Linux Shell Pipe to Shell

Detects a suspicious process command line that starts with a shell executing something whose output is finally piped into another shell.

Sigma rule

title: Linux Shell Pipe to Shell
id: 880973f3-9708-491c-a77b-2a35a1921158
status: test
description: Detects suspicious process command line that starts with a shell that executes something and finally gets piped into another shell
references:
    - Internal Research
author: Florian Roth (Nextron Systems)
date: 2022/03/14
modified: 2022/07/26
tags:
    - attack.defense_evasion
    - attack.t1140
logsource:
    product: linux
    category: process_creation
detection:
    selection:
        CommandLine|startswith:
            - 'sh -c '
            - 'bash -c '
    selection_exec:
        - CommandLine|contains:
              - '| bash '
              - '| sh '
              - '|bash '
              - '|sh '
        - CommandLine|endswith:
              - '| bash'
              - '| sh'
              - '|bash'
              - ' |sh'
    condition: all of selection*
falsepositives:
    - Legitimate software that uses these patterns
level: medium
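The following is an added example, not code from the rule or from SigmaHQ: it re-implements the rule's two selections in plain Python and runs them over constructed process_creation events, so you can see which command lines fire and which near-misses (an absolute `/bin/sh` path, a pipe into `sha256sum`, an event from another logsource category) do not. It assumes the sensor logs CommandLine as argv joined with spaces and that Sigma's string modifiers match case-insensitively.

```python
"""Evaluate the 'Linux Shell Pipe to Shell' Sigma logic over constructed
process_creation events. Added example, not code from the rule or SigmaHQ."""

# Patterns copied from the rule. Sigma's startswith/contains/endswith modifiers
# match case-insensitively, so command lines are lowercased before comparison.
SELECTION_STARTSWITH = ("sh -c ", "bash -c ")
SELECTION_EXEC_CONTAINS = ("| bash ", "| sh ", "|bash ", "|sh ")
SELECTION_EXEC_ENDSWITH = ("| bash", "| sh", "|bash", " |sh")


def matches_rule(command_line: str) -> bool:
    """True when 'selection' and 'selection_exec' both fire (condition: all of selection*)."""
    cmd = command_line.lower()
    selection = cmd.startswith(SELECTION_STARTSWITH)
    # selection_exec is a list of two maps; Sigma ORs list items together.
    selection_exec = any(p in cmd for p in SELECTION_EXEC_CONTAINS) \
        or cmd.endswith(SELECTION_EXEC_ENDSWITH)
    return selection and selection_exec


def alert_on(events: list[dict]) -> list[str]:
    """Return the CommandLine of each event in the rule's logsource that matches."""
    return [
        e["CommandLine"]
        for e in events
        if e.get("product") == "linux"
        and e.get("category") == "process_creation"
        and matches_rule(e["CommandLine"])
    ]


def _event(command_line: str, category: str = "process_creation") -> dict:
    return {"product": "linux", "category": category, "CommandLine": command_line}


# Constructed samples (not real telemetry): argv joined with spaces, as most Linux sensors log it.
SAMPLE_EVENTS = [
    _event("sh -c cat setup.sh | sh"),                        # endswith '| sh' -> alert
    _event("bash -c cat setup.sh | bash -s -- /opt"),         # contains '| bash ' -> alert
    _event("bash -c ls -la | grep conf"),                     # pipe, but not into a shell
    _event("sh -c cat a.txt | sha256sum"),                    # '| sh' only as prefix of sha256sum
    _event("/bin/sh -c cat setup.sh | sh"),                   # absolute path: startswith misses
    _event("sh -c cat setup.sh | sh", "network_connection"),  # outside the rule's logsource
]

if __name__ == "__main__":
    for line in alert_on(SAMPLE_EVENTS):
        print("ALERT:", line)
```

Note that the `/bin/sh -c ...` sample shows a coverage limit of the `startswith` selection as written: a shell invoked by absolute path does not match.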
