id: bash-scanner

info:
  name: Bash Scanner
  author: ransomsec
  severity: info
  description: Indicator for bash Dangerous Commands – You Should Never Execute on Linux
  reference:
    - https://www.tecmint.com/10-most-dangerous-commands-you-should-never-execute-on-linux/
    - https://phoenixnap.com/kb/dangerous-linux-terminal-commands
  tags: bash,file,shell,sh

file:
  - extensions:
      - sh

    extractors:
      - type: regex
        name: fork-bomb
        regex:
          - ":(){:|:&};:"

      - type: regex
        name: rm command found
        regex:
          - "rm -(f|r)"
          - "rm -(fr|rf)"

      - type: regex
        name: code injection
        regex:
          - "/bin/(sh|bash) -"
          - "eval"
          - "echo -c"
          - "/bin/(sh|bash) -c"
          - "(sh|bash) -"
          - "(sh|bash) -c"

      - type: regex
        name: file manipulation
        regex:
          - "cat /dev/null >"

      - type: regex
        name: unknown filedownload
        regex:
          - '(wget|curl) (https?|ftp|file)://[-A-Za-z0-9\+&@#/%?=~_|!:,.;]*[-A-Za-z0-9\+&@#/%=~_|]\.[-A-Za-z0-9\+&@#/%?=~_|!:,.;]*[-A-Za-z0-9\+&@#/%=~_|]$'
# digest: 4a0a004730450221009d958257bd9ea7aa63ea47fb4e99dde8f10a3c9899c1d9b1af8ae2f2d914d8290220350c7869bfb9bf6e242475bda1bd3bae8410b28d2288c03e6b139552091123f5:922c64590222798bb761d5b6d8e72950