Attachment: Base64 encoded bash command in filename

This rule detects a fileless attack technique where a malicious payload is encoded directly into a filename. This technique is used by threats like VShell. The rule is designed to find these malicious filenames both in direct attachments and within archived files (like .zip, .rar, etc.).

Sublime rule

name: "Attachment: Base64 encoded bash command in filename"
description: "This rule detects a fileless attack technique where a malicious payload is encoded directly into a filename. This technique is used by threats like VShell. The rule is designed to find these malicious filenames both in direct attachments and within archived files (like .zip, .rar, etc.)."
authors:
  - twitter: "vector_sec"
type: rule
severity: high
source: |
  type.inbound
  and length(attachments) > 0
  and any(attachments,
          (
            .file_type in $file_extensions_common_archives
            or strings.contains(.file_name, "{")
          )
          and any(beta.expand_archives(.).files,
                  strings.contains(.file_name, "{")
                  and (
                    strings.icontains(.file_name, 'echo,')
                    or strings.icontains(.file_name, 'base64')
                    or regex.icontains(.file_name, '\bbash\b')
                    or any(beta.scan_base64(.file_name, ignore_padding=true),
                           length(.) >= 10
                    )
                  )
          )
  )
attack_types:
  - "Malware/Ransomware"
tactics_and_techniques:
  - "Encryption"
  - "Evasion"
  - "Suspicious Attachment"
detection_methods:
  - "Archive analysis"
  - "File analysis"
  - "Content analysis"
id: "819f69c8-91c2-5261-8c13-d177c46bff66"
references:
- https://www.trellix.com/blogs/research/the-silent-fileless-threat-of-vshell/
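To check how the two layers of the rule behave on concrete filenames, here is an added Python walk-through of the same logic over constructed attachment records; it is illustrative code, not part of the rule or the Sublime repository. Assumed stand-ins: ARCHIVE_TYPES for $file_extensions_common_archives, a 'files' key for beta.expand_archives(.).files, and a decode-and-printable-ASCII check in place of beta.scan_base64.

```python
import base64
import re

ARCHIVE_TYPES = {"zip", "rar", "7z", "tar", "gz"}  # constructed stand-in for $file_extensions_common_archives
BASE64_RUN = re.compile(r"[A-Za-z0-9+/]{12,}={0,2}")  # padding optional, like ignore_padding=true

def decode_base64_run(token: str):
    """Restore missing padding and decode; None unless valid, printable ASCII (loose stand-in for scan_base64)."""
    token = token.rstrip("=")
    try:
        text = base64.b64decode(token + "=" * (-len(token) % 4), validate=True).decode("ascii")
    except ValueError:  # binascii.Error and UnicodeDecodeError both derive from ValueError
        return None
    return text if text.isprintable() else None

def suspicious_filename(name: str) -> list:
    """Return the rule's indicators that fire on one filename (empty list = clean)."""
    if "{" not in name:  # brace expansion is the anchor the rule requires
        return []
    hits = []
    if "echo," in name.lower():
        hits.append("echo,")
    if "base64" in name.lower():
        hits.append("base64")
    if re.search(r"\bbash\b", name, re.IGNORECASE):
        hits.append("bash")
    for m in BASE64_RUN.finditer(name):
        decoded = decode_base64_run(m.group())
        if decoded is not None and len(decoded) >= 10:  # rule: decoded length(.) >= 10
            hits.append("base64-run:" + m.group())
            break
    return hits

def scan_attachments(attachments: list) -> dict:
    """Outer rule logic: expand only archives or brace-bearing names; 'files' stands in
    for beta.expand_archives(.).files (assumption: a non-archive expands to itself)."""
    findings = {}
    for att in attachments:
        if att["file_type"] not in ARCHIVE_TYPES and "{" not in att["file_name"]:
            continue
        for name in att.get("files") or [att["file_name"]]:
            if hits := suspicious_filename(name):
                findings[name] = hits
    return findings
# Constructed samples; the base64 run decodes to "Hello from a test".
SAMPLE_ATTACHMENTS = [
    {"file_name": "report.pdf{echo,SGVsbG8gZnJvbSBhIHRlc3Q=}", "file_type": "pdf"},
    {"file_name": "docs.zip", "file_type": "zip", "files": ["readme{base64}.txt", "notes.txt"]},
    {"file_name": "presentation{final}.pptx", "file_type": "pptx"},  # has a brace but is clean
]
```

The third sample shows why the brace alone is not enough: "presentation" is long enough to look like a base64 run, but it does not decode to printable text, so no indicator fires.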