Merge PR #5627 from @tsale - Filename with Embedded Base64 Commands

new: Suspicious Filename with Embedded Base64 Commands new: Potentially Suspicious Long Filename Pattern - Linux --------- Co-authored-by: phantinuss <79651203+phantinuss@users.noreply.github.com> Co-authored-by: swachchhanda000 <87493836+swachchhanda000@users.noreply.github.com> Co-authored-by: nasbench <8741929+nasbench@users.noreply.github.com>
2025-11-24 06:33:42 -08:00
parent 9d58e38bbc
commit 5a2885c310
2 changed files with 59 additions and 0 deletions
@@ -0,0 +1,32 @@
+title: Potentially Suspicious Long Filename Pattern - Linux
+id: 11629c4d-0fe6-465b-be62-b39a1c442aad
+status: experimental
+description: |
+    Detects the creation of files with unusually long filenames (100 or more characters), which may indicate obfuscation techniques used by malware such as VShell.
+    This is a hunting rule to identify potential threats that use long filenames to evade detection. Keep in mind that on a legitimate system, such long filenames can and are common. Run this detection in the context of threat hunting rather than alerting.
+    Adjust the threshold of filename length as needed based on your environment.
+references:
+    - https://www.trellix.com/blogs/research/the-silent-fileless-threat-of-vshell/
+author: '@kostastsale'
+date: 2025-11-22
+tags:
+    - attack.execution
+    - attack.t1059.004
+    - attack.defense-evasion
+    - attack.t1027
+    - detection.threat-hunting
+logsource:
+    product: linux
+    category: file_event
+detection:
+    selection:
+        TargetFilename|re: '[^/]{100,}$'
+    filter_optional_known_good:
+        TargetFilename|startswith:
+            - '/run/systemd/units/invocation:systemd-fsck@'
+            - '/sys/firmware/'
+            - '/var/log/journal/'
+    condition: selection and not 1 of filter_optional_*
+falsepositives:
+    - Legitimate files with long filenames.
+level: low
@@ -0,0 +1,27 @@
+title: Suspicious Filename with Embedded Base64 Commands
+id: 179b3686-6271-4d87-807d-17d843a8af73
+status: experimental
+description: |
+    Detects files with specially crafted filenames that embed Base64-encoded bash payloads designed to execute when processed by shell scripts.
+    These filenames exploit shell interpretation quirks to trigger hidden commands, a technique observed in VShell malware campaigns.
+references:
+    - https://www.trellix.com/blogs/research/the-silent-fileless-threat-of-vshell/
+author: '@kostastsale'
+date: 2025-11-22
+tags:
+    - attack.execution
+    - attack.t1059.004
+    - attack.defense-evasion
+    - attack.t1027
+logsource:
+    product: linux
+    category: file_event
+detection:
+    selection:
+        TargetFilename|contains:
+            - '{echo'
+            - '{base64,-d}'
+    condition: selection
+falsepositives:
+    - Legitimate files with similar naming patterns (very unlikely).
+level: high