rules/linux/process_creation/proc_creation_lnx_base64_execution.yml

title: Linux Base64 Encoded Pipe to Shell
id: ba592c6d-6888-43c3-b8c6-689b8fe47337
status: test
description: Detects suspicious process command line that uses base64 encoded input for execution with a shell
references:
    - https://github.com/arget13/DDexec
    - https://www.mandiant.com/resources/blog/barracuda-esg-exploited-globally
author: pH-T (Nextron Systems)
date: 2022-07-26
modified: 2023-06-16
tags:
    - attack.defense-evasion
    - attack.t1140
logsource:
    product: linux
    category: process_creation
detection:
    selection_base64:
        CommandLine|contains: 'base64 '
    selection_exec:
        - CommandLine|contains:
              - '| bash '
              - '| sh '
              - '|bash '
              - '|sh '
        - CommandLine|endswith:
              - ' |sh'
              - '| bash'
              - '| sh'
              - '|bash'
    condition: all of selection_*
falsepositives:
    - Legitimate administration activities
level: medium
new rules: lnx susp shell exec 2022-07-26 16:40:12 +02:00			`title: Linux Base64 Encoded Pipe to Shell`
			`id: ba592c6d-6888-43c3-b8c6-689b8fe47337`
Merge PR #4841 from @nasbench - Promote older rules status from `experimental` to `test` 2024-05-02 10:34:25 +02:00			`status: test`
new rules: lnx susp shell exec 2022-07-26 16:40:12 +02:00			`description: Detects suspicious process command line that uses base64 encoded input for execution with a shell`
			`references:`
			`- https://github.com/arget13/DDexec`
feat: add rules related to Barracuda ESG exploitation 2023-06-18 22:14:57 +02:00			`- https://www.mandiant.com/resources/blog/barracuda-esg-exploited-globally`
chore: add nextron authors tag 2023-02-01 11:14:59 +01:00			`author: pH-T (Nextron Systems)`
Merge PR #4950 from @nasbench - Comply With v2 Spec Changes 2024-08-12 12:02:50 +02:00			`date: 2022-07-26`
			`modified: 2023-06-16`
$frack113$ Order yaml field 2022-10-25 08:53:44 +02:00			`tags:`
Merge PR #4950 from @nasbench - Comply With v2 Spec Changes 2024-08-12 12:02:50 +02:00			`- attack.defense-evasion`
$frack113$ Order yaml field 2022-10-25 08:53:44 +02:00			`- attack.t1140`
new rules: lnx susp shell exec 2022-07-26 16:40:12 +02:00			`logsource:`
			`product: linux`
			`category: process_creation`
			`detection:`
			`selection_base64:`
feat: add rules related to Barracuda ESG exploitation 2023-06-18 22:14:57 +02:00			`CommandLine\|contains: 'base64 '`
new rules: lnx susp shell exec 2022-07-26 16:40:12 +02:00			`selection_exec:`
			`- CommandLine\|contains:`
Merge PR #4482 From @nasbench - Add New Automation Workflows 2023-10-18 11:53:44 +02:00			`- '\| bash '`
			`- '\| sh '`
			`- '\|bash '`
			`- '\|sh '`
new rules: lnx susp shell exec 2022-07-26 16:40:12 +02:00			`- CommandLine\|endswith:`
Merge PR #4482 From @nasbench - Add New Automation Workflows 2023-10-18 11:53:44 +02:00			`- ' \|sh'`
			`- '\| bash'`
			`- '\| sh'`
			`- '\|bash'`
feat: add rules related to Barracuda ESG exploitation 2023-06-18 22:14:57 +02:00			`condition: all of selection_*`
new rules: lnx susp shell exec 2022-07-26 16:40:12 +02:00			`falsepositives:`
			`- Legitimate administration activities`
			`level: medium`