48 lines
1.1 KiB
YAML
48 lines
1.1 KiB
YAML
id: bash-scanner
|
||
|
||
info:
|
||
name: Bash Scanner
|
||
author: ransomsec
|
||
severity: info
|
||
description: Indicator for bash Dangerous Commands – You Should Never Execute on Linux
|
||
reference:
|
||
- https://www.tecmint.com/10-most-dangerous-commands-you-should-never-execute-on-linux/
|
||
- https://phoenixnap.com/kb/dangerous-linux-terminal-commands
|
||
tags: bash,shell,sh
|
||
|
||
file:
|
||
- extensions:
|
||
- sh
|
||
|
||
extractors:
|
||
- type: regex
|
||
name: fork-bomb
|
||
regex:
|
||
- ":(){:|:&};:"
|
||
|
||
- type: regex
|
||
name: rm commad found
|
||
regex:
|
||
- "rm -(f|r)"
|
||
- "rm -(fr|rf)"
|
||
|
||
- type: regex
|
||
name: code injection
|
||
regex:
|
||
- "/bin/(sh|bash) -"
|
||
- "eval"
|
||
- "echo -c"
|
||
- "/bin/(sh|bash) -c"
|
||
- "(sh|bash) -"
|
||
- "(sh|bash) -c"
|
||
|
||
- type: regex
|
||
name: file manipulation
|
||
regex:
|
||
- "cat /dev/null >"
|
||
|
||
- type: regex
|
||
name: unknown filedownload
|
||
regex:
|
||
- '(wget|curl) (https?|ftp|file)://[-A-Za-z0-9\+&@#/%?=~_|!:,.;]*[-A-Za-z0-9\+&@#/%=~_|]\.[-A-Za-z0-9\+&@#/%?=~_|!:,.;]*[-A-Za-z0-9\+&@#/%=~_|]$'
|