Adversaries may execute scripts from suspicious directories to evade detection or establish persistence. SOC teams should proactively hunt for this behavior in Azure Sentinel to identify potential compromise and mitigate lateral movement risks.
Detection Rule
title: Execution Of Script Located In Potentially Suspicious Directory
id: 30bcce26-51c5-49f2-99c8-7b59e3af36c7
status: test
description: Detects executions of scripts located in potentially suspicious locations such as "/tmp" via a shell such as "bash", "sh", etc.
references:
    - https://blogs.jpcert.or.jp/en/2023/05/gobrat.html
    - https://jstnk9.github.io/jstnk9/research/GobRAT-Malware/
    - https://www.virustotal.com/gui/file/60bcd645450e4c846238cf0e7226dc40c84c96eba99f6b2cffcd0ab4a391c8b3/detection
    - https://www.virustotal.com/gui/file/3e44c807a25a56f4068b5b8186eee5002eed6f26d665a8b791c472ad154585d1/detection
author: Joseliyo Sanchez, @Joseliyo_Jstnk
date: 2023-06-02
tags:
    - attack.execution
logsource:
    product: linux
    category: process_creation
detection:
    selection_img:
        Image|endswith:
            - '/bash'
            - '/csh'
            - '/dash'
            - '/fish'
            - '/ksh'
            - '/sh'
            - '/zsh'
    selection_flag:
        CommandLine|contains: ' -c '
    selection_paths:
        # Note: Add more suspicious paths
        CommandLine|contains: '/tmp/'
    condition: all of selection_*
falsepositives:
    - Unknown
level: medium
imProcessCreate
| where (TargetProcessName endswith "/bash" or TargetProcessName endswith "/csh" or TargetProcessName endswith "/dash" or TargetProcessName endswith "/fish" or TargetProcessName endswith "/ksh" or TargetProcessName endswith "/sh" or TargetProcessName endswith "/zsh")
    and TargetProcessCommandLine contains " -c "
    and TargetProcessCommandLine contains "/tmp/"
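As an added example (not code from the rule or the original page), the three selections above rewritten in Python and run over a handful of constructed Linux process-creation events, so an analyst can check offline which command lines the "all of selection_*" condition catches and which slip past it. The event shape and the sample command lines are assumptions.

```python
from dataclasses import dataclass

# Shell binaries from selection_img; matched against the end of the image path.
SHELL_SUFFIXES = ("/bash", "/csh", "/dash", "/fish", "/ksh", "/sh", "/zsh")
# Paths from selection_paths; the rule's own note says to extend this list.
SUSPICIOUS_PATHS = ("/tmp/",)


@dataclass
class ProcessEvent:
    """Minimal stand-in for a process_creation record (assumed field names)."""
    image: str
    command_line: str


def matches_rule(ev: ProcessEvent) -> bool:
    """Mirror the Sigma condition 'all of selection_*'."""
    img_ok = ev.image.endswith(SHELL_SUFFIXES)          # selection_img
    flag_ok = " -c " in ev.command_line                   # selection_flag
    path_ok = any(p in ev.command_line for p in SUSPICIOUS_PATHS)  # selection_paths
    return img_ok and flag_ok and path_ok


def run_detection(events):
    """Return the events that would raise an alert under the rule."""
    return [ev for ev in events if matches_rule(ev)]


# Constructed sample events (not taken from any real log).
SAMPLE_EVENTS = [
    ProcessEvent("/bin/sh", "sh -c /tmp/.x/update.sh"),            # shell, -c, /tmp/ -> alert
    ProcessEvent("/usr/bin/bash", "bash -c 'cd /tmp/ && ./run'"),  # alert
    ProcessEvent("/bin/bash", "bash /tmp/setup.sh"),               # no ' -c ' -> missed
    ProcessEvent("/usr/bin/python3", "python3 -c 'import os'"),    # not a shell -> no alert
    ProcessEvent("/bin/dash", "dash -c /opt/app/start.sh"),        # path not /tmp/ -> no alert
]

if __name__ == "__main__":
    for hit in run_detection(SAMPLE_EVENTS):
        print("ALERT:", hit.image, hit.command_line)
```

The third sample shows the coverage gap the "-c" requirement leaves: a script passed directly as the shell's argument is not caught, which is why the rule pairs with other process-creation logic rather than standing alone.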
Scenario: Scheduled System Maintenance Script
Description: A legitimate system maintenance script (e.g., schtasks.exe or Task Scheduler) is executed from a directory like C:\Windows\System32\ or C:\Program Files\.
Filter/Exclusion: Exclude processes originating from known system directories (e.g., C:\Windows\, C:\Program Files\, C:\Program Files (x86)\) using a process command line or image path filter.
Scenario: Admin PowerShell Script for Patching
Description: An administrator runs a PowerShell script (e.g., PowerShell.exe) from a directory like C:\Temp\ or C:\Scripts\ to apply patches or configure systems.
Filter/Exclusion: Exclude processes with the PowerShell.exe image path that are initiated by a user with administrative privileges and have a command line containing known patching or configuration tools (e.g., Update-Package, Install-Module).
Scenario: Database Backup Job Execution
Description: A database backup job (e.g., sqlcmd.exe, mysqldump.exe, or pg_dump.exe) is executed from a script directory (e.g., C:\Backup\Scripts\).
Filter/Exclusion: Exclude processes that match known backup tools and are initiated by a service account or scheduled task associated with the database server.
Scenario: User-Initiated Script for Reporting
Description: A user runs a script (e.g., python.exe, node.exe, or ruby.exe) from a personal script directory (e.g., C:\Users\JohnDoe\Documents\Scripts\) to generate a report.
Filter/Exclusion: Exclude processes initiated by users with a known script directory in their home folder, using