Threat Hunt | low | experimental

Potentially Suspicious Long Filename Pattern - Linux

Detects the creation of files with unusually long filenames (100 or more characters), which may indicate obfuscation techniques used by malware such as VShell. This is a hunting rule to identify potential threats that use long filenames to evade detection. Keep in mind that on a legitimate system such long filenames can be, and often are, common. Run this detection in the context of threat hunting rather than alerting, and adjust the filename-length threshold as needed for your environment.

Author: kostastsale | Created: Sat Nov 22 | Rule ID: 11629c4d-0fe6-465b-be62-b39a1c442aad | Product: linux
Hunting Hypothesis
Log Source
Product: Linux (raw: linux)
Category: File Event (raw: file_event)

Events for file system activity including creation, modification, and deletion.

Detection Logic (2 selectors)
detection:
    selection:
        TargetFilename|re: '[^/]{100,}$'
    filter_optional_known_good:
        TargetFilename|startswith:
            - '/run/systemd/units/invocation:systemd-fsck@'
            - '/sys/firmware/'
            - '/var/log/journal/'
    condition: selection and not 1 of filter_optional_*
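The following is an added example (not part of this rule page or the Sigma project) that replays the rule's logic in plain Python over a handful of constructed file-creation events, so you can see which filenames the `[^/]{100,}$` selection catches and which the `filter_optional_known_good` prefixes suppress. The events are assumed to arrive as JSON lines with a `TargetFilename` field (the Sigma field name the rule uses); the sample events and the `min_len` parameter are assumptions added here to show how the threshold can be tuned, as the description suggests.

```python
import json
import re

# Prefix list copied from the rule's filter_optional_known_good selector.
KNOWN_GOOD_PREFIXES = (
    "/run/systemd/units/invocation:systemd-fsck@",
    "/sys/firmware/",
    "/var/log/journal/",
)


def long_basename_pattern(min_len: int = 100) -> re.Pattern:
    """Build the rule's regex; min_len=100 yields exactly '[^/]{100,}$'.

    Because the class excludes '/', only the final path component is
    measured: a deep directory tree made of short names never matches.
    """
    return re.compile(r"[^/]{%d,}$" % min_len)


def matches_rule(target_filename: str, min_len: int = 100) -> bool:
    """Evaluate 'selection and not 1 of filter_optional_*' for one event.

    Sigma's |re modifier is an unanchored search, so re.search is used.
    """
    if not long_basename_pattern(min_len).search(target_filename):
        return False  # selection did not fire
    if target_filename.startswith(KNOWN_GOOD_PREFIXES):
        return False  # suppressed by filter_optional_known_good
    return True


def hunt(jsonl: str, min_len: int = 100) -> list:
    """Return the TargetFilename of every event that satisfies the rule."""
    hits = []
    for line in jsonl.splitlines():
        if not line.strip():
            continue
        event = json.loads(line)
        name = event.get("TargetFilename")
        if name and matches_rule(name, min_len):
            hits.append(name)
    return hits


# Constructed sample events (not real telemetry): each exercises one branch.
SAMPLE_EVENTS = "\n".join(
    json.dumps({"EventType": "CREATE", "TargetFilename": f})
    for f in [
        "/tmp/" + "a" * 120,                       # long basename -> hit
        "/var/log/journal/" + "b" * 120,           # long, but known-good prefix
        "/home/user/" + "c" * 99,                  # one char short of threshold
        "/" + "/".join(["d" * 50] * 4),            # long path, short components
        "/run/systemd/units/invocation:systemd-fsck@" + "e" * 150,  # filtered
        "/opt/" + "f" * 100,                       # exactly 100 -> hit
    ]
)


if __name__ == "__main__":
    for name in hunt(SAMPLE_EVENTS):
        print("HIT", len(name.rsplit("/", 1)[-1]), name[:60] + "...")
```

Running it reports two hits (the `/tmp/` and `/opt/` files); lowering `min_len` to 50 additionally surfaces the 99-character name and the path built from 50-character components, which is the kind of threshold experiment the description recommends before deciding what is normal for a given fleet.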
False Positives

Legitimate files with long filenames.

MITRE ATT&CK: T1059.004 (Execution), T1027 (Defense Evasion)
Rule Metadata
Rule ID
11629c4d-0fe6-465b-be62-b39a1c442aad
Status
experimental
Level
low
Type
Threat Hunt
Created
Sat Nov 22
Path
rules-threat-hunting/linux/file/file_event/file_event_lnx_susp_long_filename_pattern.yml
Raw Tags
attack.execution, attack.t1059.004, attack.defense-evasion, attack.t1027, detection.threat-hunting