Shellshock Expression

Aug 12, 2024 · attack.persistence attack.t1505.003 ·

Detects shellshock expressions in log files

Sigma rule (View on GitHub)

 1title: Shellshock Expression
 2id: c67e0c98-4d39-46ee-8f6b-437ebf6b950e
 3status: test
 4description: Detects shellshock expressions in log files
 5references:
 6    - https://owasp.org/www-pdf-archive/Shellshock_-_Tudor_Enache.pdf
 7author: Florian Roth (Nextron Systems)
 8date: 2017-03-14
 9modified: 2022-10-09
10tags:
11    - attack.persistence
12    - attack.t1505.003
13logsource:
14    product: linux
15detection:
16    keywords:
17        - '(){:;};'
18        - '() {:;};'
19        - '() { :;};'
20        - '() { :; };'
21    condition: keywords
22falsepositives:
23    - Unknown
24level: high

References

Build software better, together

GitHub is where people build software. More than 100 million people use GitHub to discover, fork, and contribute to over 420 million projects.

Read More

Related rules

CVE-2021-40539 Zoho ManageEngine ADSelfService Plus Exploit
Certificate Request Export to Exchange Webserver
Chopper Webshell Process Pattern
DEWMODE Webshell Access
Exchange Set OabVirtualDirectory ExternalUrl Property

Shellshock Expression

Sigma rule (View on GitHub)

References

Build software better, together

Related rules