Detectionmediumtest

Linux Shell Pipe to Shell

Detects suspicious process command line that starts with a shell that executes something and finally gets piped into another shell

Convert In Phoenix Studio

Open this Sigma rule in the converter with the YAML preloaded and ready for backend selection.

Launch

Florian Roth (Nextron Systems)Created Mon Mar 14Updated Tue Jul 26880973f3-9708-491c-a77b-2a35a1921158linux

Log Source

LinuxProcess Creation

ProductLinux← raw: linux

CategoryProcess Creation← raw: process_creation

Events generated when a new process is spawned on the system. Covers command-line arguments, parent/child relationships, and process metadata.

Detection Logic

detection:
    selection:
        CommandLine|startswith:
            - 'sh -c '
            - 'bash -c '
    selection_exec:
        - CommandLine|contains:
              - '| bash '
              - '| sh '
              - '|bash '
              - '|sh '
        - CommandLine|endswith:
              - '| bash'
              - '| sh'
              - '|bash'
              - ' |sh'
    condition: all of selection*

False Positives

Legitimate software that uses these patterns

References

Resolving title…

Internal Research

MITRE ATT&CK

Tactics

TA0005 · Defense Evasion

Techniques

T1140 · Deobfuscate/Decode Files or Information

Rule Metadata

Rule ID

880973f3-9708-491c-a77b-2a35a1921158

Status

test

Level

medium

Type

Detection

Created

Mon Mar 14

Modified

Tue Jul 26

Author

Florian Roth (Nextron Systems)

Path

rules/linux/process_creation/proc_creation_lnx_susp_pipe_shell.yml

Raw Tags

attack.defense-evasionattack.t1140

View on GitHub