← Back to Explore
sigmahighHunting
JexBoss Command Sequence
Detects suspicious command sequence that JexBoss
Detection Query
keywords:
"|all":
- bash -c /bin/bash
- "&/dev/tcp/"
condition: keywords
Author
Florian Roth (Nextron Systems)
Created
2017-08-24
Data Sources
linux
Platforms
linux
Tags
attack.executionattack.t1059.004
Raw Content
title: JexBoss Command Sequence
id: 8ec2c8b4-557a-4121-b87c-5dfb3a602fae
status: test
description: Detects suspicious command sequence that JexBoss
references:
- https://www.us-cert.gov/ncas/analysis-reports/AR18-312A
author: Florian Roth (Nextron Systems)
date: 2017-08-24
modified: 2025-11-22
tags:
- attack.execution
- attack.t1059.004
logsource:
product: linux
detection:
keywords:
'|all':
- 'bash -c /bin/bash'
- '&/dev/tcp/'
condition: keywords
falsepositives:
- Unknown
level: high