Linux Base64 Encoded Pipe to Shell

 1title: Linux Base64 Encoded Pipe to Shell
 2id: ba592c6d-6888-43c3-b8c6-689b8fe47337
 3status: test
 4description: Detects suspicious process command line that uses base64 encoded input for execution with a shell
 5references:
 6    - https://github.com/arget13/DDexec
 7    - https://www.mandiant.com/resources/blog/barracuda-esg-exploited-globally
 8author: pH-T (Nextron Systems)
 9date: 2022-07-26
10modified: 2023-06-16
11tags:
12    - attack.defense-evasion
13    - attack.t1140
14logsource:
15    product: linux
16    category: process_creation
17detection:
18    selection_base64:
19        CommandLine|contains: 'base64 '
20    selection_exec:
21        - CommandLine|contains:
22              - '| bash '
23              - '| sh '
24              - '|bash '
25              - '|sh '
26        - CommandLine|endswith:
27              - ' |sh'
28              - '| bash'
29              - '| sh'
30              - '|bash'
31    condition: all of selection_*
32falsepositives:
33    - Legitimate administration activities
34level: medium

References

• GitHub - arget13/DDexec: A technique to run binaries filelessly and stealthily on Linux by "overwriting" the shell's process with another.

  

  A technique to run binaries filelessly and stealthily on Linux by "overwriting" the shell's process with another. - arget13/DDexec

  
  Read More

• Barracuda ESG Zero-Day Vulnerability (CVE-2023-2868) Exploited Globally by Aggressive and Skilled Actor, Suspected Links to China | Google Cloud Blog

  

  SALTWATER is a module for the Barracuda SMTP daemon (bsmtpd) that has backdoor functionality. SALTWATER can upload or download arbitrary files, execute commands, and has proxy and tunneling capabil...

  
  Read More

Related rules

• Base64 Encoded PowerShell Command Detected
• DNS-over-HTTPS Enabled by Registry
• Linux Base64 Encoded Shebang In CLI
• Linux Shell Pipe to Shell
• MSHTA Suspicious Execution 01