---
title: Linux Restricted Shell Breakout via apt/apt-get Changelog Escape
description: Identifies Linux binary apt/apt-get abuse to break out of restricted shells or environments by spawning an interactive system shell. The apt utility...
url: https://www.elastic.co/elastic/docs-builder/docs/3167/reference/security/prebuilt-rules/rules/_deprecated/execution_apt_binary
products:
  - Elastic Security
---

# Linux Restricted Shell Breakout via apt/apt-get Changelog Escape
<warning>
  This rule has been deprecated as of 2022/05/09.
</warning>

Identifies Linux binary apt/apt-get abuse to break out of restricted shells or environments by spawning an
interactive system shell. The apt utility allows us to manage installation and removal of software on Debian-based
Linux distributions, and spawning a shell is not a standard use of this binary for a user or system
administrator. It indicates a potentially malicious actor attempting to improve the capabilities or stability of their
access.

**Rule type**: eql

**Rule indices**:
- logs-endpoint.events.*

**Rule Severity**: medium
**Risk Score**: 47
**Runs every**: 
**Searches indices from**: `now-9m`
**Maximum alerts per execution**: 100
**References**:
- [https://gtfobins.github.io/gtfobins/apt/](https://gtfobins.github.io/gtfobins/apt/)
- [https://gtfobins.github.io/gtfobins/apt-get/](https://gtfobins.github.io/gtfobins/apt-get/)

**Tags**:
- Elastic
- Host
- Linux
- Threat Detection
- Execution
- GTFOBins

**Version**: 100
**Rule authors**:
- Elastic

**Rule license**: Elastic License v2

## Rule Query

```eql
process where event.type == "start" and process.name == "sensible-pager" and
  process.args in ("/bin/sh", "/bin/bash", "/bin/dash", "sh", "bash", "dash") and
  process.parent.name in ("apt", "apt-get") and process.parent.args == "changelog"
```
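To make the clauses of the query above concrete, here is an added Python example (not Elastic's code and not part of the rule) that re-implements the predicate and evaluates it over constructed endpoint events. It assumes EQL's array semantics for `process.args` and `process.parent.args` (a comparison on an array field is true when any element matches) and the nested ECS field layout used by `logs-endpoint.events.*`; the sample events are constructed, not real telemetry, and the package name and temp file path in them are placeholders.

```python
# Added example: a plain-Python re-implementation of the rule's EQL predicate,
# run over constructed sample events. Not Elastic's code; the EQL array
# semantics and ECS field layout are assumptions (see the lead-in).

SHELLS = {"/bin/sh", "/bin/bash", "/bin/dash", "sh", "bash", "dash"}
APT_PARENTS = {"apt", "apt-get"}


def _get(event, path, default=None):
    """Walk a dotted ECS path such as "process.parent.args" through nested dicts."""
    node = event
    for key in path.split("."):
        if not isinstance(node, dict) or key not in node:
            return default
        node = node[key]
    return node


def _any_equals(value, allowed):
    """EQL-style comparison: an array field matches when any element is in `allowed`."""
    if isinstance(value, (list, tuple)):
        return any(v in allowed for v in value)
    return value in allowed


def matches_rule(event):
    """Return True when `event` satisfies every clause of the rule query."""
    return (
        _get(event, "event.type") == "start"
        and _get(event, "process.name") == "sensible-pager"
        and _any_equals(_get(event, "process.args", []), SHELLS)
        and _get(event, "process.parent.name") in APT_PARENTS
        and _any_equals(_get(event, "process.parent.args", []), {"changelog"})
    )


def alerting_event_ids(events):
    """Return the ids of all events the rule would alert on, in input order."""
    return [e["id"] for e in events if matches_rule(e)]


# Constructed sample events in the ECS shape the rule expects (not real telemetry).
SAMPLE_EVENTS = [
    {   # pager launched by `apt changelog` starts a shell: should alert
        "id": "ev-1",
        "event": {"type": "start"},
        "process": {
            "name": "sensible-pager",
            "args": ["sensible-pager", "/bin/sh"],
            "parent": {"name": "apt", "args": ["apt", "changelog", "vim"]},
        },
    },
    {   # normal `apt-get changelog`: the pager opens a temp file, no shell
        "id": "ev-2",
        "event": {"type": "start"},
        "process": {
            "name": "sensible-pager",
            "args": ["sensible-pager", "/tmp/apt-changelog-placeholder"],
            "parent": {"name": "apt-get", "args": ["apt-get", "changelog", "vim"]},
        },
    },
    {   # shell from a pager under `man`: outside this rule's scope
        "id": "ev-3",
        "event": {"type": "start"},
        "process": {
            "name": "sensible-pager",
            "args": ["sensible-pager", "bash"],
            "parent": {"name": "man", "args": ["man", "apt"]},
        },
    },
    {   # matching process tree, but a process end event rather than a start
        "id": "ev-4",
        "event": {"type": "end"},
        "process": {
            "name": "sensible-pager",
            "args": ["sensible-pager", "/bin/dash"],
            "parent": {"name": "apt", "args": ["apt", "changelog", "vim"]},
        },
    },
    {   # parent is apt, but not the changelog subcommand
        "id": "ev-5",
        "event": {"type": "start"},
        "process": {
            "name": "sensible-pager",
            "args": ["sensible-pager", "sh"],
            "parent": {"name": "apt", "args": ["apt", "list", "--upgradable"]},
        },
    },
]


if __name__ == "__main__":
    print(alerting_event_ids(SAMPLE_EVENTS))  # ['ev-1']
```

Only `ev-1` satisfies all five clauses. The negative cases show where the rule's scope ends: a shell spawned from the same pager under a different parent (`ev-3`) or from an apt subcommand other than `changelog` (`ev-5`) is not covered, which is worth knowing when deciding what other detections need to sit alongside this one.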

**Framework:** MITRE ATT&CK
- Tactic:
  - Name: Execution
  - Id: TA0002
  - Reference URL: [https://attack.mitre.org/tactics/TA0002/](https://attack.mitre.org/tactics/TA0002/)
- Technique:
  - Name: Command and Scripting Interpreter
  - Id: T1059
  - Reference URL: [https://attack.mitre.org/techniques/T1059/](https://attack.mitre.org/techniques/T1059/)
- Sub Technique:
  - Name: Unix Shell
  - Id: T1059.004
  - Reference URL: [https://attack.mitre.org/techniques/T1059/004/](https://attack.mitre.org/techniques/T1059/004/)