Query Details

Rule : Capability Discovery via getcap

Getcapdetection

Query

DeviceProcessEvents
| where FileName == "getcap" and InitiatingProcessFolderPath != "/usr/bin/vmtoolsd"

About this query

Rule : Capability Discovery via getcap

Description

Detects the use of the getcap command, which is used to query the capabilities of executables on Linux systems. Capabilities can grant elevated privileges to executables, and discovering these capabilities can be part of an attacker's reconnaissance phase. This detection specifically excludes instances where getcap is run by the vmtoolsd service.

Detection Logic

  • Monitors for process events where the executed file name is getcap.
  • Excludes events where the initiating process folder path is /usr/bin/vmtoolsd, which is typically a legitimate use case associated with VMware Tools.

Tags

  • Capability Discovery
  • getcap
  • Process Events
  • Linux

Search Query

Explanation

This query is designed to detect the use of the getcap command on Linux systems, which is used to check the capabilities of executables. Capabilities can grant elevated privileges, so discovering them might be part of an attacker's reconnaissance activities. The query specifically ignores instances where getcap is run by the vmtoolsd service, which is a legitimate use case associated with VMware Tools.

In simple terms:

  • It looks for instances where the getcap command is executed.
  • It ignores these instances if they are initiated by the vmtoolsd service.

The query is useful for identifying potential malicious activity related to capability discovery on Linux systems.

Details

Ali Hussein profile picture

Ali Hussein

Released: July 9, 2024

Tables

DeviceProcessEvents

Keywords

DeviceProcessEventsLinux

Operators

==and!=

Actions

GitHub