Keyboard shortcuts

Press or to navigate between chapters

Press S or / to search in the book

Press ? to show this help

Press Esc to hide this help

GTFObins

The BprmCheck hook can be used to detect the execution of GTFOBins. It checks if privileged shell is executed and returns process information about GTFOBins binary that is spawning the shell.

Config Description

Scope predicate represents the list of GTFOBins filenames. Event predicate represents the list of possible shell filenames and checks if the executing process is running as root.

bprm_check:
  enabled: true
  sandbox:
    enabled: true
    deny_list: true
  rules:
  - rule: GTFOBins  # https://gtfobins.github.io/#+shell%20+SUID%20+Sudo
    scope: binary_name in
      [
        "aa-exec",
        "awk",
        "busctl",
        "busybox",
        ...
      ]
    event: name in ["sh", "bash", "dash", "zsh"] AND euid == 0

When sandbox deny_list mode is set true execution of GTFOBins is blocked.