EXPLORE
← Back to Explore
sigmahighHunting

Vim GTFOBin Abuse - Linux

Detects the use of "vim" and it's siblings commands to execute a shell or proxy commands. Such behavior may be associated with privilege escalation, unauthorized command execution, or to break out from restricted environments.

MITRE ATT&CK

executiondiscovery

Detection Query

selection_img:
  Image|endswith:
    - /rvim
    - /vi
    - /vim
    - /vimdiff
  CommandLine|contains:
    - " --cmd "
    - " -c"
selection_cli:
  CommandLine|contains:
    - :!/
    - :!$
    - :!..
    - ":lua "
    - ":py "
    - :shell
    - /bin/bash
    - /bin/dash
    - /bin/fish
    - /bin/sh
    - /bin/csh
    - /bin/ksh
    - /bin/zsh
    - /bin/tmux
condition: all of selection_*

Author

Nasreddine Bencherchali (Nextron Systems), Luc Génaux

Created

2022-12-28

Data Sources

linuxProcess Creation Events

Platforms

linux

Tags

attack.executionattack.discoveryattack.t1059attack.t1083
Raw Content
title: Vim GTFOBin Abuse - Linux
id: 7ab8f73a-fcff-428b-84aa-6a5ff7877dea
status: test
description: |
    Detects the use of "vim" and it's siblings commands to execute a shell or proxy commands.
    Such behavior may be associated with privilege escalation, unauthorized command execution, or to break out from restricted environments.
references:
    - https://gtfobins.github.io/gtfobins/vi/
    - https://gtfobins.github.io/gtfobins/vim/
    - https://gtfobins.github.io/gtfobins/rvim/
    - https://gtfobins.github.io/gtfobins/vimdiff/
author: Nasreddine Bencherchali (Nextron Systems), Luc Génaux
date: 2022-12-28
modified: 2026-06-05
tags:
    - attack.execution
    - attack.discovery
    - attack.t1059
    - attack.t1083
logsource:
    category: process_creation
    product: linux
detection:
    selection_img:
        Image|endswith:
            - '/rvim'
            - '/vi'
            - '/vim'
            - '/vimdiff'
        CommandLine|contains:
            - ' --cmd '
            - ' -c'
    selection_cli:
        CommandLine|contains:
            - ':!/'
            - ':!$'
            - ':!..'
            - ':lua '
            - ':py '
            - ':shell'
            - '/bin/bash'
            - '/bin/dash'
            - '/bin/fish'
            - '/bin/sh'
            - '/bin/csh'
            - '/bin/ksh'
            - '/bin/zsh'
            - '/bin/tmux'
    condition: all of selection_*
falsepositives:
    - Unknown
level: high