
Attachment: Base64 encoded bash command in filename

This rule detects a fileless attack technique where a malicious payload is encoded directly into a filename. This technique is used by threats like VShell. The rule is designed to find these malicious filenames both in direct attachments and within archived files (like .zip, .rar, etc.).

MITRE ATT&CK

defense-evasion

Detection Query

type.inbound
and length(attachments) > 0
and any(attachments,
        (
          .file_type in $file_extensions_common_archives
          or strings.contains(.file_name, "{")
        )
        and any(file.expand_archives(.).files,
                strings.contains(.file_name, "{")
                and (
                  strings.icontains(.file_name, 'echo,')
                  or strings.icontains(.file_name, 'base64')
                  or regex.icontains(.file_name, '\bbash\b')
                  or any(beta.scan_base64(.file_name, ignore_padding=true),
                         length(.) >= 10
                  )
                )
        )
)
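To make the query's filename logic concrete, the Python below is an added example (not Sublime's MQL engine and not code from the rule's author) that re-implements each branch of the inner predicate and runs it over constructed sample attachments, including an in-memory zip. It assumes simplified stand-ins for the MQL functions: `$file_extensions_common_archives` is reduced to `zip`; `beta.scan_base64` is approximated by a regex over the base64 alphabet with padding re-added and a printable-ASCII check that is this example's own heuristic; and `file.expand_archives(.).files` is assumed to yield the attachment's own name plus the names of any zip members, which is what lets the outer `strings.contains(.file_name, "{")` branch fire for a bare attachment.

```python
"""Stand-alone emulation of the rule's filename checks over constructed samples.

Added example, not Sublime's engine: the helpers approximate strings.icontains,
regex.icontains, beta.scan_base64 and file.expand_archives well enough to
exercise the detection logic offline.
"""
import base64
import io
import re
import zipfile

# Stand-in for $file_extensions_common_archives; only zip is expanded here.
ARCHIVE_EXTENSIONS = {"zip"}
# Candidate base64 runs: alphabet characters only, so padding is ignored.
BASE64_RUN = re.compile(r"[A-Za-z0-9+/]{4,}")


def scan_base64(text: str, min_len: int = 10) -> list[str]:
    """Approximation of beta.scan_base64(..., ignore_padding=true).

    Returns the decoded text of every run of at least min_len base64 characters
    that decodes (padding re-added) to printable ASCII. The printable check is
    this example's own heuristic to drop ordinary words that happen to decode.
    """
    hits = []
    for match in BASE64_RUN.finditer(text):
        run = match.group(0)
        if len(run) < min_len:
            continue
        padded = run + "=" * (-len(run) % 4)
        try:
            decoded = base64.b64decode(padded, validate=True)
        except ValueError:  # binascii.Error is a ValueError subclass
            continue
        if decoded and all(32 <= b < 127 or b in b"\t\n" for b in decoded):
            hits.append(decoded.decode("ascii"))
    return hits


def filename_is_suspicious(name: str) -> bool:
    """Inner predicate of the rule: a brace plus a shell or base64 indicator."""
    if "{" not in name:                                   # strings.contains(.file_name, "{")
        return False
    lower = name.lower()
    return (
        "echo," in lower                                  # strings.icontains(.file_name, 'echo,')
        or "base64" in lower                              # strings.icontains(.file_name, 'base64')
        or re.search(r"\bbash\b", name, re.IGNORECASE) is not None  # regex.icontains('\bbash\b')
        or any(len(s) >= 10 for s in scan_base64(name))  # any(beta.scan_base64(...), length(.) >= 10)
    )


def _extension(file_name: str) -> str:
    return file_name.rsplit(".", 1)[-1].lower() if "." in file_name else ""


def expand_archive(file_name: str, content: bytes) -> list[str]:
    """Approximation of file.expand_archives(.).files as a list of names.

    Assumption of this example: the attachment's own name is always included,
    and a zip attachment additionally contributes the names of its members.
    """
    names = [file_name]
    if _extension(file_name) in ARCHIVE_EXTENSIONS:
        try:
            with zipfile.ZipFile(io.BytesIO(content)) as zf:
                names.extend(zf.namelist())
        except zipfile.BadZipFile:
            pass  # unreadable archive: only the outer name is checked
    return names


def rule_matches(attachments: list[tuple[str, bytes]]) -> bool:
    """Evaluate the rule's attachment clause over (file_name, content) pairs."""
    if not attachments:                                   # length(attachments) > 0
        return False
    for file_name, content in attachments:
        # Outer filter: archive by extension, or a brace in the attachment name.
        if not (_extension(file_name) in ARCHIVE_EXTENSIONS or "{" in file_name):
            continue
        if any(filename_is_suspicious(n) for n in expand_archive(file_name, content)):
            return True
    return False


def build_zip(members: dict[str, bytes]) -> bytes:
    """Build an in-memory zip from {member_name: data} for the constructed samples."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, data in members.items():
            zf.writestr(name, data)
    return buf.getvalue()


# Constructed samples. The encoded "command" is a harmless echo whose length
# (21 bytes) gives 28 base64 characters with no padding.
ENCODED = base64.b64encode(b"echo detection-sample").decode("ascii")
SHELL_STYLE_NAME = "{echo," + ENCODED + "}|{base64,-d}|bash"
BARE_B64_NAME = "{" + ENCODED + "}"

SAMPLES = {
    "direct_shell_style": [(SHELL_STYLE_NAME, b"")],
    "direct_bare_base64": [(BARE_B64_NAME, b"")],
    "benign_braces": [("Q4 {draft} report.docx", b"x")],
    "benign_archive": [("invoice.zip", build_zip({"invoice.pdf": b"%PDF-1.4"}))],
    "archive_with_encoded_member": [("bundle.zip", build_zip({SHELL_STYLE_NAME: b""}))],
    "no_attachments": [],
}


def evaluate_samples() -> dict[str, bool]:
    """Run the emulated rule over every constructed sample."""
    return {label: rule_matches(atts) for label, atts in SAMPLES.items()}


if __name__ == "__main__":
    for label, hit in evaluate_samples().items():
        print(f"{label:30s} {'MATCH' if hit else 'clean'}")
```

The `benign_braces` sample shows why the rule requires an indicator beyond the brace: ordinary filenames use braces too, and a handful of short alphabetic words never reach the ten-character base64 threshold. The `direct_bare_base64` sample shows the branch that carries the rule when the attacker drops the literal `echo`, `base64` and `bash` tokens, which is why the length-gated base64 scan matters more than the string matches.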

Author

vector_sec

Data Sources

Email Messages
Email Headers
Email Attachments

Platforms

email

Raw Content
name: "Attachment: Base64 encoded bash command in filename"
description: "This rule detects a fileless attack technique where a malicious payload is encoded directly into a filename. This technique is used by threats like VShell. The rule is designed to find these malicious filenames both in direct attachments and within archived files (like .zip, .rar, etc.)."
authors:
  - twitter: "vector_sec"
type: rule
severity: high
source: |
  type.inbound
  and length(attachments) > 0
  and any(attachments,
          (
            .file_type in $file_extensions_common_archives
            or strings.contains(.file_name, "{")
          )
          and any(file.expand_archives(.).files,
                  strings.contains(.file_name, "{")
                  and (
                    strings.icontains(.file_name, 'echo,')
                    or strings.icontains(.file_name, 'base64')
                    or regex.icontains(.file_name, '\bbash\b')
                    or any(beta.scan_base64(.file_name, ignore_padding=true),
                           length(.) >= 10
                    )
                  )
          )
  )
attack_types:
  - "Malware/Ransomware"
tactics_and_techniques:
  - "Encryption"
  - "Evasion"
detection_methods:
  - "Archive analysis"
  - "File analysis"
  - "Content analysis"
id: "819f69c8-91c2-5261-8c13-d177c46bff66"
references:
  - https://www.trellix.com/blogs/research/the-silent-fileless-threat-of-vshell/