[PR #3113] modified rule: Attachment: Base64 encoded bash command in filename

Author: github-actions[bot]

detection-rules/3113_attachment_base64_encoded_bash_command_in_filename.yml

@@ -1,4 +1,10 @@
-source: |-
+name: "Attachment: Base64 encoded bash command in filename"
+description: "This rule detects a fileless attack technique where a malicious payload is encoded directly into a filename. This technique, used by threats like VShell. The rule is designed to find these malicious filenames both in direct attachments and within archived files (like .zip, .rar, etc.)."
+authors:
+  - twitter: "vector_sec"
+type: rule
+severity: high
+source: |
   type.inbound
   and length(attachments) > 0
   and any(attachments,
@@ -11,21 +17,19 @@ source: |-
                   and any(beta.scan_base64(.file_name), length(.) > 1)
           )
   )
-type: rule
-name: 'Attachment: Base64 encoded bash command in filename'
-authors:
-  - twitter: "vector_sec"
-description: This rule detects a fileless attack technique where a malicious payload
-  is encoded directly into a filename. This technique, used by threats like VShell.
-  The rule is designed to find these malicious filenames both in direct attachments
-  and within archived files (like .zip, .rar, etc.).
+attack_types:
+  - "Malware/Ransomware"
+tactics_and_techniques:
+  - "Encryption"
+  - "Evasion"
+  - "Suspicious Attachment"
+detection_methods:
+  - "Archive analysis"
+  - "File analysis"
+  - "Content analysis"
+id: "0fb1974d-8fd6-556b-a352-d3c43e1259b1"
 references:
 - https://www.trellix.com/blogs/research/the-silent-fileless-threat-of-vshell/
-tags:
-- Suspicious Attachment
-- Malware
-severity: high
-id: "0fb1974d-8fd6-556b-a352-d3c43e1259b1"
 og_id: "819f69c8-91c2-5261-8c13-d177c46bff66"
 testing_pr: 3113
-testing_sha: 28fb8c0bb5d109505f6176bd07727cf7945163c0
+testing_sha: 5002b3c72a22f9f236c1cbf80a982274dcd80a66