Adversaries may abuse the Linux APT package manager (the apt and apt-get commands) to invoke a shell, execute arbitrary code, and maintain persistence. SOC teams should proactively hunt for this behavior in Azure Sentinel to identify potential compromise and mitigate lateral movement risks.
Detection Rule
title: Shell Invocation via Apt - Linux
id: bb382fd5-b454-47ea-a264-1828e4c766d6
status: test
description: |
  Detects the use of the "apt" and "apt-get" commands to execute a shell or proxy commands.
  Such behavior may be associated with privilege escalation, unauthorized command execution, or attempts to break out of restricted environments.
references:
  - https://gtfobins.github.io/gtfobins/apt/
  - https://gtfobins.github.io/gtfobins/apt-get/
author: Nasreddine Bencherchali (Nextron Systems)
date: 2022-12-28
modified: 2024-09-02
tags:
  - attack.discovery
  - attack.t1083
logsource:
  category: process_creation
  product: linux
detection:
  selection:
    Image|endswith:
      - '/apt'
      - '/apt-get'
    CommandLine|contains: 'APT::Update::Pre-Invoke::='
  condition: selection
falsepositives:
  - Unknown
level: medium
Azure Sentinel Query

imProcessCreate
| where (TargetProcessName endswith "/apt" or TargetProcessName endswith "/apt-get")
    and TargetProcessCommandLine contains "APT::Update::Pre-Invoke::="
False Positive Scenarios

Scenario: System Update via APT
Description: A system administrator runs apt update or apt upgrade as part of routine maintenance.
Filter/Exclusion: Check for the presence of /usr/bin/apt in the command path and exclude commands containing update, upgrade, or dist-upgrade.

Scenario: Scheduled Job via Cron
Description: A legitimate cron job is configured to run a script that uses apt to install dependencies.
Filter/Exclusion: Filter commands that originate from /etc/cron.d/ or /etc/cron.hourly/ and exclude any use of apt in scripts with known job names.

Scenario: Package Installation via APT in DevOps Pipeline
Description: A CI/CD pipeline uses apt to install dependencies for a build process.
Filter/Exclusion: Exclude commands executed within a known CI/CD environment (e.g., /opt/jenkins/, /var/lib/jenkins/) or those that include install with specific package names.

Scenario: Admin Task to Install Monitoring Tools
Description: An admin uses apt to install a monitoring tool like nagios or telegraf.
Filter/Exclusion: Exclude commands that include package names like nagios, telegraf, or grafana and check for the presence of admin user IDs (e.g., root, admin).

Scenario: Use of APT in a Containerized Environment
Description: A Docker container or Kubernetes pod runs apt to install packages required for an application.
Filter/Exclusion: Filter commands that occur within container directories (e.g., /var/lib/docker/, /var/lib/kubelet/) or exclude use of apt in containers with specific
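The following is an added example, not code from the original page or from the Sigma project, that evaluates the rule's selection logic (Image suffix plus the APT::Update::Pre-Invoke::= marker, both copied from the rule above) over a handful of constructed process-creation events, and then applies one narrow tuning filter modelled on the CI/CD scenario above. The event field names, the sample events, and the choice of working directory or parent binary as the field the CI/CD filter keys on are assumptions; the /opt/jenkins/ and /var/lib/jenkins/ prefixes are the ones the scenario names.

```python
"""Evaluate the 'Shell Invocation via Apt - Linux' selection over sample events.

Added example, not code from the original page or from the Sigma project. The
event field names, the sample events and the tuning filter are assumptions; the
image suffixes and the command-line marker are copied from the rule on the page.
"""
from dataclasses import dataclass

# Copied from the rule: the Image|endswith and CommandLine|contains values.
IMAGE_SUFFIXES = ("/apt", "/apt-get")
COMMANDLINE_MARKER = "APT::Update::Pre-Invoke::="

# Assumed tuning filter modelled on the CI/CD false-positive scenario; the
# directory prefixes are the ones that scenario names.
CI_CD_PREFIXES = ("/opt/jenkins/", "/var/lib/jenkins/")


@dataclass(frozen=True)
class ProcessEvent:
    """Minimal Linux process_creation event (assumed field names)."""
    image: str                  # full path of the executed binary (Sigma: Image)
    command_line: str           # Sigma: CommandLine
    parent_image: str = ""      # path of the parent process binary
    current_directory: str = ""  # working directory at process start
    user: str = ""


def matches_selection(ev: ProcessEvent) -> bool:
    """Sigma 'selection': Image ends with /apt or /apt-get AND the command line
    contains the Pre-Invoke marker. Compared case-insensitively, which matches
    both Sigma's default string matching and KQL's endswith/contains."""
    return (ev.image.lower().endswith(IMAGE_SUFFIXES)
            and COMMANDLINE_MARKER.lower() in ev.command_line.lower())


def suppression_reason(ev: ProcessEvent):
    """Return a reason string when a known-benign context applies, else None.
    Deliberately narrow: only hits whose working directory or parent binary
    sits inside a pipeline path named on the page are suppressed."""
    if (ev.current_directory.startswith(CI_CD_PREFIXES)
            or ev.parent_image.startswith(CI_CD_PREFIXES)):
        return "ci-cd-pipeline"
    return None


def triage(ev: ProcessEvent) -> str:
    """'no_match' when the rule does not fire, 'alert' when it fires, or
    'suppressed:<reason>' when it fires but a tuning filter applies."""
    if not matches_selection(ev):
        return "no_match"
    reason = suppression_reason(ev)
    return f"suppressed:{reason}" if reason else "alert"


# Constructed sample events (not real telemetry).
SAMPLE_EVENTS = [
    # Routine maintenance: no marker, so the rule does not fire at all.
    ProcessEvent("/usr/bin/apt", "apt update", "/bin/bash", "/root", "root"),
    ProcessEvent("/usr/bin/apt-get", "apt-get install -y nagios",
                 "/bin/bash", "/root", "root"),
    # Marker present, interactive shell parent, unprivileged user: alert.
    ProcessEvent("/usr/bin/apt", "apt update -o APT::Update::Pre-Invoke::=/bin/sh",
                 "/bin/bash", "/tmp", "www-data"),
    # Same marker but launched from a Jenkins workspace: suppressed by tuning.
    ProcessEvent("/usr/bin/apt-get",
                 "apt-get update -o APT::Update::Pre-Invoke::=/bin/sh",
                 "/usr/bin/java", "/var/lib/jenkins/workspace/build-42", "jenkins"),
    # Different binary: outside the rule's Image suffixes, shown to illustrate scope.
    ProcessEvent("/usr/bin/aptitude",
                 "aptitude -o APT::Update::Pre-Invoke::=/bin/sh update",
                 "/bin/bash", "/tmp", "www-data"),
]


def triage_all(events):
    """Apply triage to each event; returns a list of (command_line, verdict)."""
    return [(ev.command_line, triage(ev)) for ev in events]


if __name__ == "__main__":
    for cmd, verdict in triage_all(SAMPLE_EVENTS):
        print(f"{verdict:26} {cmd}")
```

Running the block shows that the first two events never reach the tuning stage: the rule only fires when the Pre-Invoke marker is present, so plain apt update, upgrade or install invocations are not matched to begin with, and the exclusions listed above only matter for hits that do carry the marker. Because the marker itself is the suspicious part, any such exclusion should stay as narrow as the one here (a specific pipeline path or parent binary) rather than keying on broad words like update or a package name.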