Linux Base64 Encoded Pipe to Shell

Detects a suspicious process command line that decodes base64-encoded input and pipes it into a shell (bash or sh) for execution.

Sigma rule

title: Linux Base64 Encoded Pipe to Shell
id: ba592c6d-6888-43c3-b8c6-689b8fe47337
status: experimental
description: Detects suspicious process command line that uses base64 encoded input for execution with a shell
references:
    - https://github.com/arget13/DDexec
    - https://www.mandiant.com/resources/blog/barracuda-esg-exploited-globally
author: pH-T (Nextron Systems)
date: 2022/07/26
modified: 2023/06/16
tags:
    - attack.defense_evasion
    - attack.t1140
logsource:
    product: linux
    category: process_creation
detection:
    selection_base64:
        CommandLine|contains: 'base64 '
    selection_exec:
        - CommandLine|contains:
              - '| bash '
              - '| sh '
              - '|bash '
              - '|sh '
        - CommandLine|endswith:
              - ' |sh'
              - '| bash'
              - '| sh'
              - '|bash'
    condition: all of selection_*
falsepositives:
    - Legitimate administration activities
level: medium
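As an added example (not code from the rule or the SigmaHQ project), a small Python matcher that implements the two selections and the `all of selection_*` condition and runs them over constructed sample command lines. It assumes Sigma's default case-insensitive string matching and a plain `CommandLine` string as input.

```python
"""Reference matcher for the Sigma rule above (added example, not part of the
rule or the SigmaHQ project). Implements selection_base64, selection_exec and
the `all of selection_*` condition with Sigma's default case-insensitive
string matching, then runs it over constructed process_creation samples."""

# Patterns copied from the rule's detection section.
BASE64_CONTAINS = ["base64 "]
EXEC_CONTAINS = ["| bash ", "| sh ", "|bash ", "|sh "]
EXEC_ENDSWITH = [" |sh", "| bash", "| sh", "|bash"]


def matches_rule(command_line: str) -> bool:
    """Return True when the command line satisfies `all of selection_*`.

    Sigma string modifiers are case-insensitive unless `cased` is used, so
    the command line is lower-cased before comparison (the patterns are
    already lower-case).
    """
    cl = command_line.lower()
    selection_base64 = any(p in cl for p in BASE64_CONTAINS)
    # A list of maps under selection_exec is OR-ed: contains OR endswith.
    selection_exec = any(p in cl for p in EXEC_CONTAINS) or any(
        cl.endswith(p) for p in EXEC_ENDSWITH
    )
    return selection_base64 and selection_exec


def scan(command_lines):
    """Return the subset of command lines the rule would alert on."""
    return [c for c in command_lines if matches_rule(c)]


# Constructed sample telemetry (not real events); aGVsbG8= decodes to "hello".
SAMPLE_COMMAND_LINES = [
    "echo aGVsbG8= | base64 -d | sh",           # hit: contains + endswith
    "base64 -d script.b64 |bash -x",            # hit: '|bash ' variant
    "base64 -d config.b64 > config.json",       # miss: no shell pipe
    "cat notes.txt | sh",                       # miss: no 'base64 '
    "base64 -w0 image.png | SH",                # hit: case-insensitive match
]

if __name__ == "__main__":
    for hit in scan(SAMPLE_COMMAND_LINES):
        print("ALERT:", hit)
```

The third sample shows why the rule needs both selections: decoding base64 on its own is routine administration (the rule's stated false positive), and only the pipe into a shell makes it suspicious.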
