diff --git a/rules/linux/lnx_susp_jexboss.yml b/rules/linux/lnx_susp_jexboss.yml
new file mode 100644
index 000000000..9b7a91e7a
--- /dev/null
+++ b/rules/linux/lnx_susp_jexboss.yml
@@ -0,0 +1,17 @@
+title: JexBoss Command Sequence
+description: Detects suspicious command sequence that JexBoss
+references:
+ - https://www.us-cert.gov/ncas/analysis-reports/AR18-312A
+author: Florian Roth
+date: 2017/08/24
+logsource:
+ product: linux
+detection:
+ selection1:
+ - 'bash -c /bin/bash'
+ selection2:
+ - '&/dev/tcp/'
+ condition: selection1 and selection2
+falsepositives:
+ - Unknown
+level: high
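Review bot: The `description` value is a truncated sentence ("Detects suspicious command sequence that JexBoss") and should say what the rule actually detects, e.g. `description: Detects a suspicious command sequence used by JexBoss to spawn a shell and open a /dev/tcp connection`. Because `selection1` and `selection2` are bare keyword lists with no field binding and `logsource` names only `product: linux`, the rule is a substring search over whole events, so the note should also state which log (e.g. command-line/auditd style records) is expected to carry both strings in one event, since the `and` condition only fires when they appear together. The `falsepositives` entry `Unknown` could be made more useful by naming the obvious benign case, a legitimate script or admin session that invokes `bash -c /bin/bash` and uses `/dev/tcp` redirection. A `tags` list such as `- attack.execution` would also help consumers map the rule, if the project's rule format expects one.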