title: JexBoss Command Sequence
id: 8ec2c8b4-557a-4121-b87c-5dfb3a602fae
description: Detects suspicious command sequence that JexBoss
author: Florian Roth
date: 2017/08/24
references:
    - https://www.us-cert.gov/ncas/analysis-reports/AR18-312A
logsource:
    product: linux
detection:
    selection1:
        - 'bash -c /bin/bash'
    selection2:
        - '&/dev/tcp/'
    condition: selection1 and selection2
falsepositives:
    - Unknown
level: high
tags:
    - attack.execution
    - attack.t1059.004