
Sigma rule (View on GitHub)

title: Linux Base64 Encoded Pipe to Shell
id: ba592c6d-6888-43c3-b8c6-689b8fe47337
status: test
description: Detects suspicious process command line that uses base64 encoded input for execution with a shell
references:
    - https://github.com/arget13/DDexec
    - https://www.mandiant.com/resources/blog/barracuda-esg-exploited-globally
author: pH-T (Nextron Systems)
date: 2022-07-26
modified: 2023-06-16
tags:
    - attack.defense-evasion
    - attack.t1140
logsource:
    product: linux
    category: process_creation
detection:
    selection_base64:
        CommandLine|contains: 'base64 '
    selection_exec:
        - CommandLine|contains:
              - '| bash '
              - '| sh '
              - '|bash '
              - '|sh '
        - CommandLine|endswith:
              - ' |sh'
              - '| bash'
              - '| sh'
              - '|bash'
    condition: all of selection_*
falsepositives:
    - Legitimate administration activities
level: medium
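To make the detection logic concrete, the following is an added example (not part of the rule or the Sigma project) that transcribes the two selections and the `all of selection_*` condition into plain Python and runs them over constructed process_creation command lines; it assumes the Sigma default of case-insensitive string matching and uses the hypothetical field name `CommandLine` exactly as the rule does.

```python
# Sigma detection block from the rule above, transcribed into plain data
# (patterns copied verbatim, including their leading/trailing spaces).
SELECTION_BASE64_CONTAINS = ["base64 "]
SELECTION_EXEC_CONTAINS = ["| bash ", "| sh ", "|bash ", "|sh "]
SELECTION_EXEC_ENDSWITH = [" |sh", "| bash", "| sh", "|bash"]


def selection_base64(cmdline: str) -> bool:
    # Sigma string matching is case-insensitive by default, so compare lowercased.
    c = cmdline.lower()
    return any(p.lower() in c for p in SELECTION_BASE64_CONTAINS)


def selection_exec(cmdline: str) -> bool:
    # The two list items under selection_exec (contains / endswith) are OR'd,
    # as are the values listed under each modifier.
    c = cmdline.lower()
    return (any(p.lower() in c for p in SELECTION_EXEC_CONTAINS)
            or any(c.endswith(p.lower()) for p in SELECTION_EXEC_ENDSWITH))


def matches_rule(cmdline: str) -> bool:
    # condition: all of selection_*  -> both selections must hold
    return selection_base64(cmdline) and selection_exec(cmdline)


def evaluate(events: list) -> list:
    """Return the CommandLine of every process_creation event that fires the rule."""
    return [e["CommandLine"] for e in events if matches_rule(e["CommandLine"])]


# Constructed process_creation events (hypothetical, not real telemetry).
# 'aWQ=' is the base64 encoding of the harmless command 'id'.
SAMPLE_EVENTS = [
    {"CommandLine": "echo aWQ= | base64 -d | bash"},              # fires: 'base64 ' + endswith '| bash'
    {"CommandLine": "echo aWQ= | base64 -d |sh"},                 # fires: endswith ' |sh'
    {"CommandLine": "BASE64 -d /tmp/in.b64 | SH"},                # fires: matching is case-insensitive
    {"CommandLine": "base64 /etc/hostname > /tmp/hostname.b64"},  # no shell: encode-only use
    {"CommandLine": "cat /opt/app/deploy.sh | bash"},             # pipe to shell without base64
    {"CommandLine": "echo aWQ= | base64 -d"},                     # decoded but never executed
    {"CommandLine": "sh -c 'echo aWQ= | base64 -d | bash'"},      # not matched: the closing quote
                                                                  # breaks every exec pattern
]

if __name__ == "__main__":
    for line in evaluate(SAMPLE_EVENTS):
        print("ALERT:", line)
```

The last sample shows a command line the rule as written does not cover, which is the kind of case to check when tuning the `selection_exec` patterns for your own telemetry.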

References

https://github.com/arget13/DDexec
A technique to run binaries filelessly and stealthily on Linux by "overwriting" the shell's process with another. (arget13/DDexec)

https://www.mandiant.com/resources/blog/barracuda-esg-exploited-globally
SALTWATER is a module for the Barracuda SMTP daemon (bsmtpd) that has backdoor functionality. SALTWATER can upload or download arbitrary files, execute commands, and has proxy and tunneling capabil...