Linux Restricted Shell Breakout via the vi commandedit

Identifies Linux binary find abuse to break out from restricted environments by spawning an interactive system shell. The vi/vim editor is the standard text editor in Linux distributions, and the activity of spawning a shell is not a standard use of this binary by a user or system administrator. This could potentially indicate a malicious actor attempting to improve the capabilities or stability of their access.

Rule type: eql

Rule indices:


Severity: medium

Risk score: 47

Runs every: 5m

Searches indices from: now-9m (Date Math format, see also Additional look-back time)

Maximum alerts per execution: 100



  • Elastic
  • Host
  • Linux
  • Threat Detection
  • Execution
  • GTFOBins

Version: 2

Rule authors:

  • Elastic

Rule license: Elastic License v2

Rule queryedit

process where event.type == "start" and in ("vi", "vim") and process.parent.args == "-c" and process.parent.args in (":!/bin/bash", ":!/bin/sh", ":!bash", ":!sh") and in ("bash", "sh")