rules/linux/lnx_shell_susp_commands.yml

title: Suspicious Activity in Shell Commands
id: 2aa1440c-9ae9-4d92-84a7-a9e5f5e31695
description: Detects suspicious shell commands used in various exploit codes (see references)
references:
    - http://www.threatgeek.com/2017/03/widespread-exploitation-attempts-using-cve-2017-5638.html
    - https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/multi/http/struts_code_exec_exception_delegator.rb#L121
    - http://pastebin.com/FtygZ1cg
    - https://artkond.com/2017/03/23/pivoting-guide/
author: Florian Roth
date: 2017/08/21
modified: 2019/02/05
logsource:
    product: linux
detection:
    keywords:
        # Generic suspicious commands
        - 'wget * - http* | perl'
        - 'wget * - http* | sh'
        - 'wget * - http* | bash'
        - 'python -m SimpleHTTPServer'
        - '-m http.server'  # Python 3
        - 'import pty; pty.spawn*'
        - 'socat exec:*'
        - 'socat -O /tmp/*'
        - 'socat tcp-connect*'
        - '*echo binary >>*'
        # Malware 
        - '*wget *; chmod +x*'
        - '*wget *; chmod 777 *'
        - '*cd /tmp || cd /var/run || cd /mnt*'
        # Apache Struts in-the-wild exploit codes  
        - '*stop;service iptables stop;*'
        - '*stop;SuSEfirewall2 stop;*'
        - 'chmod 777 2020*'
        - '*>>/etc/rc.local'
        # Metasploit framework exploit codes
        - '*base64 -d /tmp/*'
        - '* | base64 -d *'
        - '*/chmod u+s *'
        - '*chmod +s /tmp/*'
        - '*chmod u+s /tmp/*'
        - '* /tmp/haxhax*'
        - '* /tmp/ns_sploit*'
        - 'nc -l -p *'
        - 'cp /bin/ksh *'
        - 'cp /bin/sh *'
        - '* /tmp/*.b64 *'
        - '*/tmp/ysocereal.jar*'
        - '*/tmp/x *'
        - '*; chmod +x /tmp/*'
        - '*;chmod +x /tmp/*'
    condition: keywords
falsepositives:
    - Unknown
level: high
Rule: Suspicious activity in shell commands 2017-03-14 14:54:08 +01:00			`title: Suspicious Activity in Shell Commands`
Added UUIDs to rules 2019-11-12 23:12:27 +01:00			`id: 2aa1440c-9ae9-4d92-84a7-a9e5f5e31695`
Rule: Suspicious activity in shell commands 2017-03-14 14:54:08 +01:00			`description: Detects suspicious shell commands used in various exploit codes (see references)`
Change All "str" references to be "list"to mach schema update 2018-01-28 02:24:16 +03:00			`references:`
Rule: Suspicious activity in shell commands 2017-03-14 14:54:08 +01:00			`- http://www.threatgeek.com/2017/03/widespread-exploitation-attempts-using-cve-2017-5638.html`
			`- https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/multi/http/struts_code_exec_exception_delegator.rb#L121`
Changes to Linux suspicious activity rule 2017-03-27 10:29:51 +02:00			`- http://pastebin.com/FtygZ1cg`
Improved linux suspicious activity rule 2017-03-27 15:21:39 +02:00			`- https://artkond.com/2017/03/23/pivoting-guide/`
Rules: Linux commands and log entries of interest 2017-03-25 19:59:45 +01:00			`author: Florian Roth`
Rule: extended suspicious command lines 2019-02-05 15:58:15 +01:00			`date: 2017/08/21`
			`modified: 2019/02/05`
Rule: Suspicious activity in shell commands 2017-03-14 14:54:08 +01:00			`logsource:`
			`product: linux`
			`detection:`
			`keywords:`
Improved Linux Shell Activity Rule 2017-03-15 09:07:59 +01:00			`# Generic suspicious commands`
Rule: Suspicious activity in shell commands 2017-03-14 14:54:08 +01:00			`- 'wget * - http* \| perl'`
			`- 'wget * - http* \| sh'`
			`- 'wget * - http* \| bash'`
Rule: Linux shell more suspicious keywords 2017-03-21 10:23:12 +01:00			`- 'python -m SimpleHTTPServer'`
Rule: extended suspicious command lines 2019-02-05 15:58:15 +01:00			`- '-m http.server' # Python 3`
			`- 'import pty; pty.spawn*'`
			`- 'socat exec:*'`
			`- 'socat -O /tmp/*'`
			`- 'socat tcp-connect*'`
			`- 'echo binary >>'`
Changes to Linux suspicious activity rule 2017-03-27 10:29:51 +02:00			`# Malware`
			`- 'wget ; chmod +x*'`
			`- 'wget ; chmod 777 *'`
			`- 'cd /tmp \|\| cd /var/run \|\| cd /mnt'`
Improved Linux Shell Activity Rule 2017-03-15 09:07:59 +01:00			`# Apache Struts in-the-wild exploit codes`
Rule: extended suspicious command lines 2019-02-05 15:58:15 +01:00			`- 'stop;service iptables stop;'`
			`- 'stop;SuSEfirewall2 stop;'`
			`- 'chmod 777 2020*'`
			`- '*>>/etc/rc.local'`
Rule: Suspicious activity in shell commands 2017-03-14 14:54:08 +01:00			`# Metasploit framework exploit codes`
Rule: extended suspicious command lines 2019-02-05 15:58:15 +01:00			`- 'base64 -d /tmp/'`
			`- '* \| base64 -d *'`
			`- '/chmod u+s '`
			`- 'chmod +s /tmp/'`
			`- 'chmod u+s /tmp/'`
			`- '* /tmp/haxhax*'`
			`- '* /tmp/ns_sploit*'`
			`- 'nc -l -p *'`
			`- 'cp /bin/ksh *'`
			`- 'cp /bin/sh *'`
			`- '* /tmp/.b64 '`
			`- '/tmp/ysocereal.jar'`
			`- '/tmp/x '`
			`- '; chmod +x /tmp/'`
			`- ';chmod +x /tmp/'`
Rule: Suspicious activity in shell commands 2017-03-14 14:54:08 +01:00			`condition: keywords`
			`falsepositives:`
			`- Unknown`
			`level: high`