Space After Filename
Detects space after filename
Sigma rule (View on GitHub)
1title: Space After Filename
2id: 879c3015-c88b-4782-93d7-07adf92dbcb7
3status: test
4description: Detects space after filename
5references:
6 - https://attack.mitre.org/techniques/T1064
7author: Ömer Günal
8date: 2020/06/17
9modified: 2021/11/27
10tags:
11 - attack.execution
12logsource:
13 product: linux
14detection:
15 selection1:
16 - 'echo "*" > * && chmod +x *'
17 selection2:
18 - 'mv * "* "'
19 condition: all of selection*
20falsepositives:
21 - Typos
22level: low
References
Related rules
- PCRE.NET Package Temp Files
- Abuse of the Windows Server Update Services (WSUS) for lateral movement.
- FakeUpdates/SocGholish Malware Detection
- Scheduled task executing powershell encoded payload from registry
- ms-msdt for RCE CVE-2022-30190