
Capabilities Discovery - Linux

Format: Sigma · Level: low · Source: SigmaHQ · ATT&CK: T1083 · Sentinel table: imProcessCreate
This detection content is auto-generated from open-source rule repositories and enriched with AI analysis. Always validate rules in a test environment before deploying to production Sentinel workspaces.
Retrieved: 2026-03-19T03:46:59Z · Confidence: medium

Hunt Hypothesis

Detects usage of the "getcap" binary. It is often run during reconnaissance to find binaries that carry file capabilities and could be abused, such as those catalogued by GTFOBins.

Detection Rule

Sigma (Original)

title: Capabilities Discovery - Linux
id: d8d97d51-122d-4cdd-9e2f-01b4b4933530
status: test
description: Detects usage of "getcap" binary. This is often used during recon activity to determine potential binaries that can be abused as GTFOBins or other.
references:
    - https://github.com/SaiSathvik1/Linux-Privilege-Escalation-Notes
    - https://github.com/carlospolop/PEASS-ng
    - https://github.com/diego-treitos/linux-smart-enumeration
author: Nasreddine Bencherchali (Nextron Systems)
date: 2022-12-28
modified: 2026-01-24
tags:
    - attack.discovery
    - attack.t1083
logsource:
    category: process_creation
    product: linux
detection:
    selection:
        Image|endswith: '/getcap'
        CommandLine|contains: ' -r '
    condition: selection
falsepositives:
    - Unknown
level: low

KQL (Azure Sentinel)

imProcessCreate
| where TargetProcessName endswith "/getcap" and TargetProcessCommandLine contains " -r "
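The Sigma selection and its KQL translation above reduce to two string tests: a case-insensitive suffix match on the image path and a case-insensitive substring match on the literal space-padded token. The following Python is an added example, not part of the SigmaHQ rule or this page, that applies exactly that logic to constructed process-creation events (the `ProcessEvent` type and the sample events are assumptions for illustration) so the matching behaviour, including the padded-token edge case, can be checked offline.

```python
# Added example (not part of the SigmaHQ rule or this page): evaluates the
# rule's `selection` logic over constructed Linux process-creation events.
from dataclasses import dataclass


@dataclass(frozen=True)
class ProcessEvent:
    """Minimal stand-in (assumed) for an imProcessCreate row."""
    image: str          # TargetProcessName: full path of the executed binary
    command_line: str   # TargetProcessCommandLine: the full command line


# Sigma string modifiers are case-insensitive by default, and the KQL
# `endswith` / `contains` operators used in the translation are too.
IMAGE_SUFFIX = "/getcap"
CMDLINE_TOKEN = " -r "   # padded on both sides, exactly as the rule writes it


def matches_capa_discovery(event: ProcessEvent) -> bool:
    """Return True when the event satisfies both conditions of `selection`."""
    image_ok = event.image.lower().endswith(IMAGE_SUFFIX)
    cmdline_ok = CMDLINE_TOKEN in event.command_line.lower()
    return image_ok and cmdline_ok


def run_detection(events: list[ProcessEvent]) -> list[ProcessEvent]:
    """Return the subset of events that would raise this alert."""
    return [e for e in events if matches_capa_discovery(e)]


# Constructed sample events (not real telemetry).
SAMPLE_EVENTS = [
    ProcessEvent("/usr/sbin/getcap", "getcap -r / 2>/dev/null"),  # recursive scan: match
    ProcessEvent("/usr/sbin/getcap", "getcap /usr/bin/python3"),  # single file, no -r: no match
    ProcessEvent("/usr/sbin/setcap", "setcap -r /usr/bin/ping"),  # different binary: no match
    ProcessEvent("/usr/sbin/getcap", "getcap -r"),                # -r is the last token, so the
                                                                  # padded " -r " never occurs: no match
    ProcessEvent("/usr/sbin/getcap", "getcap -v -r /usr/bin"),    # -r anywhere mid-line: match
]

if __name__ == "__main__":
    for hit in run_detection(SAMPLE_EVENTS):
        print("ALERT:", hit.image, "|", hit.command_line)
```

The fourth event shows why the padded literal matters: a command line that ends in `-r` is not covered by `contains " -r "`, which is worth knowing when tuning the rule or when the log source trims trailing whitespace.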

Required Data Sources

Sentinel table: imProcessCreate
Notes: Ensure this data connector is enabled.

References

Original source: https://github.com/SigmaHQ/sigma/blob/master/rules/linux/process_creation/proc_creation_lnx_capa_discovery.yml