Sigma rules for CVE-2013-1667
2 rules · scoped to cve · back to CVE-2013-1667
Direct rules mention this entity in their title or description. Related rules cover the techniques this entity is known to use.
title: Potential Perl Reverse Shell Execution
id: 259df6bc-003f-4306-9f54-4ff1a08fa38e
status: test
description: Detects execution of the perl binary with the "-e" flag and common strings related to potential reverse shell activity
references:
- https://pentestmonkey.net/cheat-sheet/shells/reverse-shell-cheat-sheet
- https://www.revshells.com/
author: '@d4ns4n_, Nasreddine Bencherchali (Nextron Systems)'
date: 2023-04-07
tags:
- attack.execution
logsource:
category: process_creation
product: linux
detection:
selection_img:
Image|endswith: '/perl'
CommandLine|contains: ' -e '
selection_content:
- CommandLine|contains|all:
- 'fdopen('
- '::Socket::INET'
- CommandLine|contains|all:
- 'Socket'
- 'connect'
- 'open'
- 'exec'
condition: all of selection_*
falsepositives:
- Unlikely
level: high
title: Perl Inline Command Execution
id: f426547a-e0f7-441a-b63e-854ac5bdf54d
status: test
description: Detects execution of perl using the "-e"/"-E" flags. This is could be used as a way to launch a reverse shell or execute live perl code.
references:
- https://pentestmonkey.net/cheat-sheet/shells/reverse-shell-cheat-sheet
- https://www.revshells.com/
author: Nasreddine Bencherchali (Nextron Systems)
date: 2023-01-02
tags:
- attack.execution
- attack.t1059
logsource:
category: process_creation
product: windows
detection:
selection_img:
- Image|endswith: '\perl.exe'
- OriginalFileName: 'perl.exe' # Also covers perlX.XX.exe
selection_cli:
CommandLine|contains: ' -e'
condition: all of selection_*
falsepositives:
- Unknown
level: medium