id: bash-scanner

info:
  name: Bash Scanner
  author: ransomsec
  severity: info
  description: Indicator for bash Dangerous Commands – You Should Never Execute on Linux
  reference:
    - https://www.tecmint.com/10-most-dangerous-commands-you-should-never-execute-on-linux/
    - https://phoenixnap.com/kb/dangerous-linux-terminal-commands
  tags: bash,file,shell,sh
file:
  - extensions:
      - sh

    extractors:
      - type: regex
        name: fork-bomb
        regex:
          - ":(){:|:&};:"

      - type: regex
        name: rm command found
        regex:
          - "rm -(f|r)"
          - "rm -(fr|rf)"

      - type: regex
        name: code injection
        regex:
          - "/bin/(sh|bash) -"
          - "eval"
          - "echo -c"
          - "/bin/(sh|bash) -c"
          - "(sh|bash) -"
          - "(sh|bash) -c"

      - type: regex
        name: file manipulation
        regex:
          - "cat /dev/null >"

      - type: regex
        name: unknown filedownload
        regex:
          - '(wget|curl) (https?|ftp|file)://[-A-Za-z0-9\+&@#/%?=~_|!:,.;]*[-A-Za-z0-9\+&@#/%=~_|]\.[-A-Za-z0-9\+&@#/%?=~_|!:,.;]*[-A-Za-z0-9\+&@#/%=~_|]$'

# digest: 4a0a00473045022100db6e5f84fe8da8728aa4f05dd83a5d033d062fe552a148d3cf2fd599277d1eaf022040d4296bef6df6b57b8381af30fc75730d9bf8103ce7d37bdcfbe91317fc5344:922c64590222798bb761d5b6d8e72950