LoFP / legitimate software that uses these patterns

Techniques

Sample rules

Linux Shell Pipe to Shell

Description

Detects a suspicious process command line that starts with a shell executing something whose output is finally piped into another shell

Detection logic

condition: all of selection*
selection:
  CommandLine|startswith:
  - 'sh -c '
  - 'bash -c '
selection_exec:
- CommandLine|contains:
  - '| bash '
  - '| sh '
  - '|bash '
  - '|sh '
- CommandLine|endswith:
  - '| bash'
  - '| sh'
  - '|bash'
  - ' |sh'

Interactive Bash Suspicious Children

Description

Detects a suspicious interactive bash shell acting as the parent of rather uncommon child processes

Detection logic

anomaly1:
  CommandLine|contains:
  - '-c import '
  - base64
  - pty.spawn
anomaly2:
  Image|endswith:
  - whoami
  - iptables
  - /ncat
  - /nc
  - /netcat
condition: selection and 1 of anomaly*
selection:
  ParentCommandLine: bash -i
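The two rules above, as an added example (not code from the LoFP page or the Sigma project): their selection logic re-implemented in plain Python and run over constructed process events, including a benign administrator action that the second rule flags, which is exactly the kind of false positive this page catalogues. Field names follow the Sigma fields used in the rules; the event dictionaries are assumptions constructed for the example.

```python
# Added example (not from the LoFP page or the Sigma project): the two rules'
# matching logic in plain Python, run over constructed process events.
# Sigma string modifiers compare case-insensitively, so fields are lowercased.
PIPE_STARTS = ("sh -c ", "bash -c ")                             # selection
PIPE_CONTAINS = ("| bash ", "| sh ", "|bash ", "|sh ")            # selection_exec (OR)
PIPE_ENDS = ("| bash", "| sh", "|bash", " |sh")
CHILD_CMDLINE = ("-c import ", "base64", "pty.spawn")             # anomaly1
CHILD_IMAGES = ("whoami", "iptables", "/ncat", "/nc", "/netcat")  # anomaly2

def field(event: dict, key: str) -> str:
    """Fetch a field as lowercase text; a missing field never matches."""
    return str(event.get(key, "")).lower()

def shell_pipe_to_shell(event: dict) -> bool:
    """condition: all of selection* -> selection AND selection_exec."""
    cmd = field(event, "CommandLine")
    exec_part = any(p in cmd for p in PIPE_CONTAINS) or cmd.endswith(PIPE_ENDS)
    return cmd.startswith(PIPE_STARTS) and exec_part

def interactive_bash_children(event: dict) -> bool:
    """condition: selection and 1 of anomaly* -> 'bash -i' parent AND (anomaly1 OR anomaly2)."""
    if field(event, "ParentCommandLine") != "bash -i":
        return False
    anomaly1 = any(p in field(event, "CommandLine") for p in CHILD_CMDLINE)
    return anomaly1 or field(event, "Image").endswith(CHILD_IMAGES)

RULES = (
    ("Linux Shell Pipe to Shell", shell_pipe_to_shell),
    ("Interactive Bash Suspicious Children", interactive_bash_children),
)

# Constructed sample events, not real telemetry.
EVENTS = [
    # Installer one-liner piping a download into sh: fires rule 1.
    {"CommandLine": "sh -c curl -s https://example.invalid/install.sh | sh"},
    # Pipe into grep, not a shell: rule 1 stays quiet.
    {"CommandLine": "bash -c cat /etc/os-release | grep ID"},
    # Admin running whoami in an interactive shell: benign, but fires rule 2
    # (the kind of false positive this LoFP page catalogues).
    {"ParentCommandLine": "bash -i", "Image": "/usr/bin/whoami", "CommandLine": "whoami"},
    # Same child under a non-interactive bash: rule 2 stays quiet.
    {"ParentCommandLine": "bash", "Image": "/usr/bin/whoami", "CommandLine": "whoami"},
]

def evaluate(events=EVENTS) -> list:
    """Titles of the rules that fire for each event, in input order."""
    return [tuple(title for title, rule in RULES if rule(e)) for e in events]

if __name__ == "__main__":
    print(*evaluate(), sep="\n")
```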