id: bash-scanner info: name: Bash Scanner author: ransomsec severity: info description: Indicator for bash Dangerous Commands – You Should Never Execute on Linux reference: - https://www.tecmint.com/10-most-dangerous-commands-you-should-never-execute-on-linux/ - https://phoenixnap.com/kb/dangerous-linux-terminal-commands tags: bash,shell,sh file: - extensions: - sh extractors: - type: regex name: fork-bomb regex: - ":(){:|:&};:" - type: regex name: rm commad found regex: - "rm -(f|r)" - "rm -(fr|rf)" - type: regex name: code injection regex: - "/bin/(sh|bash) -" - "eval" - "echo -c" - "/bin/(sh|bash) -c" - "(sh|bash) -" - "(sh|bash) -c" - type: regex name: file manipulation regex: - "cat /dev/null >" - type: regex name: unknown filedownload regex: - '(wget|curl) (https?|ftp|file)://[-A-Za-z0-9\+&@#/%?=~_|!:,.;]*[-A-Za-z0-9\+&@#/%=~_|]\.[-A-Za-z0-9\+&@#/%?=~_|!:,.;]*[-A-Za-z0-9\+&@#/%=~_|]$'