will exec whatever program it is handed, which is why GTFOBins lists it as a way to spawn a shell: an adversary confined to a restricted shell, or facing an execution allowlist that permits nice but not an interactive shell, can run nice /bin/sh (or nice -n 10 /bin/bash) and get an unrestricted shell. SOC teams should hunt for this in Azure Sentinel (now Microsoft Sentinel) as a possible restricted-shell breakout or execution-control bypass. Note the rule's scope: it fires only when the command line ends with one of the listed shell paths, so nice bash, nice /bin/bash -i, or a shell followed by a script argument are not matched and need a broader query if that coverage is wanted.
Detection Rule
title: Shell Execution via Nice - Linux
id: 093d68c7-762a-42f4-9f46-95e79142571a
status: test
description: |
    Detects the use of the "nice" utility to execute a shell. Such behavior may be associated with privilege escalation, unauthorized command execution, or to break out from restricted environments.
references:
    - https://gtfobins.github.io/gtfobins/nice/#shell
    - https://www.elastic.co/guide/en/security/current/linux-restricted-shell-breakout-via-linux-binary-s.html
author: Li Ling, Andy Parkidomo, Robert Rakowski, Blake Hartstein (Bloomberg L.P.)
date: 2024-09-02
tags:
    - attack.discovery
    - attack.t1083
logsource:
    category: process_creation
    product: linux
detection:
    selection:
        Image|endswith: '/nice'
        CommandLine|endswith:
            - '/bin/bash'
            - '/bin/dash'
            - '/bin/fish'
            - '/bin/sh'
            - '/bin/zsh'
    condition: selection
falsepositives:
    - Unknown
level: high
Azure Sentinel query (KQL, ASIM imProcessCreate parser)
imProcessCreate
| where TargetProcessName endswith "/nice"
| where TargetProcessCommandLine endswith "/bin/bash"
    or TargetProcessCommandLine endswith "/bin/dash"
    or TargetProcessCommandLine endswith "/bin/fish"
    or TargetProcessCommandLine endswith "/bin/sh"
    or TargetProcessCommandLine endswith "/bin/zsh"
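To see concretely what the rule does and does not catch, here is an added Python example (written for this page; it is not part of the original page or of the Sigma project). It ports the rule's selection to a function, runs it over a handful of constructed process-creation events that use the ASIM field names from the query above, and applies the parent-process exclusion that the tuning scenarios in this page rely on. The broadened matcher, the scheduler parent paths, the script allowlist and the sample events are illustrative assumptions, not part of the published rule.

```python
import shlex
from posixpath import basename

# Shell paths from the Sigma rule's CommandLine|endswith list.
SHELL_PATHS = ("/bin/bash", "/bin/dash", "/bin/fish", "/bin/sh", "/bin/zsh")
SHELL_NAMES = tuple(basename(p) for p in SHELL_PATHS)

# Parent binaries that indicate a scheduled job rather than an interactive breakout.
# Assumed Debian/RHEL-style paths for illustration; not part of the published rule.
SCHEDULER_PARENTS = ("/cron", "/crond", "/anacron")


def matches_sigma_rule(event):
    """Literal port of the rule: Image ends with /nice AND CommandLine ends with a listed shell."""
    image = event.get("TargetProcessName", "")
    cmdline = event.get("TargetProcessCommandLine", "")
    return image.endswith("/nice") and cmdline.endswith(SHELL_PATHS)


def matches_broadened(event):
    """Hypothetical stricter variant (not the published rule): fires when any argument
    handed to nice has a shell basename, so 'nice bash' and 'nice /bin/bash -i' also match."""
    if not event.get("TargetProcessName", "").endswith("/nice"):
        return False
    try:
        argv = shlex.split(event.get("TargetProcessCommandLine", ""))
    except ValueError:
        return True  # unbalanced quoting: surface it rather than silently drop it
    return any(basename(arg) in SHELL_NAMES for arg in argv[1:])


def suppression_reason(event, allowed_scripts=()):
    """Return why a hit is expected (per the tuning scenarios), or None if it should alert."""
    parent = event.get("ActingProcessName", "")
    cmdline = event.get("TargetProcessCommandLine", "")
    if parent.endswith(SCHEDULER_PARENTS):
        return "spawned by cron/anacron"
    if any(script in cmdline for script in allowed_scripts):
        return "known maintenance script"
    return None


def triage(events, matcher=matches_sigma_rule, allowed_scripts=()):
    """Run a matcher over ASIM-shaped events; return (alerts, suppressed) as lists of event ids."""
    alerts, suppressed = [], []
    for event in events:
        if not matcher(event):
            continue
        reason = suppression_reason(event, allowed_scripts)
        (suppressed if reason else alerts).append(event["id"])
    return alerts, suppressed


# Constructed sample events using the imProcessCreate (ASIM) field names from the KQL.
SAMPLE_EVENTS = [
    {"id": "breakout", "ActorUsername": "webapp", "ActingProcessName": "/usr/bin/rbash",
     "TargetProcessName": "/usr/bin/nice", "TargetProcessCommandLine": "nice /bin/sh"},
    {"id": "cron-backup", "ActorUsername": "root", "ActingProcessName": "/usr/sbin/cron",
     "TargetProcessName": "/usr/bin/nice",
     "TargetProcessCommandLine": "nice -n 19 /bin/bash /opt/backup.sh"},
    {"id": "evade-bare-name", "ActorUsername": "webapp", "ActingProcessName": "/usr/bin/rbash",
     "TargetProcessName": "/usr/bin/nice", "TargetProcessCommandLine": "nice bash"},
    {"id": "evade-trailing-flag", "ActorUsername": "webapp", "ActingProcessName": "/usr/bin/rbash",
     "TargetProcessName": "/usr/bin/nice", "TargetProcessCommandLine": "nice -n 10 /bin/bash -i"},
    {"id": "admin-rsync", "ActorUsername": "ops", "ActingProcessName": "/bin/bash",
     "TargetProcessName": "/usr/bin/nice",
     "TargetProcessCommandLine": "nice -n 10 /usr/bin/rsync -a /srv /mnt/backup"},
]

if __name__ == "__main__":
    for name, matcher in (("published rule", matches_sigma_rule), ("broadened", matches_broadened)):
        alerts, suppressed = triage(SAMPLE_EVENTS, matcher)
        print(f"{name}: alerts={alerts} suppressed={suppressed}")
```

Run as-is, the published selection alerts only on the bare nice /bin/sh breakout; the two evasion variants and the cron-wrapped script are invisible to it. The broadened matcher picks those up, and the cron case is then suppressed by the parent-process check rather than by a command-line substring, which is the distinction the tuning scenarios below depend on.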
Scenario: Scheduled System Maintenance via nice
Description: A system administrator schedules a maintenance task (e.g., rsync, logrotate, or systemd-tmpfiles-prune) under nice so that it runs at a lower CPU priority.
Filter/Exclusion: A job that runs the tool directly (nice -n 19 rsync ...) never matches, because the command line does not end in a shell path; only a job that launches a bare shell does. For those, tune the Sentinel query itself rather than grepping host logs: filter on the parent process (ActingProcessName) or on the known script path in TargetProcessCommandLine, and keep the list of excluded scripts short and reviewed.
Scenario: User-Initiated Background Process via nice
Description: A user runs a resource-intensive application (e.g., ffmpeg, docker, or vmware) in the background under nice to avoid degrading interactive performance.
Filter/Exclusion: Running the application directly does not match the rule. What does match is a user who starts a low-priority interactive shell (for example nice -n 19 /bin/bash), and by command line alone that is indistinguishable from a restricted-shell breakout. Triage on context rather than a blanket per-user exclusion: the parent (ActingProcessName) should be a login shell or terminal session belonging to a known interactive account (ActorUsername), not a service account or a restricted shell such as rbash.
Scenario: Cron Job with nice for Resource Management
Description: A cron job runs a long-running process (e.g., backup.sh, db_dump, or nginx reload) under nice to limit CPU usage.
Filter/Exclusion: The job's command line does not contain the word "cron", so a command-line substring filter for it will not work. Exclude on the parent process instead (ActingProcessName ending in /cron, /crond or /anacron) and confirm the command against the entries in /etc/cron.d/, /etc/crontab and user crontabs; an unfamiliar entry that spawns a shell is itself worth a look, since cron is a common persistence mechanism.
Scenario: Systemd Service with nice for Controlled Resource Usage
Description: A systemd unit wraps its command in nice so it does not over-consume resources (e.g., ExecStart=nice -n -10 /usr/bin/backup-service; the obsolescent spelling nice --10 is equivalent). The native way to do this is the Nice= directive in the [Service] section, which sets the priority without ever spawning nice; a unit whose ExecStart does spawn nice followed by a shell path is the case the rule will flag.
Filter/Exclusion: Check systemd service files (e.g., /etc/systemd/system/*.service) for