[Rule Tuning] Fix Interactive Terminal Spawned via Perl bypasses #1654
Hello there, I am Youghourta Ghennai from Octodet.
I wanted to share some bypasses for the rule 'Interactive Terminal Spawned via Perl'.
## Problem
This rule is supposed to detect shell spawning via Perl.
The shell spawning could be done by using this command:

```
perl -e 'exec "/bin/sh";'
```
In your old rule you are only detecting the exact command, like this:

```
event.category:process and event.type:(start or process_started) and process.name:perl and process.args:("exec \"/bin/sh\";" or "exec \"/bin/dash\";" or "exec \"/bin/bash\";")
```
Here this could be bypassed by using one of these tricks:

```
perl -e 'exec "/bin/sh"'
perl -e 'exec "/bin/////sh";'
```
and also:

```
perl -e 'exec "/bin/zsh";'
```
And this is what I present as a solution:

```
// `like~` applies the `*` wildcard the pattern relies on; the `regex` operator would read `*` as
// "zero or more of the preceding character" and the pattern would no longer match these command lines.
process where event.type in ("start", "process_started") and process.name : "perl*" and process.args like~ "exec*/*sh*"
```
Thanks for your time.
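As an added example (not part of this PR or of the rule's own code), the old exact-match logic and the proposed wildcard logic are modelled in Python over constructed sample process events taken from the command lines above, alongside the same pattern read literally as an anchored regex; the `perl5.30` process name and the benign `print` one-liner are assumptions added for contrast.

```python
import re
from fnmatch import fnmatchcase

# Constructed sample process-start events modelled on the command lines in
# the PR (not real telemetry): (process.name, process.args).
SAMPLE_EVENTS = [
    ("perl", ["perl", "-e", 'exec "/bin/sh";']),            # form the old rule lists
    ("perl", ["perl", "-e", 'exec "/bin/sh"']),             # bypass: no trailing ';'
    ("perl", ["perl", "-e", 'exec "/bin/////sh";']),        # bypass: repeated slashes
    ("perl", ["perl", "-e", 'exec "/bin/zsh";']),           # bypass: shell not in list
    ("perl5.30", ["perl5.30", "-e", 'exec "/bin/bash";']),  # assumed versioned binary name
    ("perl", ["perl", "-e", 'print "hi\\n";']),             # assumed benign one-liner
]

OLD_EXACT_ARGS = {'exec "/bin/sh";', 'exec "/bin/dash";', 'exec "/bin/bash";'}

def old_rule(name, args):
    """Original KQL: process.name is exactly 'perl' and some argument equals
    one of three literal strings."""
    return name == "perl" and any(a in OLD_EXACT_ARGS for a in args)

def tuned_rule(name, args):
    """Proposed logic read as wildcards (EQL `like` semantics, '*' = any run of
    characters): process.name matches 'perl*' and some arg matches 'exec*/*sh*'."""
    return fnmatchcase(name, "perl*") and any(fnmatchcase(a, "exec*/*sh*") for a in args)

def regex_literal(name, args):
    """The same pattern taken literally as a whole-value regex (Lucene-style
    regexp matching is anchored): '*' means 'zero or more of the preceding
    character', so 'exec*/*sh*' only matches strings such as 'exe/s' or 'exec//sh'."""
    return fnmatchcase(name, "perl*") and any(re.fullmatch(r"exec*/*sh*", a) for a in args)

def evaluate(events=SAMPLE_EVENTS):
    """Map each event's last argument to (old_rule, tuned_rule, regex_literal)."""
    return {args[-1]: (old_rule(n, args), tuned_rule(n, args), regex_literal(n, args))
            for n, args in events}

if __name__ == "__main__":
    for arg, (old, tuned, rx) in evaluate().items():
        print(f"{arg!r:26} old={old!s:5} tuned={tuned!s:5} regex_literal={rx}")
```

Only the first event trips the old rule, every `exec` variant trips the wildcard form, and the literal-regex reading matches nothing, which is why the wildcard operator rather than `regex` is the right fit for this pattern.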