Analytics Story: Linux Living Off The Land

Description

Linux Living Off The Land consists of binaries that may be used to bypass local security restrictions within misconfigured systems.

Why it matters

Similar to the Windows LOLBAS project, the GTFOBins project focuses solely on Unix binaries that may be abused in multiple categories, including reverse shell, file upload, file download and more. These binaries are native to the operating system, and the abused functionality is typically built in as well. The behaviors are neither malicious by default nor vulnerabilities; they are the applications' own built-in functionality. When reviewing notables or hunting through large volumes of events of interest, it's important to identify the binary, review its command-line arguments and file path, and capture any network connections and file modifications. Linux analysis can be cumbersome because of event volume and the way process behavior is represented in EDR products; piecing it together will take some effort.
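As an added illustration of that triage (example code written for this page, not Splunk's detection logic), the following Python parses constructed auditd EXECVE records, decodes the hex-encoded arguments auditd emits for values containing spaces or quotes, and flags a watchlisted binary, with or without a sudo wrapper, whose arguments reach for a shell or command execution. The LOLBINS watchlist and the SHELL_HINTS fragments are assumptions chosen to match the Sudo and Sudo Caching detections listed below.

```python
import re
# Constructed auditd EXECVE records (sample data, not real telemetry); serial 503 shows the
# hex encoding auditd applies to an argument containing spaces or quotes.
SAMPLE_LOG = """\
type=EXECVE msg=audit(1700000000.101:501): argc=6 a0="sudo" a1="find" a2="." a3="-exec" a4="/bin/sh" a5=";"
type=EXECVE msg=audit(1700000000.200:502): argc=2 a0="find" a1="/var/log"
type=EXECVE msg=audit(1700000000.300:503): argc=3 a0="sudo" a1="awk" a2=424547494E207B73797374656D2822696422297D
type=EXECVE msg=audit(1700000000.400:504): argc=2 a0="curl" a1="https://example.invalid/file"
"""

# Assumed watchlist (not Splunk's): binaries named by this story's Sudo and Sudo Caching detections.
LOLBINS = {"find", "awk", "gawk", "php", "node", "ruby", "gdb", "make", "sqlite3", "busybox", "emacs"}
# Argument fragments showing the binary is being used to reach a shell or run a command.
SHELL_HINTS = ("/bin/sh", "/bin/bash", "/bin/dash", "-exec", "system(", "exec(")

EXECVE_RE = re.compile(r"type=EXECVE msg=audit\([\d.]+:(?P<serial>\d+)\):(?P<rest>.*)")
ARG_RE = re.compile(r'\ba(?P<idx>\d+)=(?:"(?P<quoted>[^"]*)"|(?P<raw>\S+))')

def decode_arg(quoted, raw):
    """Quoted text is used as-is; an unquoted even-length hex run is auditd's encoded form."""
    if quoted is not None:
        return quoted
    if len(raw) % 2 == 0 and re.fullmatch(r"[0-9A-Fa-f]+", raw):
        return bytes.fromhex(raw).decode("utf-8", errors="replace")
    return raw

def parse_execve(lines):
    """One record per EXECVE line (SYSCALL/CWD/PATH skipped): audit serial plus reconstructed argv."""
    records = []
    for line in lines:
        m = EXECVE_RE.match(line.strip())
        if not m:
            continue
        args = {int(a.group("idx")): decode_arg(a.group("quoted"), a.group("raw"))
                for a in ARG_RE.finditer(m.group("rest"))}
        records.append({"serial": m.group("serial"), "argv": [args[i] for i in sorted(args)]})
    return records

def triage(records):
    """Flag watchlisted binaries whose arguments reach for a shell, noting whether sudo wrapped them."""
    findings = []
    for rec in records:
        argv = rec["argv"]
        via_sudo = argv[:1] == ["sudo"]
        binary = argv[1] if via_sudo and len(argv) > 1 else (argv[0] if argv else "")
        cmdline = " ".join(argv)
        hits = [h for h in SHELL_HINTS if h in cmdline]
        if binary.rsplit("/", 1)[-1] in LOLBINS and hits:   # match on basename, keep full path in cmdline
            findings.append({"serial": rec["serial"], "binary": binary, "via_sudo": via_sudo,
                             "cmdline": cmdline, "indicators": hits})
    return findings
```

Each finding keeps the binary, the full command line and the sudo context, which is the set of facts the paragraph above says an analyst needs before pivoting to network and file activity for that audit serial.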

Detections

Name | Technique | Type
Linux Possible Append Cronjob Entry on Existing Cronjob File | Cron | Hunting
Linux c99 Privilege Escalation | Sudo and Sudo Caching | Anomaly
Linux Common Process For Elevation Control | Setuid and Setgid | Hunting
Linux Curl Upload File | Ingress Tool Transfer | TTP
Linux Auditd System Network Configuration Discovery | System Network Configuration Discovery | Anomaly
Linux Octave Privilege Escalation | Sudo and Sudo Caching | Anomaly
Linux Auditd Disable Or Modify System Firewall | Disable or Modify System Firewall | Anomaly
Linux Possible Ssh Key File Creation | SSH Authorized Keys | Anomaly
Linux GNU Awk Privilege Escalation | Sudo and Sudo Caching | Anomaly
Linux Service File Created In Systemd Directory | Systemd Timers | Anomaly
Linux pkexec Privilege Escalation | Exploitation for Privilege Escalation | TTP
Linux Edit Cron Table Parameter | Cron | Hunting
Linux Auditd Auditd Service Stop | Service Stop | Anomaly
Linux Node Privilege Escalation | Sudo and Sudo Caching | Anomaly
Linux AWK Privilege Escalation | Sudo and Sudo Caching | Anomaly
Linux Auditd Setuid Using Chmod Utility | Setuid and Setgid | Anomaly
Linux Service Restarted | Systemd Timers | Anomaly
Linux Auditd Virtual Disk File And Directory Discovery | File and Directory Discovery | Anomaly
Linux PHP Privilege Escalation | Sudo and Sudo Caching | Anomaly
Linux Auditd Kernel Module Using Rmmod Utility | Kernel Modules and Extensions | TTP
Linux SSH Authorized Keys Modification | SSH Authorized Keys | Anomaly
Linux Composer Privilege Escalation | Sudo and Sudo Caching | Anomaly
Linux Auditd Osquery Service Stop | Service Stop | Anomaly
Linux Auditd Change File Owner To Root | Linux and Mac Permissions | Anomaly
Linux Find Privilege Escalation | Sudo and Sudo Caching | Anomaly
Linux SSH Remote Services Script Execute | SSH | TTP
Linux Emacs Privilege Escalation | Sudo and Sudo Caching | Anomaly
Linux Possible Access Or Modification Of sshd Config File | SSH Authorized Keys | Anomaly
Linux At Application Execution | At | Anomaly
Linux Auditd Add User Account Type | Local Account | Anomaly
Linux Possible Cronjob Modification With Editor | Cron | Hunting
Linux Auditd Service Restarted | Systemd Timers | Anomaly
Linux Adding Crontab Using List Parameter | Cron | Hunting
Linux Change File Owner To Root | Linux and Mac Permissions | Anomaly
Linux Auditd Unix Shell Configuration Modification | Unix Shell Configuration Modification | TTP
Linux Auditd Data Transfer Size Limits Via Split Syscall | Data Transfer Size Limits | Anomaly
Linux Auditd Hidden Files And Directories Creation | File and Directory Discovery | Anomaly
Linux Clipboard Data Copy | Clipboard Data | Anomaly
Linux Ingress Tool Transfer Hunting | Ingress Tool Transfer | Hunting
Linux Docker Root Directory Mount | Escape to Host | TTP
Linux Auditd Service Started | Service Execution | Anomaly
Linux GDB Privilege Escalation | Sudo and Sudo Caching | Anomaly
Linux At Allow Config File Creation | Cron | Anomaly
Suspicious Curl Network Connection | Ingress Tool Transfer | TTP
Linux Auditd Preload Hijack Via Preload File | Dynamic Linker Hijacking | TTP
Linux Service Started Or Enabled | Systemd Timers | Anomaly
Linux MySQL Privilege Escalation | Sudo and Sudo Caching | Anomaly
Linux Auditd At Application Execution | At | Anomaly
Linux Auditd Clipboard Data Copy | Clipboard Data | Anomaly
Linux Auditd File Permission Modification Via Chmod | Linux and Mac Permissions | Anomaly
Linux Auditd Find Credentials From Password Managers | Password Managers | TTP
Linux Auditd Possible Append Cronjob Entry On Existing Cronjob File | Cron | Hunting
Linux Make Privilege Escalation | Sudo and Sudo Caching | Anomaly
Linux Auditd Find Credentials From Password Stores | Password Managers | TTP
Linux Auditd Database File And Directory Discovery | File and Directory Discovery | Anomaly
Linux Auditd Possible Access Or Modification Of Sshd Config File | SSH Authorized Keys | Anomaly
Linux Auditd File Permissions Modification Via Chattr | Linux and Mac Permissions | Anomaly
Linux APT Privilege Escalation | Sudo and Sudo Caching | Anomaly
Linux RPM Privilege Escalation | Sudo and Sudo Caching | Anomaly
Linux Setuid Using Chmod Utility | Setuid and Setgid | Anomaly
Linux Auditd Base64 Decode Files | Deobfuscate/Decode Files or Information | Anomaly
Linux Auditd Unload Module Via Modprobe | Kernel Modules and Extensions | TTP
Linux Obfuscated Files or Information Base64 Decode | Obfuscated Files or Information | Anomaly
Linux Proxy Socks Curl | Proxy, Non-Application Layer Protocol | TTP
Linux Docker Shell Execution | Container CLI/API | Anomaly
Linux Decode Base64 to Shell | Obfuscated Files or Information, Unix Shell | TTP
Linux Auditd Whoami User Discovery | System Owner/User Discovery | Anomaly
Linux Auditd Sysmon Service Stop | Service Stop | Anomaly
File Download or Read to Pipe Execution | Ingress Tool Transfer | TTP
Linux Sqlite3 Privilege Escalation | Sudo and Sudo Caching | Anomaly
Linux Busybox Privilege Escalation | Sudo and Sudo Caching | Anomaly
Linux Ruby Privilege Escalation | Sudo and Sudo Caching | Anomaly
Linux Ingress Tool Transfer with Curl | Ingress Tool Transfer | Anomaly
Linux OpenVPN Privilege Escalation | Sudo and Sudo Caching | Anomaly
Linux Puppet Privilege Escalation | Sudo and Sudo Caching | Anomaly
Linux Auditd Data Transfer Size Limits Via Split | Data Transfer Size Limits | Anomaly
Linux Gem Privilege Escalation | Sudo and Sudo Caching | Anomaly
Linux Auditd Private Keys and Certificate Enumeration | Private Keys | Anomaly
Linux Cpulimit Privilege Escalation | Sudo and Sudo Caching | Anomaly
Linux Csvtool Privilege Escalation | Sudo and Sudo Caching | Anomaly
Linux Auditd File And Directory Discovery | File and Directory Discovery | Anomaly
Linux Add Files In Known Crontab Directories | Cron | Anomaly
Windows Suspicious QEMU Execution | Data Obfuscation, Masquerading, Malicious File, Run Virtual Instance | TTP
Linux c89 Privilege Escalation | Sudo and Sudo Caching | Anomaly
Linux Auditd Edit Cron Table Parameter | Cron | Anomaly
Linux Auditd Find Ssh Private Keys | Private Keys | Anomaly

Data Sources

Name | Platform | Sourcetype | Source
Sysmon for Linux EventID 1 | Linux | sysmon:linux | Syslog:Linux-Sysmon/Operational
Cisco Isovalent Process Exec | Other | cisco:isovalent:processExec | not_applicable
Linux Auditd Syscall | Linux | auditd | auditd
Linux Auditd Service Stop | Linux | auditd | auditd
Sysmon for Linux EventID 11 | Linux | sysmon:linux | Syslog:Linux-Sysmon/Operational
Linux Auditd Proctitle | Linux | auditd | auditd
Linux Auditd Execve | Linux | auditd | auditd
Linux Auditd Add User | Linux | auditd | auditd
Linux Auditd Path | Linux | auditd | auditd
Linux Auditd Cwd | Linux | auditd | auditd
Windows Event Log Security 4688 | Windows | XmlWinEventLog | XmlWinEventLog:Security
Sysmon EventID 1 | Windows | XmlWinEventLog | XmlWinEventLog:Microsoft-Windows-Sysmon/Operational
CrowdStrike ProcessRollup2 | Other | crowdstrike:events:sensor | crowdstrike

References


Source: GitHub | Version: 2