Interactive Bash Suspicious Children
Detects suspicious interactive bash as a parent to rather uncommon child processes
Sigma rule
```yaml
title: Interactive Bash Suspicious Children
id: ea3ecad2-db86-4a89-ad0b-132a10d2db55
status: test
description: Detects suspicious interactive bash as a parent to rather uncommon child processes
references:
    - Internal Research
author: Florian Roth (Nextron Systems)
date: 2022-03-14
tags:
    - attack.execution
    - attack.defense-evasion
    - attack.t1059.004
    - attack.t1036
logsource:
    product: linux
    category: process_creation
detection:
    selection:
        ParentCommandLine: 'bash -i'
    anomaly1:
        CommandLine|contains:
            - '-c import '
            - 'base64'
            - 'pty.spawn'
    anomaly2:
        Image|endswith:
            - 'whoami'
            - 'iptables'
            - '/ncat'
            - '/nc'
            - '/netcat'
    condition: selection and 1 of anomaly*
falsepositives:
    - Legitimate software that uses these patterns
level: medium
```
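The detection block above evaluated in plain Python over a few constructed process_creation events, as an added example that is not part of the Sigma rule or project. It assumes the default Sigma string semantics (case-insensitive; a value without wildcards is an exact match, `|contains` and `|endswith` are substring and suffix tests) and the field names used by the rule.

```python
# Added example (not from the Sigma project): applies the rule's
# "selection and 1 of anomaly*" logic to Linux process_creation events.
ANOMALY1_CMDLINE_CONTAINS = ("-c import ", "base64", "pty.spawn")
ANOMALY2_IMAGE_ENDSWITH = ("whoami", "iptables", "/ncat", "/nc", "/netcat")


def matches_rule(event: dict) -> bool:
    """Return True when the event satisfies: selection and 1 of anomaly*."""
    # selection: ParentCommandLine is an exact (case-insensitive) match, so a
    # parent logged as '/bin/bash -i' would NOT satisfy it as the rule is written.
    if event.get("ParentCommandLine", "").lower() != "bash -i":
        return False
    cmd = event.get("CommandLine", "").lower()
    image = event.get("Image", "").lower()
    anomaly1 = any(s in cmd for s in ANOMALY1_CMDLINE_CONTAINS)
    anomaly2 = any(image.endswith(s) for s in ANOMALY2_IMAGE_ENDSWITH)
    return anomaly1 or anomaly2


# Constructed sample events (not real telemetry).
SAMPLE_EVENTS = [
    # interactive bash spawning a Python PTY: hits anomaly1 twice ('-c import ', 'pty.spawn')
    {"ParentCommandLine": "bash -i", "Image": "/usr/bin/python3",
     "CommandLine": 'python3 -c import pty;pty.spawn("/bin/bash")'},
    # interactive bash running whoami: hits anomaly2
    {"ParentCommandLine": "bash -i", "Image": "/usr/bin/whoami", "CommandLine": "whoami"},
    # same child, but the parent is an ordinary login shell: selection fails
    {"ParentCommandLine": "-bash", "Image": "/usr/bin/whoami", "CommandLine": "whoami"},
    # interactive bash running ls: selection holds, no anomaly
    {"ParentCommandLine": "bash -i", "Image": "/usr/bin/ls", "CommandLine": "ls -la"},
    # parent logged with a full path: exact match on 'bash -i' fails (rule blind spot)
    {"ParentCommandLine": "/bin/bash -i", "Image": "/usr/bin/nc", "CommandLine": "nc -l 4444"},
]


def matching_images(events) -> list:
    """Images of the events the rule would alert on, in input order."""
    return [e["Image"] for e in events if matches_rule(e)]


if __name__ == "__main__":
    for image in matching_images(SAMPLE_EVENTS):
        print("ALERT:", image)
```

The last sample event shows why a tuning pass would normally check how the log source renders `ParentCommandLine` before relying on the exact-match `selection`.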