---
title: Linux Restricted Shell Breakout via flock Shell evasion
description: Identifies Linux binary flock abuse to break out from restricted environments by spawning an interactive system shell. The flock utility allows users...
url: https://www.elastic.co/elastic/docs-builder/docs/3167/reference/security/prebuilt-rules/rules/_deprecated/execution_flock_binary
products:
  - Elastic Security
---

# Linux Restricted Shell Breakout via flock Shell evasion
<warning>
  This rule has been deprecated as of 2022/05/09.
</warning>

Identifies Linux binary flock abuse to break out from restricted environments by spawning an interactive system shell.
The flock utility allows users to manage advisory file locks in shell scripts or on the command line. The activity of
spawning a shell is not a standard use of this binary by a user or system administrator. It indicates a potentially
malicious actor attempting to improve the capabilities or stability of their access.
**Rule type**: eql
**Rule indices**:
- logs-endpoint.events.*

**Rule Severity**: medium
**Risk Score**: 47
**Runs every**: 
**Searches indices from**: `now-9m`
**Maximum alerts per execution**: 100
**References**:
- [[https://gtfobins.github.io/gtfobins/flock/](https://gtfobins.github.io/gtfobins/flock/)](https://gtfobins.github.io/gtfobins/flock/)

**Tags**:
- Elastic
- Host
- Linux
- Threat Detection
- Execution
- GTFOBins

**Version**: 100
**Rule authors**:
- Elastic

**Rule license**: Elastic License v2

## Rule Query

```eql
process where event.type == "start" and process.parent.name == "flock" and process.parent.args == "-u" and process.parent.args == "/" and process.parent.args in ("/bin/sh", "/bin/bash", "/bin/dash", "sh", "bash", "dash") and process.name in ("bash", "dash", "sh")
```

**Framework:** MITRE ATT&CK
- Tactic:
  - Name: Execution
- Id: TA0002
- Reference URL: [[https://attack.mitre.org/tactics/TA0002/](https://attack.mitre.org/tactics/TA0002/)](https://attack.mitre.org/tactics/TA0002/)
- Technique:
  - Name: Command and Scripting Interpreter
- Id: T1059
- Reference URL: [[https://attack.mitre.org/techniques/T1059/](https://attack.mitre.org/techniques/T1059/)](https://attack.mitre.org/techniques/T1059/)
- Sub Technique:
  - Name: Unix Shell
- Id: T1059.004
- Reference URL: [[https://attack.mitre.org/techniques/T1059/004/](https://attack.mitre.org/techniques/T1059/004/)](https://attack.mitre.org/techniques/T1059/004/)