← Back to Explore
sigmamediumHunting
Linux Base64 Encoded Shebang In CLI
Detects the presence of a base64 version of the shebang in the commandline, which could indicate a malicious payload about to be decoded
Detection Query
selection:
CommandLine|contains:
- IyEvYmluL2Jhc2
- IyEvYmluL2Rhc2
- IyEvYmluL3pza
- IyEvYmluL2Zpc2
- IyEvYmluL3No
condition: selection
Author
Nasreddine Bencherchali (Nextron Systems)
Created
2022-09-15
Data Sources
linuxProcess Creation Events
Platforms
linux
References
Tags
attack.defense-evasionattack.t1140
Raw Content
title: Linux Base64 Encoded Shebang In CLI
id: fe2f9663-41cb-47e2-b954-8a228f3b9dff
status: test
description: Detects the presence of a base64 version of the shebang in the commandline, which could indicate a malicious payload about to be decoded
references:
- https://www.trendmicro.com/pl_pl/research/20/i/the-evolution-of-malicious-shell-scripts.html
- https://github.com/carlospolop/PEASS-ng/tree/master/linPEAS
author: Nasreddine Bencherchali (Nextron Systems)
date: 2022-09-15
tags:
- attack.defense-evasion
- attack.t1140
logsource:
product: linux
category: process_creation
detection:
selection:
CommandLine|contains:
- "IyEvYmluL2Jhc2" # Note: #!/bin/bash"
- "IyEvYmluL2Rhc2" # Note: #!/bin/dash"
- "IyEvYmluL3pza" # Note: #!/bin/zsh"
- "IyEvYmluL2Zpc2" # Note: #!/bin/fish
- "IyEvYmluL3No" # Note: # !/bin/sh"
condition: selection
falsepositives:
- Legitimate administration activities
level: medium