id: bash-scanner

info:
  name: Bash Scanner
  author: ransomsec
  severity: info
  description: Indicator for bash Dangerous Commands – You Should Never Execute on Linux
  reference:
    - https://www.tecmint.com/10-most-dangerous-commands-you-should-never-execute-on-linux/
    - https://phoenixnap.com/kb/dangerous-linux-terminal-commands
  tags: bash,file,shell,sh

file:
  - extensions:
      - sh

    extractors:
      - type: regex
        name: fork-bomb
        regex:
          - ":(){:|:&};:"

      - type: regex
        name: rm command found
        regex:
          - "rm -(f|r)"
          - "rm -(fr|rf)"

      - type: regex
        name: code injection
        regex:
          - "/bin/(sh|bash) -"
          - "eval"
          - "echo -c"
          - "/bin/(sh|bash) -c"
          - "(sh|bash) -"
          - "(sh|bash) -c"

      - type: regex
        name: file manipulation
        regex:
          - "cat /dev/null >"

      - type: regex
        name: unknown filedownload
        regex:
          - '(wget|curl) (https?|ftp|file)://[-A-Za-z0-9\+&@#/%?=~_|!:,.;]*[-A-Za-z0-9\+&@#/%=~_|]\.[-A-Za-z0-9\+&@#/%?=~_|!:,.;]*[-A-Za-z0-9\+&@#/%=~_|]$'
# digest: 4a0a004730450221009ad4de0abc82c172ead956fa70e1a84b3baff31c544569a254f7cf7d255e41cf02200bae7cf84580e9b008236464ea25f105d51c97951521af9c5e96b3ca11a1ad48:922c64590222798bb761d5b6d8e72950