From 5a2885c310724c05a93cde93866bfba69472a6bc Mon Sep 17 00:00:00 2001
From: Kostas
Date: Mon, 24 Nov 2025 06:33:42 -0800
Subject: [PATCH] Merge PR #5627 from @tsale - Filename with Embedded Base64 Commands

new: Suspicious Filename with Embedded Base64 Commands
new: Potentially Suspicious Long Filename Pattern - Linux

---------

Co-authored-by: phantinuss <79651203+phantinuss@users.noreply.github.com>
Co-authored-by: swachchhanda000 <87493836+swachchhanda000@users.noreply.github.com>
Co-authored-by: nasbench <8741929+nasbench@users.noreply.github.com>
---
 ...e_event_lnx_susp_long_filename_pattern.yml | 32 +++++++++++++++++++
 ..._filename_with_embedded_base64_command.yml | 27 ++++++++++++++++
 2 files changed, 59 insertions(+)
 create mode 100644 rules-threat-hunting/linux/file/file_event/file_event_lnx_susp_long_filename_pattern.yml
 create mode 100644 rules/linux/file_event/file_event_lnx_susp_filename_with_embedded_base64_command.yml

diff --git a/rules-threat-hunting/linux/file/file_event/file_event_lnx_susp_long_filename_pattern.yml b/rules-threat-hunting/linux/file/file_event/file_event_lnx_susp_long_filename_pattern.yml
new file mode 100644
index 000000000..a587c2e4a
--- /dev/null
+++ b/rules-threat-hunting/linux/file/file_event/file_event_lnx_susp_long_filename_pattern.yml
@@ -0,0 +1,32 @@
+title: Potentially Suspicious Long Filename Pattern - Linux
+id: 11629c4d-0fe6-465b-be62-b39a1c442aad
+status: experimental
+description: |
+ Detects the creation of files with unusually long filenames (100 or more characters), which may indicate obfuscation techniques used by malware such as VShell.
+ This is a hunting rule to identify potential threats that use long filenames to evade detection. Keep in mind that on a legitimate system, such long filenames can and are common. Run this detection in the context of threat hunting rather than alerting.
+ Adjust the threshold of filename length as needed based on your environment.
+references:
+ - https://www.trellix.com/blogs/research/the-silent-fileless-threat-of-vshell/
+author: '@kostastsale'
+date: 2025-11-22
+tags:
+ - attack.execution
+ - attack.t1059.004
+ - attack.defense-evasion
+ - attack.t1027
+ - detection.threat-hunting
+logsource:
+ product: linux
+ category: file_event
+detection:
+ selection:
+ TargetFilename|re: '[^/]{100,}$'
+ filter_optional_known_good:
+ TargetFilename|startswith:
+ - '/run/systemd/units/invocation:systemd-fsck@'
+ - '/sys/firmware/'
+ - '/var/log/journal/'
+ condition: selection and not 1 of filter_optional_*
+falsepositives:
+ - Legitimate files with long filenames.
+level: low
diff --git a/rules/linux/file_event/file_event_lnx_susp_filename_with_embedded_base64_command.yml b/rules/linux/file_event/file_event_lnx_susp_filename_with_embedded_base64_command.yml
new file mode 100644
index 000000000..679b14980
--- /dev/null
+++ b/rules/linux/file_event/file_event_lnx_susp_filename_with_embedded_base64_command.yml
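Review bot: The 100-character threshold exists only inside the regex quantifier `{100,}` on the `TargetFilename|re` line, while the description tells hunters to adjust it, so a comment next to that line would save them re-deriving what the pattern measures: `# Threshold: final path component (after the last '/') of 100+ characters; raise it for environments with long generated names`. The `filter_optional_known_good` prefixes cover systemd, sysfs and journald only; hosts running container runtimes or package caches will produce other hash-named paths that match, which is consistent with the hunting-only intent but worth naming in `falsepositives` so the list is not read as exhaustive. A wording nit in the description block: `such long filenames can and are common` reads better as `such long filenames can be, and often are, legitimate`.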
@@ -0,0 +1,27 @@
+title: Suspicious Filename with Embedded Base64 Commands
+id: 179b3686-6271-4d87-807d-17d843a8af73
+status: experimental
+description: |
+ Detects files with specially crafted filenames that embed Base64-encoded bash payloads designed to execute when processed by shell scripts.
+ These filenames exploit shell interpretation quirks to trigger hidden commands, a technique observed in VShell malware campaigns.
+references:
+ - https://www.trellix.com/blogs/research/the-silent-fileless-threat-of-vshell/
+author: '@kostastsale'
+date: 2025-11-22
+tags:
+ - attack.execution
+ - attack.t1059.004
+ - attack.defense-evasion
+ - attack.t1027
+logsource:
+ product: linux
+ category: file_event
+detection:
+ selection:
+ TargetFilename|contains:
+ - '{echo'
+ - '{base64,-d}'
+ condition: selection
+falsepositives:
+ - Legitimate files with similar naming patterns (very unlikely).
+level: high
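Review bot: The two `TargetFilename|contains` values are OR-ed by `condition: selection`, so the five-character substring `{echo` on its own raises a `level: high` alert, which is a thin basis for the `(very unlikely)` false-positive claim given that brace-expansion fragments do turn up in shell-script fixtures and test corpora checked out onto developer hosts. If the filenames described in the reference consistently use the comma form of brace expansion, as the second value `{base64,-d}` does, then `- '{echo,'` would narrow the first value without losing coverage; if they do not, lowering the level or adding a filter for source-tree paths would better match the evidence. A short comment above the list would also help maintainers who have not read the reference: `# Brace-expansion fragments seen in filenames crafted to trigger a hidden command when a script processes them, per the Trellix VShell write-up`.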