Query Details

Base64shebang

Query

# Rule: Base64 Encoded Shebang Detection

## Description
Identifies potentially malicious scripts by detecting processes with Base64 encoded shebang lines in their command lines. Shebang lines are typically used to specify the script interpreter, and encoding them in Base64 can indicate an attempt to obfuscate malicious activity.

- Source: [Sigma rule for detecting Base64 encoded shebang lines in Linux](https://github.com/SigmaHQ/sigma/blob/0bb6f0c0d75ae3e1c37f9ab77d68f20cdb32ecd3/rules/linux/process_creation/proc_creation_lnx_base64_shebang_cli.yml)

## Detection Logic
- Monitors process command lines for Base64 encoded shebang lines, which are indicative of script obfuscation. Specifically, it looks for:
  - `IyEvYmluL2Jhc2` (Base64 for `#!/bin/bash`)
  - `IyEvYmluL2Rhc2` (Base64 for `#!/bin/dash`)
  - `IyEvYmluL3pza` (Base64 for `#!/bin/zsh`)
  - `IyEvYmluL2Zpc2` (Base64 for `#!/bin/fish`)
  - `IyEvYmluL3No` (Base64 for `#!/bin/sh`)

## Tags
- Base64 Encoding
- Shebang Detection
- Process Events
- Linux

## Search Query
```kql
DeviceProcessEvents  // contains, not has_any: has_any matches whole terms only, and a prefix of a Base64 blob is never a whole term
| where ProcessCommandLine contains "IyEvYmluL2Jhc2" or ProcessCommandLine contains "IyEvYmluL2Rhc2"
    or ProcessCommandLine contains "IyEvYmluL3pza" or ProcessCommandLine contains "IyEvYmluL2Zpc2"
    or ProcessCommandLine contains "IyEvYmluL3No"
```

Explanation

This query is designed to detect potentially malicious scripts on Linux systems by looking for processes that have Base64 encoded shebang lines in their command lines. Shebang lines are used to specify the interpreter for a script (like #!/bin/bash), and encoding them in Base64 can be a method to hide malicious activity.

Key Points:

  • Purpose: Identify scripts that may be trying to hide their true nature by encoding their shebang lines in Base64.
  • Detection: The query checks for specific Base64 encoded strings that correspond to common shebang lines for various interpreters (e.g., bash, dash, zsh, fish, sh).
  • Indicators: The encoded strings it looks for include:
    • IyEvYmluL2Jhc2 (Base64 for #!/bin/bash)
    • IyEvYmluL2Rhc2 (Base64 for #!/bin/dash)
    • IyEvYmluL3pza (Base64 for #!/bin/zsh)
    • IyEvYmluL2Zpc2 (Base64 for #!/bin/fish)
    • IyEvYmluL3No (Base64 for #!/bin/sh)

KQL Query:

The KQL query filters process events to find any command lines that contain these specific Base64 encoded strings.

DeviceProcessEvents  // contains, not has_any: has_any matches whole terms only, and a prefix of a Base64 blob is never a whole term
| where ProcessCommandLine contains "IyEvYmluL2Jhc2" or ProcessCommandLine contains "IyEvYmluL2Rhc2"
    or ProcessCommandLine contains "IyEvYmluL3pza" or ProcessCommandLine contains "IyEvYmluL2Zpc2"
    or ProcessCommandLine contains "IyEvYmluL3No"
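As an added illustration (not part of this query page or of the Sigma rule it cites), the Python below derives the five indicators from the shebang strings and shows why each stops where it does: Base64 turns every 3 input bytes into 4 characters, so only the characters fully determined by the shebang are kept and those that also encode whatever follows it are dropped. It then runs the same substring test over constructed process events; the `offset` parameter is an assumption beyond the rule and also produces indicators for a shebang that starts 1 or 2 bytes into the encoded data, which the five rule values do not cover.

```python
import base64

# Shebang lines the rule covers; its five indicators are derived from these.
SHEBANGS = ["#!/bin/bash", "#!/bin/dash", "#!/bin/zsh", "#!/bin/fish", "#!/bin/sh"]

# Leading Base64 characters that also encode bits of the unknown bytes
# *before* the shebang when it starts 0, 1 or 2 bytes into the input.
_UNSTABLE_LEAD = {0: 0, 1: 2, 2: 3}

def b64_prefix(text: str, offset: int = 0) -> str:
    """Base64 characters fully determined by `text` when it starts `offset`
    bytes (0, 1 or 2) into the encoded data. Characters that also encode
    bits of unknown bytes before or after `text` are dropped, so the prefix
    matches whatever follows the shebang (newline, arguments, padding)."""
    data = b"\x00" * offset + text.encode()  # placeholders for the unknown lead bytes
    encoded = base64.b64encode(data).decode()
    n = len(data)
    # 4 stable characters per full 3-byte group, plus 1 or 2 for a partial
    # group (its remaining characters mix in bits of the next byte/padding).
    stable_end = 4 * (n // 3) + n % 3
    return encoded[_UNSTABLE_LEAD[offset]:stable_end]

def indicators(offsets=(0,)) -> list:
    """Indicators for every shebang at each alignment; offsets=(0,) yields
    exactly the five values used by the rule."""
    return [b64_prefix(s, o) for o in offsets for s in SHEBANGS]

def hunt(events, offsets=(0,)) -> list:
    """Events whose command line contains any indicator as a substring
    (KQL `contains` semantics; case-sensitive, as Base64 is)."""
    terms = indicators(offsets)
    return [e for e in events if any(t in e["ProcessCommandLine"] for t in terms)]

# Constructed sample events, not real telemetry. The blobs decode to "#!/bin/bash\necho hi\n",
# "#!/bin/sh\necho hi\n" and, on web03, the same sh script preceded by one newline (shifted alignment).
SAMPLE_EVENTS = [
    {"DeviceName": "web01", "ProcessCommandLine":
     "sh -c 'echo IyEvYmluL2Jhc2gKZWNobyBoaQo= | base64 -d | bash'"},
    {"DeviceName": "web02", "ProcessCommandLine":
     "sh -c 'echo IyEvYmluL3NoCmVjaG8gaGkK | base64 -d > /tmp/run.sh'"},
    {"DeviceName": "web03", "ProcessCommandLine":
     "sh -c 'echo CiMhL2Jpbi9zaAplY2hvIGhpCg== | base64 -d | sh'"},
    {"DeviceName": "db01", "ProcessCommandLine": "tar czf /backup/db.tgz /var/lib/db"},
]

if __name__ == "__main__":
    print("rule indicators:", indicators())
    print("offset 0 only  :", [e["DeviceName"] for e in hunt(SAMPLE_EVENTS)])
    print("all alignments :", [e["DeviceName"] for e in hunt(SAMPLE_EVENTS, (0, 1, 2))])
```

The matcher is a plain substring test, which corresponds to KQL `contains`; `has` and `has_any` match whole terms only, so a prefix inside a longer Base64 blob does not satisfy them.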

Tags:

  • Base64 Encoding: The method used to encode the shebang lines.
  • Shebang Detection: The focus on identifying shebang lines.
  • Process Events: The type of events being monitored.
  • Linux: The operating system targeted by this detection rule.

In summary, this query helps identify obfuscated scripts that might be used for malicious purposes by detecting Base64 encoded shebang lines in process command lines on Linux systems.

Details

Ali Hussein

Released: July 8, 2024

Tables

DeviceProcessEvents

Keywords

DeviceProcessEvents

Linux

Operators

has_any

where