This note documents detection patterns for Living off the Land (LOL) abuse on Linux systems: an operator driving native binaries (the GTFOBins catalogue) to spawn shells, escalate through sudo, read sensitive files and plant SUID copies, without dropping an external payload.
Direct Indicators
| Source | Grep Pattern / Artifact | Meaning | Forensic Value | Notes |
|---|---|---|---|---|
| Shell history | find ... -exec /bin/sh (e.g. find / -exec /bin/sh \; -quit) | Command execution via native binary | Critical | Common GTFOBins abuse pattern. A path sits between find and -exec, so match find.*-exec rather than the literal string "find -exec". |
| Shell history | awk 'BEGIN {system( | Shell spawn through awk | Critical | Classic interpreter abuse; gawk and mawk accept the same program. |
| Shell history | tar ... --checkpoint-action=exec= | Command execution through tar checkpoint abuse | Critical | Common sudo GTFOBins technique. "-cf /dev/null" is the usual prefix, but the checkpoint-action flag is the reliable match. |
| Shell history | vim -c ':!sh' | Shell escape via editor | Critical | Interactive privilege abuse pattern. An escape typed inside the editor (:!sh) is not recorded; only the -c form lands in history. |
| Shell history | sudo less / sudo more | Shell escape through pager | High | Common local escalation pattern. The !sh escape is typed at the pager prompt and never reaches shell history; look for the pager invocation followed by root-level commands. |
| Shell history | python -c with os.system / pty.spawn | Interpreter abuse for shell / file ops | Critical | Native interpreter weaponization. |
| Shell history | perl -e with exec / system | Inline command execution | High | Often used when bash is restricted. |
| Shell history | openssl enc -base64 / openssl s_client | File transfer / covert encoding | High | Native crypto utility abuse. |
| Shell history | cp /bin/bash | Binary cloning for privilege tricks | Critical | Often paired with SUID abuse. |
| Shell history | chmod u+s, chmod +s, chmod 4755 | SUID planting | Critical | High-confidence privilege abuse; match the octal form as well as the symbolic one. |
| auditd | execve of unusual admin binaries | Native tool abuse evidence | Critical | Best attribution source. |
| sudo logs | Allowed binary abuse | Privileged LOL abuse | Critical | High-signal when sudo is present. |
| journalctl | Unusual binary invocation | Process clues | High | Depends on host logging depth. |
| File metadata | Copied shell or altered binary mode | Persistence / escalation artifact | Critical | Strong post-abuse evidence. |
Indirect Indicators
| Indicator | What To Look For | Forensic Value | Notes |
|---|---|---|---|
| Native binary used where simpler command expected | Over-engineered shell path | High | Suggests GTFOBins familiarity. |
| Allowed sudo binary immediately followed by root shell | Privilege abuse | Critical | Strong escalation chain. |
| Unexpected SUID bit on copied binary | Escalation artifact | Critical | High-confidence malicious action. |
| Editor or pager invoked briefly before shell | Escape behavior | High | Common hands-on operator pattern. |
| File read via odd utility | Sensitive file access using native tools | High | Credential theft attempt. |
| Native tools chained rapidly | Manual operator living off system | High | No external payload needed. |
| Minimal downloader footprint | Pure LOL behavior | High | Higher stealth intent. |
| Rare binary usage by service account | Suspicious context | Critical | Often malicious. |
| Interpreter abuse after sudo | Strong escalation indicator | Critical | Very common GTFOBins chain. |
| SUID plus temp execution | Privilege persistence | Critical | Strong hostile sequence. |
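The two strongest chains in the table above, "allowed sudo binary immediately followed by root shell" and "interpreter abuse after sudo", are easiest to prove from auditd execve records: the escaped shell is a child process of the native binary, and its uid is 0 while its auid (the login user) is not. The script below is an added example written for this note, not code from the original page. It assumes auditd's raw record format with x86_64 syscall numbers (59 = execve, 322 = execveat), and the sample records are constructed, not captured from a real host.

```python
import re
from collections import defaultdict
from typing import Dict, List

# Parents whose GTFOBins "shell" capability forks a child shell. The child's
# ppid in the audit SYSCALL record points back at them.
WATCHLIST = {"find", "awk", "gawk", "mawk", "tar", "vim", "vi", "less", "more",
             "python", "python3", "perl"}
SHELLS = {"sh", "bash", "dash", "zsh", "ksh"}
UNSET_AUID = 4294967295  # auid of daemons and cron jobs: no login session

_HEADER = re.compile(r"type=(\w+) msg=audit\(([\d.]+):(\d+)\):\s*(.*)")
_KV = re.compile(r'(\w+)=("[^"]*"|\S+)')


def _decode(v: str) -> str:
    """EXECVE args are quoted, or hex-encoded when they contain spaces or quotes."""
    if v.startswith('"'):
        return v[1:-1]
    if len(v) % 2 == 0 and re.fullmatch(r"[0-9A-F]+", v):
        return bytes.fromhex(v).decode("utf-8", "replace")
    return v


def parse_audit(lines: List[str]) -> List[Dict]:
    """Join the SYSCALL(execve) and EXECVE records that share one audit event id."""
    events: Dict[int, Dict] = defaultdict(dict)
    for line in lines:
        m = _HEADER.match(line.strip())
        if not m:
            continue
        rtype, ts, eid, rest = m.groups()
        ev = events[int(eid)]
        ev["event"], ev["ts"] = int(eid), float(ts)
        fields = dict(_KV.findall(rest))
        if rtype == "SYSCALL" and fields.get("syscall") in ("59", "322", "execve", "execveat"):
            ev.update(pid=int(fields["pid"]), ppid=int(fields["ppid"]), uid=int(fields["uid"]),
                      auid=int(fields["auid"]), exe=fields["exe"].strip('"'))
        elif rtype == "EXECVE":
            argc = int(fields["argc"])
            ev["argv"] = [_decode(fields[f"a{i}"]) for i in range(argc) if f"a{i}" in fields]
    return [ev for _, ev in sorted(events.items()) if "pid" in ev]


def detect_shell_escapes(lines: List[str]) -> List[Dict]:
    """Flag a shell whose parent is a watchlisted native binary. Critical when the shell
    runs as root for a non-root login user, i.e. the sudo -> GTFOBins -> root shell chain."""
    last_exec: Dict[int, Dict] = {}  # pid -> most recent execve (each execve replaces the image)
    alerts = []
    for ev in parse_audit(lines):
        name = ev["exe"].rsplit("/", 1)[-1]
        parent = last_exec.get(ev["ppid"])
        if name in SHELLS and parent and parent["exe"].rsplit("/", 1)[-1] in WATCHLIST:
            escalated = ev["uid"] == 0 and ev["auid"] not in (0, UNSET_AUID)
            alerts.append({"event": ev["event"], "pid": ev["pid"], "uid": ev["uid"],
                           "auid": ev["auid"], "parent_exe": parent["exe"],
                           "parent_argv": parent.get("argv", []),
                           "severity": "Critical" if escalated else "High"})
        last_exec[ev["pid"]] = ev
    return alerts


SAMPLE_AUDIT_LOG = [  # constructed records in auditd's raw format, not from a real host
    # alice: sudo find / -exec /bin/sh \; -quit   (auid=1000, uid=0 after sudo)
    'type=SYSCALL msg=audit(1709460722.400:5120): arch=c000003e syscall=59 success=yes exit=0 ppid=2230 pid=2231 auid=1000 uid=0 gid=0 euid=0 tty=pts0 ses=3 comm="find" exe="/usr/bin/find" key="exec"',
    'type=EXECVE msg=audit(1709460722.400:5120): argc=6 a0="find" a1="/" a2="-exec" a3="/bin/sh" a4=";" a5="-quit"',
    'type=SYSCALL msg=audit(1709460722.410:5121): arch=c000003e syscall=59 success=yes exit=0 ppid=2231 pid=2232 auid=1000 uid=0 gid=0 euid=0 tty=pts0 ses=3 comm="sh" exe="/usr/bin/dash" key="exec"',
    'type=EXECVE msg=audit(1709460722.410:5121): argc=1 a0="/bin/sh"',
    # alice opens vim as herself and escapes with :!sh (High: no privilege change)
    'type=SYSCALL msg=audit(1709460790.100:5122): arch=c000003e syscall=59 success=yes exit=0 ppid=2200 pid=2240 auid=1000 uid=1000 gid=1000 euid=1000 tty=pts1 ses=3 comm="vim" exe="/usr/bin/vim" key="exec"',
    'type=EXECVE msg=audit(1709460790.100:5122): argc=2 a0="vim" a1="notes.txt"',
    'type=SYSCALL msg=audit(1709460801.250:5123): arch=c000003e syscall=59 success=yes exit=0 ppid=2240 pid=2241 auid=1000 uid=1000 gid=1000 euid=1000 tty=pts1 ses=3 comm="sh" exe="/usr/bin/dash" key="exec"',
    'type=EXECVE msg=audit(1709460801.250:5123): argc=3 a0="/bin/sh" a1="-c" a2="sh"',
    # alice: sudo awk 'BEGIN {system("/bin/sh")}'  (auditd hex-encodes the argument: it contains spaces)
    'type=SYSCALL msg=audit(1709460850.000:5124): arch=c000003e syscall=59 success=yes exit=0 ppid=2230 pid=2250 auid=1000 uid=0 gid=0 euid=0 tty=pts0 ses=3 comm="awk" exe="/usr/bin/gawk" key="exec"',
    'type=EXECVE msg=audit(1709460850.000:5124): argc=2 a0="awk" a1=424547494E207B73797374656D28222F62696E2F736822297D',
    'type=SYSCALL msg=audit(1709460850.020:5125): arch=c000003e syscall=59 success=yes exit=0 ppid=2250 pid=2251 auid=1000 uid=0 gid=0 euid=0 tty=pts0 ses=3 comm="sh" exe="/usr/bin/dash" key="exec"',
    'type=EXECVE msg=audit(1709460850.020:5125): argc=3 a0="sh" a1="-c" a2="/bin/sh"',
    # cron: root shell with no login session and a parent that is not on the watchlist -> not flagged
    'type=SYSCALL msg=audit(1709460900.000:5126): arch=c000003e syscall=59 success=yes exit=0 ppid=900 pid=2260 auid=4294967295 uid=0 gid=0 euid=0 tty=(none) ses=4294967295 comm="sh" exe="/usr/bin/dash" key="exec"',
    'type=EXECVE msg=audit(1709460900.000:5126): argc=3 a0="/bin/sh" a1="-c" a2="/etc/cron.daily/logrotate"',
]

if __name__ == "__main__":
    for a in detect_shell_escapes(SAMPLE_AUDIT_LOG):
        print(a["severity"], "event", a["event"], a["parent_exe"], a["parent_argv"], "-> pid", a["pid"], "uid", a["uid"], "auid", a["auid"])
```

Feed it the output of ausearch -r -sc execve (or the raw /var/log/audit/audit.log) from a host that audits execve; the parent/child link is what turns "sudo ran find" plus "a root shell appeared" into one attributable chain, and the auid field survives sudo, so the login user is never lost.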
Common Tools
| Tool | Usage |
|---|---|
| find | Execute commands via -exec. |
| awk | Shell spawn / file exfiltration. |
| tar | Checkpoint command execution. |
| vim | Shell escape or file edit under sudo. |
| less / more | Pager shell escape. |
| python | Shell spawn, file ops, sockets. |
| perl | Inline command execution. |
| cp | Clone privileged binaries. |
| chmod | SUID manipulation. |
| openssl | Encoding / covert transport. |
Relevant Artifacts
| Artifact | Path / Command | Forensic Value | Notes |
|---|---|---|---|
| Shell history | .bash_history, .zsh_history | Critical | Primary LOL evidence. |
| Sudo logs | /var/log/auth.log, /var/log/secure | Critical | Privileged binary context. |
| Audit logs | /var/log/audit/audit.log | Critical | Process truth. |
| Journald | journalctl | High | Process clues. |
| File modes | find / -perm -4000 | Critical | Detect new SUID artifacts. |
| Binary timestamps | stat | High | Detect copied/altered binaries. |
| Temp directories | /tmp, /var/tmp, /dev/shm | High | Cloned binaries often staged here. |
MITRE ATT&CK References
- T1548 Abuse Elevation Control Mechanism (T1548.001 Setuid and Setgid; T1548.003 Sudo and Sudo Caching)
- T1059 Command and Scripting Interpreter (T1059.004 Unix Shell; T1059.006 Python)
- T1036 Masquerading (T1036.003 Rename System Utilities, for a copied shell staged under an innocuous name)
Decision Tree
- Was a native binary abused?
  - Identify unusual command syntax.
- Did sudo participate?
  - Check the privileged execution path.
- Was a shell obtained?
  - Look for shell spawn patterns.
- Were file permissions changed?
  - Detect SUID or cloned binaries.
- Was persistence introduced?
  - Inspect modified binaries and startup paths.
- Pivot
  - Binary → known GTFOBins capability.
  - User → privilege context.
  - File → timestamp chain.
- Confirm LOL abuse
  - Native binary + shell/persistence outcome = strong living-off-the-land abuse.
Example Detection Templates
Grep
grep -rE 'find .*-exec .*sh|awk .*system\(|checkpoint-action=exec|vim? .*-c .*:?!|python[23]? .*-c .*(os\.system|pty\.spawn)|perl .*-e .*(exec|system)' /home /root /tmp /var/tmp 2>/dev/null
grep -rE 'chmod .*(u?\+s|[4-7][0-7]{3})|cp /bin/(ba)?sh' /home /root /tmp /var/tmp 2>/dev/null
grep -rE 'sudo .*(find|awk|tar|vim|less|more|python[23]?|perl) ' /home/*/.bash_history /home/*/.zsh_history /root/.bash_history /root/.zsh_history 2>/dev/null
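The grep strings above, and the Direct Indicators table they come from, are string fragments; on real history files the fixed strings miss the path between find and -exec, the octal form of chmod, and zsh's timestamp prefix. The scanner below is an added example written for this note, not code from the original page: the same patterns as regexes, keyed to the syntax GTFOBins actually produces, run over a constructed sample history (the sample is not from a real host, and the pattern names and severities are this example's own).

```python
import re
from typing import List, Pattern, Tuple

# GTFOBins-style history patterns as regexes rather than fixed strings: the
# literal "find -exec" never appears in real history because a path sits
# between them, and chmod may be given the octal 4755 instead of u+s.
HISTORY_PATTERNS: List[Tuple[str, str, Pattern[str]]] = [
    ("find-exec-shell",  "Critical", re.compile(r"\bfind\b.*-exec\s+(?:\S*/)?(?:ba|da|z|k)?sh\b")),
    ("awk-system",       "Critical", re.compile(r"\b[gm]?awk\b.*\bsystem\s*\(")),
    ("tar-checkpoint",   "Critical", re.compile(r"\btar\b.*--checkpoint-action[= ]exec")),
    ("vim-shell",        "Critical", re.compile(r"\b(?:vim?|nvim)\b.*(?:-c\s*['\"]?\s*:?!|--cmd)")),
    ("pager-under-sudo", "High",     re.compile(r"\bsudo\b.*\b(?:less|more)\b")),
    ("python-shell",     "Critical", re.compile(r"\bpython[23]?(?:\.\d+)?\b.*-c\b.*(?:os\.system|pty\.spawn|subprocess|os\.exec)")),
    ("perl-exec",        "High",     re.compile(r"\bperl\b.*-e\b.*\b(?:exec|system)\b")),
    ("openssl-covert",   "High",     re.compile(r"\bopenssl\b.*\b(?:enc\b.*-(?:a|base64)\b|s_client|s_server)")),
    ("shell-clone",      "Critical", re.compile(r"\bcp\b.*/bin/(?:ba|da)?sh\b")),
    ("suid-plant",       "Critical", re.compile(r"\bchmod\b.*(?:(?<!\S)[ugoa]*\+s\b|\b[4-7][0-7]{3}\b|u=[rwx]*s)")),
]

# bash with HISTTIMEFORMAT writes "#<epoch>" comment lines before each command;
# zsh extended history prefixes each command with ": <epoch>:<elapsed>;".
_ZSH_PREFIX = re.compile(r"^: \d+:\d+;")


def scan_history(lines: List[str]) -> List[Tuple[int, str, str, str]]:
    """Return (line_no, pattern_name, severity, command) for every history line that matches."""
    hits = []
    for n, raw in enumerate(lines, 1):
        cmd = _ZSH_PREFIX.sub("", raw.strip())
        if not cmd or cmd.startswith("#"):
            continue
        for name, sev, rx in HISTORY_PATTERNS:
            if rx.search(cmd):
                hits.append((n, name, sev, cmd))
    return hits


SAMPLE_HISTORY = [  # constructed sample, not a real user's history
    "ls -la",
    "sudo find / -name '*.conf' -exec grep -l password {} \\;",       # legitimate -exec, no shell
    "sudo find / -exec /bin/sh \\; -quit",
    "cat /etc/hostname",
    "sudo awk 'BEGIN {system(\"/bin/sh\")}'",
    "tar -cf /dev/null /dev/null --checkpoint=1 --checkpoint-action=exec=/bin/sh",
    "sudo vim -c ':!sh'",
    "sudo less /etc/profile",
    "python3 -c 'import pty; pty.spawn(\"/bin/bash\")'",
    "python3 -c 'print(1+1)'",                                          # benign python -c
    "perl -e 'exec \"/bin/sh\";'",
    "openssl enc -base64 -in /etc/shadow",
    "cp /bin/bash /tmp/.cache",
    "chmod 4755 /tmp/.cache",                                           # octal form of u+s
    ": 1700000000:0;chmod u+s /tmp/.cache",                             # zsh extended-history line
]

if __name__ == "__main__":
    for line_no, name, sev, cmd in scan_history(SAMPLE_HISTORY):
        print(f"{sev:8} line {line_no:3} {name:17} {cmd}")
```

Point it at the files grep -r would read (every .bash_history and .zsh_history under /home and /root, plus anything staged in /tmp); the regexes deliberately leave out the bare "find", "awk" and "tar" strings, which match far more administration than abuse.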
Journalctl
journalctl _COMM=sudo | grep -E 'COMMAND=.*/(find|awk|tar|vim|less|more|python[23]?|perl|chmod|cp)( |$)'
File Inspection
find / -perm -4000 -type f 2>/dev/null
find /tmp /var/tmp /dev/shm -perm -4000 -type f 2>/dev/null
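The two find commands list SUID files but leave the analyst to decide which are new and whether any is a cloned shell. The script below, an added example written for this note rather than code from the original page, does that comparison: it walks the given roots the way find -perm -4000 -type f does, drops everything in a baseline, hashes each new SUID file against the system shells, and scores temp-directory placement. The demo scenario is constructed in a temporary directory (a stand-in file plays the role of /bin/bash), so it runs unprivileged; on a real host run it as root with a baseline taken from a known-good image.

```python
import hashlib
import os
import shutil
import stat
import tempfile
from typing import Dict, Iterable, List, Optional, Set

TEMP_DIRS = ("/tmp/", "/var/tmp/", "/dev/shm/")


def sha256(path: str) -> str:
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def find_suid(roots: Iterable[str]) -> List[str]:
    """Equivalent of `find ROOT -perm -4000 -type f`: regular files with the setuid bit,
    walked without following symlinks."""
    found = []
    for root in roots:
        for dirpath, _dirnames, filenames in os.walk(root):
            for name in filenames:
                p = os.path.join(dirpath, name)
                try:
                    st = os.lstat(p)
                except OSError:
                    continue
                if stat.S_ISREG(st.st_mode) and st.st_mode & stat.S_ISUID:
                    found.append(p)
    return sorted(found)


def triage_suid(roots: Iterable[str], baseline: Set[str],
                shell_paths: Iterable[str] = ("/bin/bash", "/bin/sh", "/bin/dash")) -> List[Dict]:
    """Report SUID files absent from the baseline; a byte-identical copy of a shell, or a
    SUID file under a temp directory, is the page's "new SUID shell in temp path" artifact."""
    shell_hashes = {sha256(s): s for s in shell_paths if os.path.isfile(s)}
    findings = []
    for p in find_suid(roots):
        if p in baseline:
            continue
        st = os.lstat(p)
        clone_of: Optional[str] = shell_hashes.get(sha256(p))
        in_temp = p.startswith(TEMP_DIRS)
        findings.append({
            "path": p,
            "mode": oct(st.st_mode & 0o7777),
            "size": st.st_size,
            "mtime": st.st_mtime,      # compare with ctime/atime via stat for the timestamp chain
            "clone_of": clone_of,
            "in_temp": in_temp,
            "severity": "Critical" if clone_of or in_temp else "High",
        })
    return findings


def demo():
    """Constructed scenario: a copy of a 'shell' planted as a hidden file with mode 4755
    next to a normal file. The reference file stands in for /bin/bash."""
    d = tempfile.mkdtemp(prefix="suidtriage-")
    ref = os.path.join(d, "bash.reference")
    with open(ref, "wb") as f:
        f.write(b"\x7fELF-stand-in-for-a-shell-binary\n" * 64)
    clone = os.path.join(d, ".cache")
    shutil.copy(ref, clone)
    os.chmod(clone, 0o4755)            # the attacker's chmod u+s / chmod 4755
    benign = os.path.join(d, "notes.txt")
    with open(benign, "w") as f:
        f.write("nothing here\n")
    os.chmod(benign, 0o644)
    return triage_suid([d], baseline=set(), shell_paths=[ref]), ref, clone


if __name__ == "__main__":
    findings, ref, clone = demo()
    for f in findings:
        print(f["severity"], f["path"], f["mode"], "clone of:", f["clone_of"], "temp:", f["in_temp"])
```

A baseline is simply the sorted output of find / -perm -4000 -type f from the golden image; keeping it in the FIM repository alongside the package-manager file lists makes "new SUID file" a deterministic diff rather than a judgement call.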
Sigma
title: Linux Living Off The Land Abuse
id: linux-lol-abuse
status: experimental
description: Detects GTFOBins-style shell spawns and SUID planting through native Linux binaries in process creation telemetry (for example auditd execve records)
logsource:
    product: linux
    category: process_creation
detection:
    selection_find:
        Image|endswith: '/find'
        CommandLine|re: '-exec\s+(\S*/)?(ba|da|z)?sh\b'
    selection_awk:
        Image|endswith:
            - '/awk'
            - '/gawk'
            - '/mawk'
        CommandLine|contains: 'system('
    selection_tar:
        Image|endswith: '/tar'
        CommandLine|contains: '--checkpoint-action=exec'
    selection_editor:
        Image|endswith:
            - '/vim'
            - '/vi'
        CommandLine|contains: ':!'
    selection_interpreter:
        Image|contains:
            - '/python'
            - '/perl'
        CommandLine|contains:
            - 'os.system'
            - 'pty.spawn'
            - 'exec "/bin/sh'
            - 'exec "/bin/bash'
    selection_suid:
        Image|endswith: '/chmod'
        CommandLine|contains:
            - 'u+s'
            - '+s '
            - ' 4755'
            - ' 4777'
    selection_clone:
        Image|endswith: '/cp'
        CommandLine|contains:
            - '/bin/bash'
            - '/bin/sh'
    condition: 1 of selection_*
fields:
    - Image
    - CommandLine
    - User
    - ParentImage
falsepositives:
    - Legitimate administration and build scripts that call these binaries with the same flags
level: high
tags:
    - attack.execution
    - attack.privilege_escalation
    - attack.t1059.004
    - attack.t1548.003
Mitigation & Hardening
| Control Area | Mitigation | Effectiveness | Notes |
|---|---|---|---|
| Sudo minimization | Restrict dangerous binaries under sudo | Critical | Removes GTFOBins paths. |
| Binary monitoring | Alert on SUID changes | Critical | Strong invariant detection. |
| Auditd | Track execve of risky binaries | High | Strong attribution. |
| Least privilege | Remove unnecessary interpreters for service users | High | Shrinks LOL surface. |
| File integrity monitoring | Watch privileged binaries | High | Detects binary cloning / tampering. |
| Baseline allowed admin tooling | Know legitimate binary use | High | Improves anomaly detection. |
Fast Triage Checks
| Question | Command / Artifact | Why It Matters |
|---|---|---|
| Was native binary abused? | grep shell history | Identify LOL pattern. |
| Was sudo involved? | grep sudo logs | Privilege context. |
| Any new SUID file? | find SUID binaries | Escalation artifact. |
| Was shell spawned? | inspect command chain | Confirms abuse outcome. |
| Any cloned shell binary? | stat suspicious binaries | Persistence clue. |
| Did abuse touch sensitive files? | inspect nearby commands | Credential access possibility. |
High Value Grep Strings
| Pattern | Why It Matters |
|---|---|
| find .*-exec .*sh | Command execution abuse (a path sits between find and -exec). |
| awk 'BEGIN {system( | Shell spawn pattern. |
| --checkpoint-action=exec | tar checkpoint abuse path. |
| vim -c ':!sh' | Editor shell escape. |
| sudo less / sudo more | Pager shell escape (the !sh escape itself is typed at the pager prompt and is not recorded). |
| python -c + os.system / pty.spawn | Native interpreter abuse. |
| perl -e + exec / system | Alternate interpreter abuse. |
| chmod u+s / chmod +s / chmod 4755 | SUID privilege planting. |
| cp /bin/bash | Shell cloning for escalation. |
Analyst Notes
| Scenario | Interpretation |
|---|---|
| Native tool only, no payloads | Higher stealth operator behavior. |
| Sudo binary then root shell | Strong GTFOBins escalation. |
| New SUID shell in temp path | Very high-confidence malicious action. |
| Vim or less briefly opened | Possible shell escape. |
| Multiple native tools chained | Manual operator adaptation. |
| LOL abuse after SSH foothold | Common privilege escalation path. |