Rule : Capability Discovery via getcap
Getcapdetection
Query
DeviceProcessEvents
| where FileName == "getcap" and InitiatingProcessFolderPath != "/usr/bin/vmtoolsd"About this query
Rule : Capability Discovery via getcap
Description
Detects the use of the getcap command, which is used to query the capabilities of executables on Linux systems. Capabilities can grant elevated privileges to executables, and discovering these capabilities can be part of an attacker's reconnaissance phase. This detection specifically excludes instances where getcap is run by the vmtoolsd service.
Detection Logic
- Monitors for process events where the executed file name is
getcap. - Excludes events where the initiating process folder path is
/usr/bin/vmtoolsd, which is typically a legitimate use case associated with VMware Tools.
Tags
- Capability Discovery
- getcap
- Process Events
- Linux
Search Query
Explanation
This query is designed to detect the use of the getcap command on Linux systems, which is used to check the capabilities of executables. Capabilities can grant elevated privileges, so discovering them might be part of an attacker's reconnaissance activities. The query specifically ignores instances where getcap is run by the vmtoolsd service, which is a legitimate use case associated with VMware Tools.
In simple terms:
- It looks for instances where the
getcapcommand is executed. - It ignores these instances if they are initiated by the
vmtoolsdservice.
The query is useful for identifying potential malicious activity related to capability discovery on Linux systems.
Details

Ali Hussein
Released: July 9, 2024
Tables
Keywords
Operators