
Suspicious Filename with Embedded Base64 Commands

Detects files with specially crafted filenames that embed Base64-encoded bash payloads designed to execute when processed by shell scripts. These filenames exploit shell interpretation quirks to trigger hidden commands, a technique observed in VShell malware campaigns.

Author: kostastsale
Created: Sat Nov 22
Rule ID: 179b3686-6271-4d87-807d-17d843a8af73

Log Source
Product: Linux (raw: linux)
Category: File Event (raw: file_event)

Events for file system activity including creation, modification, and deletion.

Detection Logic
detection:
    selection:
        TargetFilename|contains:
            - '{echo'
            - '{base64,-d}'
    condition: selection
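To see how the selection above behaves on real file-event records, here is a small Python emulation of the rule (an added example, not part of the rule or the Sigma project). It applies the two `TargetFilename|contains` indicators to constructed sample events and assumes the backend honours Sigma's default case-insensitive string matching.

```python
from dataclasses import dataclass

# The two substrings listed under TargetFilename|contains in the rule.
INDICATORS = ["{echo", "{base64,-d}"]


@dataclass
class FileEvent:
    """Minimal stand-in for a Linux file_event record (constructed)."""
    target_filename: str
    image: str = "/usr/bin/touch"   # creating process; not used by the rule


def matches_rule(event: FileEvent) -> bool:
    """Emulate 'condition: selection': any listed substring in TargetFilename.

    Sigma treats string values as case-insensitive by default, so both sides
    are lowercased; a backend that compiles to a case-sensitive query would
    miss the upper-cased variant below (assumption: backend honours default).
    """
    name = event.target_filename.lower()
    return any(ind.lower() in name for ind in INDICATORS)


# Constructed sample events: two crafted names, one mixed-case variant, and
# benign names that mention echo/base64 without the brace-expansion syntax.
SAMPLE_EVENTS = [
    FileEvent("/tmp/data_{echo,SGVsbG8=}_{base64,-d}"),
    FileEvent("/home/user/notes-on-{base64,-d}.txt"),
    FileEvent("/var/tmp/{ECHO,abc}"),
    FileEvent("/home/user/base64-decoder.py"),
    FileEvent("/home/user/echo.txt"),
]


def run(events):
    """Return the TargetFilename of every event the rule would alert on."""
    return [e.target_filename for e in events if matches_rule(e)]


if __name__ == "__main__":
    for hit in run(SAMPLE_EVENTS):
        print("ALERT:", hit)
```

Only the three names containing a `{` directly followed by `echo` or `base64,-d` fire; plain mentions of `base64` or `echo` in a filename do not, which is why the false-positive rate is expected to be low.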
False Positives

Legitimate files with similar naming patterns (very unlikely).

Rule Metadata
Rule ID
179b3686-6271-4d87-807d-17d843a8af73
Status
experimental
Level
high
Type
Detection
Created
Sat Nov 22
Path
rules/linux/file_event/file_event_lnx_susp_filename_with_embedded_base64_command.yml
Raw Tags
attack.execution, attack.t1059.004, attack.defense-evasion, attack.t1027