Create attachment_base64_encoded_bash_command_in_filename.yml

detection-rules/attachment_base64_encoded_bash_command_in_filename.yml

@@ -0,0 +1,39 @@
+name: "Attachment: Base64 encoded bash command in filename"
+description: "This rule detects a fileless attack technique where a malicious payload is encoded directly into a filename. This technique is used by threats like VShell. The rule is designed to find these malicious filenames both in direct attachments and within archived files (like .zip, .rar, etc.)."
+authors:
+  - twitter: "vector_sec"
+type: rule
+severity: high
+source: |
+  type.inbound
+  and length(attachments) > 0
+  and any(attachments,
+          (
+            .file_type in $file_extensions_common_archives
+            or strings.contains(.file_name, "{")
+          )
+          and any(beta.expand_archives(.).files,
+                  strings.contains(.file_name, "{")
+                  and (
+                    strings.icontains(.file_name, 'echo,')
+                    or strings.icontains(.file_name, 'base64')
+                    or regex.icontains(.file_name, '\bbash\b')
+                    or any(beta.scan_base64(.file_name, ignore_padding=true),
+                           length(.) >= 10
+                    )
+                  )
+          )
+  )
+attack_types:
+  - "Malware/Ransomware"
+tactics_and_techniques:
+  - "Encryption"
+  - "Evasion"
+  - "Suspicious Attachment"
+detection_methods:
+  - "Archive analysis"
+  - "File analysis"
+  - "Content analysis"
+id: "819f69c8-91c2-5261-8c13-d177c46bff66"
+references:
+- https://www.trellix.com/blogs/research/the-silent-fileless-threat-of-vshell/