sigma · medium · Hunting
Interactive Bash Suspicious Children
Detects suspicious interactive bash as a parent to rather uncommon child processes
Detection Query
selection:
    ParentCommandLine: bash -i
anomaly1:
    CommandLine|contains:
        - "-c import "
        - base64
        - pty.spawn
anomaly2:
    Image|endswith:
        - whoami
        - iptables
        - /ncat
        - /nc
        - /netcat
condition: selection and 1 of anomaly*
Author
Florian Roth (Nextron Systems)
Created
2022-03-14
Data Sources
linux: Process Creation Events
Platforms
linux
References
- Internal Research
Tags
- attack.execution
- attack.defense-evasion
- attack.t1059.004
- attack.t1036
Raw Content
title: Interactive Bash Suspicious Children
id: ea3ecad2-db86-4a89-ad0b-132a10d2db55
status: test
description: Detects suspicious interactive bash as a parent to rather uncommon child processes
references:
    - Internal Research
author: Florian Roth (Nextron Systems)
date: 2022-03-14
tags:
    - attack.execution
    - attack.defense-evasion
    - attack.t1059.004
    - attack.t1036
logsource:
    product: linux
    category: process_creation
detection:
    selection:
        ParentCommandLine: 'bash -i'
    anomaly1:
        CommandLine|contains:
            - '-c import '
            - 'base64'
            - 'pty.spawn'
    anomaly2:
        Image|endswith:
            - 'whoami'
            - 'iptables'
            - '/ncat'
            - '/nc'
            - '/netcat'
    condition: selection and 1 of anomaly*
falsepositives:
    - Legitimate software that uses these patterns
level: medium
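The rule's detection logic replayed over constructed process-creation events, as an added example that is not code from the rule, from Sigma, or from the author; the event records are constructed samples, not real telemetry. It applies Sigma's defaults as assumed here: string comparisons are case-insensitive, and the unmodified `ParentCommandLine` value is an exact match of the whole field, which is why a parent logged as `/bin/bash -i` does not fire.

```python
"""Evaluate the 'Interactive Bash Suspicious Children' Sigma logic over sample events."""

# Detection fields transcribed from the rule above.
SELECTION_PARENT_CMDLINE = "bash -i"  # plain value: exact match of the whole field
ANOMALY1_CMDLINE_CONTAINS = ("-c import ", "base64", "pty.spawn")
ANOMALY2_IMAGE_ENDSWITH = ("whoami", "iptables", "/ncat", "/nc", "/netcat")


def _norm(value):
    # Sigma string matching is case-insensitive by default, so compare lowercased.
    return (value or "").lower()


def matches(event):
    """Return True when the event satisfies 'selection and 1 of anomaly*'."""
    if _norm(event.get("ParentCommandLine")) != SELECTION_PARENT_CMDLINE:
        return False  # selection failed; the anomalies are never consulted
    cmdline = _norm(event.get("CommandLine"))
    anomaly1 = any(s in cmdline for s in ANOMALY1_CMDLINE_CONTAINS)
    image = _norm(event.get("Image"))
    anomaly2 = any(image.endswith(s) for s in ANOMALY2_IMAGE_ENDSWITH)
    return anomaly1 or anomaly2


# Constructed sample process-creation events (not real telemetry).
SAMPLE_EVENTS = [
    {"id": 1, "ParentCommandLine": "bash -i", "Image": "/usr/bin/whoami", "CommandLine": "whoami"},
    {"id": 2, "ParentCommandLine": "bash -i", "Image": "/usr/bin/python3",
     "CommandLine": "python3 -c import pty; pty.spawn('/bin/bash')"},
    # Non-interactive parent: selection fails even though the child is on the list.
    {"id": 3, "ParentCommandLine": "bash", "Image": "/usr/bin/whoami", "CommandLine": "whoami"},
    # Interactive parent but an ordinary child: no anomaly matches.
    {"id": 4, "ParentCommandLine": "bash -i", "Image": "/bin/ls", "CommandLine": "ls -la"},
    # Exact-match caveat: a full path in ParentCommandLine does not equal 'bash -i'.
    {"id": 5, "ParentCommandLine": "/bin/bash -i", "Image": "/usr/bin/nc",
     "CommandLine": "nc -z localhost 22"},
]


def alert_ids(events=SAMPLE_EVENTS):
    """Ids of the events that would raise this rule."""
    return [e["id"] for e in events if matches(e)]


if __name__ == "__main__":
    for e in SAMPLE_EVENTS:
        print(e["id"], "ALERT" if matches(e) else "ok", e["CommandLine"])
```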