auditd-base64-exec-behavior Scenario

« auditd-base64-exec-behavior »
v0.5 by crowdsecurity
Attack scenarioservice:linuxspoofable:0MITRE:T1059confidence:2

Detect post-exploitation behaviour : base64 + interpreter (perl/bash/python)

Installation

cscli scenarios install crowdsecurity/auditd-base64-exec-behavior

Description

Attempt to detect a process that is invoking both base64 and an interpreter such as sh, bash, perl, dash, zsh or python.

This pattern is usually seen in post-exploitation behaviors to have "file less" backdoors :

echo ZWNobyAnbWFsaWNpb3VzIHBheWxvYWQnCg== | base64 -d | bash

YAML Configuration

1type: conditional
2#debug: true
3name: crowdsecurity/auditd-base64-exec-behavior
4description: "Detect post-exploitation behaviour : base64 + interpreter (perl/bash/python)"
5filter: evt.Meta.log_type == 'execve'
6#grouping by ppid to track a processs invoking base64 and interpreter in sequence
7groupby: evt.Meta.ppid
8condition: |
9  any(queue.Queue, {.Meta.exe == "/usr/bin/base64"})
10  and (
11    any(queue.Queue, { .Meta.exe matches '^\\/(usr\\/(local\\/)?)?bin\\/(sh|bash|perl|dash|zsh)$' })
12    or
13    any(queue.Queue, { .Meta.exe startsWith "/usr/bin/python" })
14  )
15leakspeed: 1s
16capacity: -1
17blackhole: 1m
18labels:
19  service: linux
20  confidence: 2
21  spoofable: 0
22  classification:
23    - attack.T1059.004
24  behavior: "linux:post-exploitation"
25  label: "Post Exploitation command execution from base64 encoded payload"
26  remediation: false
27scope:
28  type: pid
29  expression: evt.Meta.ppid
30

Hub configuration

« auditd-base64-exec-behavior »v0.5 by crowdsecurityAttack scenarioservice:linuxspoofable:0MITRE:T1059confidence:2

« auditd-base64-exec-behavior »
v0.5 by crowdsecurity
Attack scenarioservice:linuxspoofable:0MITRE:T1059confidence:2