Suspicious Filename with Embedded Base64 Commands

Original Source: [Sigma source]
Title: Suspicious Filename with Embedded Base64 Commands
Status: experimental
Description: Detects files with specially crafted filenames that embed Base64-encoded bash payloads designed to execute when processed by shell scripts. These filenames exploit shell interpretation quirks to trigger hidden commands, a technique observed in VShell malware campaigns.
References:
  - https://www.trellix.com/blogs/research/the-silent-fileless-threat-of-vshell/
Author: @kostastsale
Date: 2025-11-22
Modified: None
Tags:
  - attack.execution
  - attack.t1059.004
  - attack.defense-evasion
  - attack.t1027
Logsource:
  • product: linux
  • category: file_event
Detection:
  selection:
    TargetFilename|contains:
      - '{echo'
      - '{base64,-d}'

  condition: selection
Falsepositives:
  - Legitimate files with similar naming patterns (very unlikely).
Level: high
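An added example, not part of the Sigma rule or the Trellix write-up: a Python implementation of this rule's selection logic run over constructed Linux file-event records. The `TargetFilename` field name comes from the rule; the dictionary-shaped events and the sample filenames are assumptions, with the Base64 of the word "hello" standing in for any payload.

```python
from typing import Iterable

# Substrings from the rule's TargetFilename|contains list. A Sigma `contains`
# list is OR'd, and Sigma string matching is case-insensitive by default, so
# the comparison below is done on the lowercased filename.
FILENAME_PATTERNS = ("{echo", "{base64,-d}")


def matches_rule(event: dict) -> bool:
    """Return True when a file_event record satisfies the rule's selection."""
    target = event.get("TargetFilename", "")
    if not isinstance(target, str):
        return False
    lowered = target.lower()
    return any(pattern in lowered for pattern in FILENAME_PATTERNS)


def scan_events(events: Iterable[dict]) -> list[str]:
    """Return the TargetFilename of every event that triggers the rule."""
    return [e["TargetFilename"] for e in events if matches_rule(e)]


# Constructed sample events (not real telemetry). The second entry carries the
# brace-expansion spelling the rule looks for, with "aGVsbG8=" ("hello") as a
# harmless stand-in payload; the third shows why case-insensitivity matters;
# the last is a benign name that merely mentions base64.
SAMPLE_EVENTS = [
    {"product": "linux", "category": "file_event",
     "TargetFilename": "/tmp/upload/report_2025.pdf"},
    {"product": "linux", "category": "file_event",
     "TargetFilename": "/tmp/upload/x;{echo,aGVsbG8=}|{base64,-d}"},
    {"product": "linux", "category": "file_event",
     "TargetFilename": "/var/data/{BASE64,-D}_test"},
    {"product": "linux", "category": "file_event",
     "TargetFilename": "/home/user/base64-decoder-notes.txt"},
]

if __name__ == "__main__":
    for name in scan_events(SAMPLE_EVENTS):
        print("ALERT Suspicious Filename with Embedded Base64 Commands:", name)
```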