title: Suspicious Activity in Shell Commands
description: Detects suspicious shell commands used in various exploit codes (see references)
reference: 
    - http://www.threatgeek.com/2017/03/widespread-exploitation-attempts-using-cve-2017-5638.html
    - https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/multi/http/struts_code_exec_exception_delegator.rb#L121
    - http://pastebin.com/FtygZ1cg
    - https://artkond.com/2017/03/23/pivoting-guide/
author: Florian Roth
logsource:
    product: linux
detection:
    keywords:
        # Generic suspicious commands
        - 'wget * - http* | perl'
        - 'wget * - http* | sh'
        - 'wget * - http* | bash'
        - 'python -m SimpleHTTPServer'
        - 'import pty; pty.spawn'
        # Malware 
        - '*wget *; chmod +x*'
        - '*wget *; chmod 777 *'
        - '*cd /tmp || cd /var/run || cd /mnt*'
        # Apache Struts in-the-wild exploit codes  
        - 'stop;service iptables stop;'
        - 'stop;SuSEfirewall2 stop;'
        - 'chmod 777 2020'
        - '">>/etc/rc.local;'
        - 'wget -c *;chmod 777'
        # Metasploit framework exploit codes
        - 'base64 -d /tmp/'
        - ' | base64 -d'
        - '/bin/chmod u+s'
        - 'chmod +s /tmp/'
        - 'chmod u+s /tmp/'
        - '/tmp/haxhax'
        - '/tmp/ns_sploit'
        - 'nc -l -p '
        - 'cp /bin/ksh '
        - 'cp /bin/sh '
        - ' /tmp/*.b64 '
        - '/tmp/ysocereal.jar'
    condition: keywords
falsepositives:
    - Unknown
level: high