Adversaries may abuse Vim, a known GTFOBin, to execute arbitrary commands with elevated privileges while bypassing standard detection mechanisms. SOC teams should proactively hunt for this behavior in Azure Sentinel to identify potential privilege escalation and persistence tactics early.
Detection Rule
title: Vim GTFOBin Abuse - Linux
id: 7ab8f73a-fcff-428b-84aa-6a5ff7877dea
status: test
description: |
    Detects the use of "vim" and its sibling commands to execute a shell or proxy commands.
    Such behavior may be associated with privilege escalation, unauthorized command execution, or breaking out of restricted environments.
references:
    - https://gtfobins.github.io/gtfobins/vim/
    - https://gtfobins.github.io/gtfobins/rvim/
    - https://gtfobins.github.io/gtfobins/vimdiff/
author: Nasreddine Bencherchali (Nextron Systems)
date: 2022-12-28
modified: 2024-09-02
tags:
    - attack.discovery
    - attack.t1083
logsource:
    category: process_creation
    product: linux
detection:
    selection_img:
        Image|endswith:
            - '/rvim'
            - '/vim'
            - '/vimdiff'
        CommandLine|contains:
            - ' --cmd'
            - ' -c '
    selection_cli:
        CommandLine|contains:
            - ':!/'
            - ':lua '
            - ':py '
            - '/bin/bash'
            - '/bin/dash'
            - '/bin/fish'
            - '/bin/sh'
            - '/bin/zsh'
    condition: all of selection_*
falsepositives:
    - Unknown
level: high
imProcessCreate
| where (TargetProcessName endswith "/rvim" or TargetProcessName endswith "/vim" or TargetProcessName endswith "/vimdiff")
    and (TargetProcessCommandLine contains " --cmd" or TargetProcessCommandLine contains " -c ")
    and (TargetProcessCommandLine contains ":!/" or TargetProcessCommandLine contains ":lua " or TargetProcessCommandLine contains ":py "
        or TargetProcessCommandLine contains "/bin/bash" or TargetProcessCommandLine contains "/bin/dash" or TargetProcessCommandLine contains "/bin/fish"
        or TargetProcessCommandLine contains "/bin/sh" or TargetProcessCommandLine contains "/bin/zsh")
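As an added example (not part of the rule or of this page), the Sigma selection logic re-implemented in Python and run over constructed process-creation events, together with the maintenance allow-list that the false-positive scenarios below suggest; the tool-name regex and the sample events are my assumptions.

```python
import re

# Selection values copied from the Sigma rule above.
IMAGE_SUFFIXES = ("/rvim", "/vim", "/vimdiff")
CMD_FLAGS = (" --cmd", " -c ")
SHELL_MARKERS = (":!/", ":lua ", ":py ",
                 "/bin/bash", "/bin/dash", "/bin/fish", "/bin/sh", "/bin/zsh")
# Assumed allow-list built from the tool names the false-positive scenarios below
# suggest; the word-boundary regex is my choice, not the page's.
KNOWN_ADMIN_TOOLS = re.compile(r"\b(apt|yum|dnf|systemctl|service|journalctl)\b", re.I)

def _endswith_any(value, suffixes):
    # Sigma modifiers are case-insensitive by default, as are KQL endswith/contains.
    return any(value.lower().endswith(s) for s in suffixes)

def _contains_any(value, needles):
    return any(n in value.lower() for n in needles)

def matches_rule(event):
    """selection_img AND selection_cli, i.e. 'condition: all of selection_*'."""
    image, cmdline = event.get("Image", ""), event.get("CommandLine", "")
    selection_img = _endswith_any(image, IMAGE_SUFFIXES) and _contains_any(cmdline, CMD_FLAGS)
    selection_cli = _contains_any(cmdline, SHELL_MARKERS)
    return selection_img and selection_cli

def triage(event):
    """Rule hit plus the maintenance filter: 'alert', 'suppressed' or 'no_match'."""
    if not matches_rule(event):
        return "no_match"
    if KNOWN_ADMIN_TOOLS.search(event.get("CommandLine", "")):
        return "suppressed"
    return "alert"

# Constructed process_creation events, not real telemetry.
SAMPLE_EVENTS = {
    "shell_escape": {"Image": "/usr/bin/vim", "CommandLine": "vim -c ':!/bin/sh' notes.txt"},
    "plain_edit": {"Image": "/usr/bin/vim", "CommandLine": "vim /etc/nginx/nginx.conf"},
    # Scenario 1 as written: ':!apt' has no '/' right after ':!' and no shell path, so no hit.
    "apt_relative": {"Image": "/usr/bin/vim",
                     "CommandLine": "vim -c ':!apt update && apt upgrade' /etc/hosts"},
    # The same task with an absolute path does hit, which is what the filter must absorb.
    "apt_absolute": {"Image": "/usr/bin/vim", "CommandLine": "vim -c ':!/usr/bin/apt update' /etc/hosts"},
    "restart_nginx": {"Image": "/usr/bin/vimdiff",
                      "CommandLine": "vimdiff --cmd ':!/bin/systemctl restart nginx' a.conf b.conf"},
}

if __name__ == "__main__":
    for name, event in SAMPLE_EVENTS.items():
        print(f"{name:14} -> {triage(event)}")
```

Note that the relative-path apt scenario never reaches the rule at all, so a filter for it only matters when the command uses an absolute path.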
Scenario: System Update via vim with :! command
Description: An administrator uses vim to edit a configuration file and runs a system update command like :!apt update && apt upgrade as part of routine maintenance.
Filter/Exclusion: Check for the presence of apt, yum, or dnf in the command line, or filter by user (e.g., root or an admin account performing known update tasks).
Scenario: Scheduled Job Using vim for Script Editing
Description: A cron job or systemd timer uses vim to edit a script file before executing it, such as editing a backup script before running it.
Filter/Exclusion: Filter by process owner (e.g., root or backup user), or check for presence of cron or systemd in the command line.
Scenario: Admin Task with vim and External Command
Description: An admin uses vim to edit a configuration file and runs a command like :!systemctl restart nginx as part of a service configuration change.
Filter/Exclusion: Filter for known admin commands (e.g., systemctl, service, journalctl) or check for the presence of nginx, apache, or other service names in the command.
Scenario: Script Development with vim and Debugging Commands
Description: A developer uses vim to write a script and runs debugging commands like :!python3 -m pdb script.py to test it.
Filter/Exclusion: Filter for the presence of python, node, or other interpreter names, or check for pdb, node-inspect, or similar debugging tools.
Scenario: Log File Rotation with vim and External Tools
Description: A sysadmin