Linux Base64 Encoded Shebang In CLI

Detects the base64-encoded form of a shell shebang in a process command line, which could indicate a malicious payload about to be decoded and executed

Sigma rule

title: Linux Base64 Encoded Shebang In CLI
id: fe2f9663-41cb-47e2-b954-8a228f3b9dff
status: test
description: Detects the presence of a base64 version of the shebang in the commandline, which could indicate a malicious payload about to be decoded
references:
    - https://www.trendmicro.com/pl_pl/research/20/i/the-evolution-of-malicious-shell-scripts.html
    - https://github.com/carlospolop/PEASS-ng/tree/master/linPEAS
author: Nasreddine Bencherchali (Nextron Systems)
date: 2022/09/15
tags:
    - attack.defense_evasion
    - attack.t1140
logsource:
    product: linux
    category: process_creation
detection:
    selection:
        CommandLine|contains:
            - "IyEvYmluL2Jhc2" # Note: base64 prefix of "#!/bin/bash"
            - "IyEvYmluL2Rhc2" # Note: base64 prefix of "#!/bin/dash"
            - "IyEvYmluL3pza" # Note: base64 prefix of "#!/bin/zsh"
            - "IyEvYmluL2Zpc2" # Note: base64 prefix of "#!/bin/fish"
            - "IyEvYmluL3No" # Note: base64 prefix of "#!/bin/sh"
    condition: selection
falsepositives:
    - Legitimate administration activities
level: medium
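As an added example (not part of the rule or of the Sigma project), the following Python shows why the five `contains` strings are truncated the way they are and then applies them to constructed command lines: base64 maps each 3-byte group to 4 characters, so only the characters fully determined by the shebang's own bytes are stable, and the rule keeps exactly those. The sample events, `stable_b64_prefix` and `matches_rule` are constructed for this illustration.

```python
import base64

# The interpreters named in the rule's comments.
SHEBANGS = ["#!/bin/bash", "#!/bin/dash", "#!/bin/zsh", "#!/bin/fish", "#!/bin/sh"]


def stable_b64_prefix(s: str) -> str:
    """Return the leading base64 characters that depend only on the bytes of `s`.

    Base64 packs 3 input bytes into 4 output characters. In the final partial
    group, a 1-byte remainder fully determines 1 character and a 2-byte
    remainder 2 characters; the rest of that group mixes in whatever follows
    `s` in the payload, so it is dropped to keep the pattern payload-agnostic.
    """
    raw = s.encode()
    full, rem = divmod(len(raw), 3)
    stable = full * 4 + rem
    return base64.b64encode(raw).decode()[:stable]


# Recomputed from the shebangs; matches the rule's five literal strings.
RULE_STRINGS = [stable_b64_prefix(s) for s in SHEBANGS]


def matches_rule(command_line: str) -> bool:
    """Mirror of the rule's `CommandLine|contains` selection."""
    return any(needle in command_line for needle in RULE_STRINGS)


# Constructed process-creation command lines (not real telemetry).
SAMPLE_EVENTS = [
    'bash -c "echo IyEvYmluL2Jhc2gKaWQ= | base64 -d | bash"',      # "#!/bin/bash\nid"
    'sh -c "echo IyEvYmluL3NoCmxzIC1sYQ== | base64 -d | sh"',       # "#!/bin/sh\nls -la"
    "curl -s https://example.invalid/setup.sh | bash",               # no base64 at all
    "echo IyEvdXNyL2Jpbi9lbnYgcHl0aG9uMw== | base64 -d",            # "#!/usr/bin/env python3"
]


def flag_events(events):
    """Return the events the rule would alert on."""
    return [e for e in events if matches_rule(e)]
```

The last sample decodes to a `#!/usr/bin/env` shebang, which is outside the five `/bin/*` strings the rule lists; that is the kind of coverage boundary to keep in mind when tuning this rule for an environment.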
