Shellshock Expression

Feb 1, 2023 · attack.persistence attack.t1505.003 ·

Detects shellshock expressions in log files

Sigma rule (View on GitHub)

 1title: Shellshock Expression
 2id: c67e0c98-4d39-46ee-8f6b-437ebf6b950e
 3status: test
 4description: Detects shellshock expressions in log files
 5references:
 6    - https://owasp.org/www-pdf-archive/Shellshock_-_Tudor_Enache.pdf
 7author: Florian Roth (Nextron Systems)
 8date: 2017/03/14
 9modified: 2022/10/09
10tags:
11    - attack.persistence
12    - attack.t1505.003
13logsource:
14    product: linux
15detection:
16    keywords:
17        - '(){:;};'
18        - '() {:;};'
19        - '() { :;};'
20        - '() { :; };'
21    condition: keywords
22falsepositives:
23    - Unknown
24level: high

References

%PDF-1.5 %µµµµ 1 0 obj >> endobj 2 0 obj endobj 3 0 obj /XObject /Pattern /Font /ProcSet[/PDF/Text/ImageB/ImageC/ImageI] >>/MediaBox[ 0 0 720 540] /Contents 4 0 R/Group /Tabs/S/StructParents 0>> en...

Read More

Related rules

Certificate Request Export to Exchange Webserver
Suspicious MSExchangeMailboxReplication ASPX Write
Webshell ReGeorg Detection Via Web Logs
Exchange Set OabVirtualDirectory ExternalUrl Property
Webshell Usage with ManageEngine Product