Linux Base64 Encoded Shebang In CLI

 1title: Linux Base64 Encoded Shebang In CLI
 2id: fe2f9663-41cb-47e2-b954-8a228f3b9dff
 3status: test
 4description: Detects the presence of a base64 version of the shebang in the commandline, which could indicate a malicious payload about to be decoded
 5references:
 6    - https://www.trendmicro.com/pl_pl/research/20/i/the-evolution-of-malicious-shell-scripts.html
 7    - https://github.com/carlospolop/PEASS-ng/tree/master/linPEAS
 8author: Nasreddine Bencherchali (Nextron Systems)
 9date: 2022-09-15
10tags:
11    - attack.defense-evasion
12    - attack.t1140
13logsource:
14    product: linux
15    category: process_creation
16detection:
17    selection:
18        CommandLine|contains:
19            - "IyEvYmluL2Jhc2" # Note: #!/bin/bash"
20            - "IyEvYmluL2Rhc2" # Note: #!/bin/dash"
21            - "IyEvYmluL3pza" # Note: #!/bin/zsh"
22            - "IyEvYmluL2Zpc2" # Note: #!/bin/fish
23            - "IyEvYmluL3No" # Note: # !/bin/sh"
24    condition: selection
25falsepositives:
26    - Legitimate administration activities
27level: medium

References

• The Evolution of Malicious Shell Scripts

  

  Plain text links were replaced with Base64-encoded text, while some of the code chunks were downloaded or encoded payloads. This is likely done to hide direct payload links, evade security rules us...

  
  Read More

• PEASS-ng/linPEAS at master · peass-ng/PEASS-ng

  

  PEASS - Privilege Escalation Awesome Scripts SUITE (with colors) - peass-ng/PEASS-ng

  
  Read More

Related rules

• Base64 Encoded PowerShell Command Detected
• DNS-over-HTTPS Enabled by Registry
• Linux Base64 Encoded Pipe to Shell
• Linux Shell Pipe to Shell
• MSHTA Suspicious Execution 01