SigmaHQ/rules/linux/lnx_susp_jexboss.yml

title: JexBoss Command Sequence
description: Detects suspicious command sequence that JexBoss
references:
    - https://www.us-cert.gov/ncas/analysis-reports/AR18-312A
author: Florian Roth
date: 2017/08/24
logsource:
    product: linux
detection:
    selection1: 
        - 'bash -c /bin/bash'
    selection2:
        - '&/dev/tcp/'
    condition: selection1 and selection2
falsepositives:
    - Unknown
level: high
Linux JexBoss back connect shell 2018-11-08 22:21:21 +00:00			`title: JexBoss Command Sequence`
			`description: Detects suspicious command sequence that JexBoss`
			`references:`
			`- https://www.us-cert.gov/ncas/analysis-reports/AR18-312A`
			`author: Florian Roth`
			`date: 2017/08/24`
			`logsource:`
			`product: linux`
			`detection:`
			`selection1:`
			`- 'bash -c /bin/bash'`
			`selection2:`
			`- '&/dev/tcp/'`
			`condition: selection1 and selection2`
			`falsepositives:`
			`- Unknown`
			`level: high`