Suspicious Filename with Embedded Base64 Commands
- source: sigma
- techniques:
  - t1027
  - t1059
  - t1059.004
Description
Detects files with specially crafted filenames that embed Base64-encoded bash payloads designed to execute when processed by shell scripts. These filenames exploit shell interpretation quirks to trigger hidden commands, a technique observed in VShell malware campaigns.
Detection logic
selection:
  TargetFilename|contains:
    - '{echo'
    - '{base64,-d}'
condition: selection
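To show how the selection above behaves on real telemetry, here is an added example (not part of the original rule page or the Sigma project) that evaluates the rule over constructed file-creation events; it assumes Sigma's default case-insensitive matching for the `contains` modifier and supports only this rule's `condition: selection` form.

```python
# Added example (not the original rule page's code): a minimal evaluator for the
# rule above, applied to constructed file-creation events. Assumes Sigma's default
# case-insensitive string matching for the `contains` modifier.
from typing import Iterable

# The rule as the page states it: the selection is an OR over the two substrings.
RULE = {
    "title": "Suspicious Filename with Embedded Base64 Commands",
    "selection": {"TargetFilename|contains": ["{echo", "{base64,-d}"]},
    "condition": "selection",
}

def field_contains(value: str, needles: Iterable[str]) -> bool:
    """Sigma `contains` with a list value: any needle matches, case-insensitive."""
    v = value.lower()
    return any(n.lower() in v for n in needles)

def matches_selection(event: dict, selection: dict) -> bool:
    """Every field/modifier entry in a selection must match (AND)."""
    for key, needles in selection.items():
        field, _, modifier = key.partition("|")
        value = event.get(field)
        if value is None:
            return False
        if modifier == "contains":
            if not field_contains(str(value), needles):
                return False
        else:
            raise ValueError(f"unsupported modifier: {modifier!r}")
    return True

def evaluate(rule: dict, events: list) -> list:
    """Return the events the rule fires on (only `condition: selection` is supported)."""
    assert rule["condition"] == "selection"
    return [e for e in events if matches_selection(e, rule["selection"])]

# Constructed sample file-create events (hypothetical paths). The suspicious names
# carry only the brace-expansion fragments the rule looks for, not a payload.
SAMPLE_EVENTS = [
    {"EventID": 11, "TargetFilename": "/home/user/Documents/quarterly_report.pdf"},
    {"EventID": 11, "TargetFilename": "/tmp/upload_{echo,test}.dat"},
    {"EventID": 11, "TargetFilename": "/tmp/x_{BASE64,-D}_y.bin"},
    {"EventID": 11, "TargetFilename": "/var/log/base64_decoder.log"},
]

if __name__ == "__main__":
    for hit in evaluate(RULE, SAMPLE_EVENTS):
        print("ALERT:", RULE["title"], "->", hit["TargetFilename"])
```

The fourth event shows that a filename merely containing the word "base64" does not fire; the rule keys on the brace construct itself, which keeps it quiet on ordinary tooling and logs.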