Space After Filename

Aug 12, 2024 · attack.execution ·

Detects space after filename

Sigma rule (View on GitHub)

 1title: Space After Filename
 2id: 879c3015-c88b-4782-93d7-07adf92dbcb7
 3status: test
 4description: Detects space after filename
 5references:
 6    - https://attack.mitre.org/techniques/T1064
 7author: Ömer Günal
 8date: 2020-06-17
 9modified: 2021-11-27
10tags:
11    - attack.execution
12logsource:
13    product: linux
14detection:
15    selection1:
16        - 'echo "*" > * && chmod +x *'
17    selection2:
18        - 'mv * "* "'
19    condition: all of selection*
20falsepositives:
21    - Typos
22level: low

References

Scripting, Technique T1064 - Enterprise | MITRE ATT&CK®

© 2015 - 2024, The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation.

Read More

Related rules

AADInternals PowerShell Cmdlets Execution - ProccessCreation
AADInternals PowerShell Cmdlets Execution - PsScript
AMSI Bypass Pattern Assembly GetType
APT29 2018 Phishing Campaign CommandLine Indicators
AWS EC2 Startup Shell Script Change

Space After Filename

Sigma rule (View on GitHub)

References

Scripting, Technique T1064 - Enterprise | MITRE ATT&CK®

Related rules