# Sigma-style detection rule (title / logsource / detection / condition / level
# layout): a plain keyword match over Linux log lines for command fragments that
# appear in the public exploit code listed under reference.
title: Suspicious Activity in Shell Commands
description: Detects suspicious shell commands used in various exploit codes (see references)
# NOTE(review): the Sigma specification spells this field 'references'; confirm
# which spelling the consuming tooling accepts before relying on this key.
reference:
  - http://www.threatgeek.com/2017/03/widespread-exploitation-attempts-using-cve-2017-5638.html
  - https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/multi/http/struts_code_exec_exception_delegator.rb#L121
logsource:
  # No category or service is set, so the match applies to whatever the backend
  # maps to product: linux — TODO confirm this breadth is intended (at least one
  # entry below is a kernel message rather than a shell command).
  product: linux
detection:
  # Keyword list: the entries are alternatives (see condition below), matched as
  # substrings of the log line; '*' is the Sigma wildcard, not a regex metacharacter.
  # Leading/trailing spaces inside the quotes are deliberate delimiters
  # (e.g. 'nc -l -p ' expects the port to follow) — keep them when editing.
  keywords:
    # Generic suspicious commands
    # wget writing the download to stdout ('-') and piping it straight into an interpreter
    - 'wget * - http* | perl'
    - 'wget * - http* | sh'
    - 'wget * - http* | bash'
    # Python 2 ad-hoc file server; the Python 3 form ('python -m http.server') is not
    # covered by this entry
    - 'python -m SimpleHTTPServer'
    # Kernel log text, not a shell command: logged when an interface is switched to
    # promiscuous mode (packet capture), so this hits dmesg/syslog-type sources
    - 'entered promiscuous mode'
    # Apache Struts in-the-wild exploit codes
    # Fragments of the CVE-2017-5638 payloads from the first reference: stop the
    # host firewall, fetch and chmod a dropped file, persist via /etc/rc.local
    - 'stop;service iptables stop;'
    - 'stop;SuSEfirewall2 stop;'
    # '2020' is presumably the dropped file's name in that campaign — a narrow,
    # easily rotated indicator
    - 'chmod 777 2020'
    - '">>/etc/rc.local;'
    - 'wget -c *;chmod 777'
    # Metasploit framework exploit codes
    # Fragments from the Metasploit Struts module (second reference): base64-decode
    # a staged payload under /tmp, copy a shell binary and set its setuid bit
    - 'base64 -d /tmp/'
    # Generic base64 decode of piped data — NOTE(review): likely to match benign
    # scripts too; the most false-positive-prone entry in this list
    - ' | base64 -d'
    - '/bin/chmod u+s'
    - 'chmod +s /tmp/'
    - 'chmod u+s /tmp/'
    # Hard-coded staging names/paths from the module; brittle against a simple rename
    - '/tmp/haxhax'
    - '/tmp/ns_sploit'
    # Listener on a chosen port (the trailing space anchors the port argument)
    - 'nc -l -p '
    - 'cp /bin/ksh '
    - 'cp /bin/sh '
    - ' /tmp/*.b64 '
    # Spelling kept exactly as in the rule — NOTE(review): verify against the
    # referenced module before "correcting" the name
    - '/tmp/ysocereal.jar'
  # Fires when any single keyword above is present in the log line
  condition: keywords
# NOTE(review): administrative scripting can legitimately stop firewalls, run
# 'base64 -d' or copy shell binaries; review such cases before alerting at level high
falsepositives:
  - Unknown
level: high