Sigma rules for CVE-2016-9401
4 rules · scoped to cve · back to CVE-2016-9401
Direct rules mention this entity in their title or description. Related rules cover the techniques this entity is known to use.
title: Interactive Bash Suspicious Children
id: ea3ecad2-db86-4a89-ad0b-132a10d2db55
status: test
description: Detects suspicious interactive bash as a parent to rather uncommon child processes
references:
- Internal Research
author: Florian Roth (Nextron Systems)
date: 2022-03-14
tags:
- attack.execution
- attack.stealth
- attack.t1059.004
- attack.t1036
logsource:
product: linux
category: process_creation
detection:
selection:
ParentCommandLine: 'bash -i'
anomaly1:
CommandLine|contains:
- '-c import '
- 'base64'
- 'pty.spawn'
anomaly2:
Image|endswith:
- 'whoami'
- 'iptables'
- '/ncat'
- '/nc'
- '/netcat'
condition: selection and 1 of anomaly*
falsepositives:
- Legitimate software that uses these patterns
level: medium
title: Indirect Command Execution From Script File Via Bash.EXE
id: 2d22a514-e024-4428-9dba-41505bd63a5b
related:
- id: 5edc2273-c26f-406c-83f3-f4d948e740dd
type: similar
status: test
description: |
Detects execution of Microsoft bash launcher without any flags to execute the content of a bash script directly.
This can be used to potentially bypass defenses and execute Linux or Windows-based binaries directly via bash.
references:
- https://lolbas-project.github.io/lolbas/Binaries/Bash/
- https://linux.die.net/man/1/bash
- Internal Research
author: Nasreddine Bencherchali (Nextron Systems)
date: 2023-08-15
tags:
- attack.stealth
- attack.t1202
logsource:
category: process_creation
product: windows
detection:
selection:
- Image|endswith:
- ':\Windows\System32\bash.exe'
- ':\Windows\SysWOW64\bash.exe'
- OriginalFileName: 'Bash.exe'
filter_main_cli_flag:
CommandLine|contains:
# Note: we're not interested in flags being passed first
- 'bash.exe -'
- 'bash -'
filter_main_no_cli:
CommandLine: null
filter_main_empty:
CommandLine: ''
filter_main_no_flag:
CommandLine:
- 'bash.exe'
- 'bash'
condition: selection and not 1 of filter_main_*
falsepositives:
- Unknown
level: medium
title: Indirect Inline Command Execution Via Bash.EXE
id: 5edc2273-c26f-406c-83f3-f4d948e740dd
related:
- id: 2d22a514-e024-4428-9dba-41505bd63a5b
type: similar
status: test
description: |
Detects execution of Microsoft bash launcher with the "-c" flag.
This can be used to potentially bypass defenses and execute Linux or Windows-based binaries directly via bash.
references:
- https://lolbas-project.github.io/lolbas/Binaries/Bash/
author: frack113
date: 2021-11-24
modified: 2023-08-15
tags:
- attack.stealth
- attack.t1202
logsource:
category: process_creation
product: windows
detection:
selection_img:
- Image|endswith:
- ':\Windows\System32\bash.exe'
- ':\Windows\SysWOW64\bash.exe'
- OriginalFileName: 'Bash.exe'
selection_cli:
CommandLine|contains: ' -c '
condition: all of selection_*
falsepositives:
- Unknown
level: medium
title: Bash Interactive Shell
id: 6104e693-a7d6-4891-86cb-49a258523559
status: test
description: Detects execution of the bash shell with the interactive flag "-i".
references:
- https://pentestmonkey.net/cheat-sheet/shells/reverse-shell-cheat-sheet
- https://www.revshells.com/
- https://linux.die.net/man/1/bash
author: '@d4ns4n_'
date: 2023-04-07
tags:
- attack.execution
logsource:
category: process_creation
product: linux
detection:
selection:
Image|endswith: '/bash'
CommandLine|contains: ' -i '
condition: selection
falsepositives:
- Unknown
level: low