Identify shebang files via Threat Hunting (+ KQL Queries)

I was investigating some AI-related stuff and came across Shebang files. At first, this completely unknown word reminded me of my younger days partying and dancing to “She Bangs” by Ricky Martin. Before opening YouTube and embarrassing myself by trying to dance it again, I thought it might be a better idea to investigate what it actually means (although I still promise a video of me dancing the song someday… perhaps after a few beers).
Shebangs (#!) are native to Unix-like operating systems (macOS and Linux). Standard Windows consoles (Command Prompt and PowerShell) do not natively use them. However, they do work on Windows when using tools such as the Python Launcher, Git Bash, Cygwin, or Unix-like environments such as WSL.
In simple terms, a Shebang tells the operating system which interpreter should execute a script. For example:
#!/usr/bin/python3
means that the script should be executed using Python 3.
For defenders, this becomes interesting because many malicious scripts delivered through phishing campaigns, downloads, or cloud storage rely on interpreters such as Python, Bash, Perl, Ruby, or NodeJS. Therefore, several detections can be built around the Shebang file type.
— Detect Shebang File Types received via Email
The first thing that came to my mind was to hunt for cases where these kinds of files were received via email, and yes, I quickly found a few Python and ECM-related examples.
// Shebang files seen on devices, keyed by SHA256 so they can be matched to email attachments
let ShebangFiles = DeviceFileEvents
| extend AF = parse_json(AdditionalFields)
| where tostring(AF.FileType) == "Shebang" and isnotempty(SHA256)
| project FileTimestamp=Timestamp, DeviceId, DeviceName, FileName, FolderPath, SHA256, FileActionType=ActionType, FileInitiatingProcess=InitiatingProcessFileName, FileInitiatingCommandLine=InitiatingProcessCommandLine, FileType=tostring(AF.FileType);
ShebangFiles
| join kind=inner EmailAttachmentInfo on $left.SHA256 == $right.SHA256
— Detect Shebang code inside Device Files
For this one, I would recommend performing some threat hunting first and creating a whitelist for known false positives or trusted devices (for example, devices managed by developers). Once the detection is properly tuned, it can be a good way to monitor the download or import of Shebang files on suspicious directories, making it a strong candidate for a threat detection rule.
DeviceFileEvents
| extend AF = parse_json(AdditionalFields)
| where tostring(AF.FileType) == "Shebang"
// verbatim (@"...") literals so the backslashes in the Windows paths are not treated as escape characters
| where FolderPath has_any (@"\Downloads\", @"\AppData\Local\Temp\", "/tmp/", "/var/tmp/", "/Users/Shared/", "/Downloads/")
| project Timestamp, DeviceName, DeviceId, ActionType, FileName, FolderPath, SHA256, InitiatingProcessFileName, InitiatingProcessCommandLine, ReportId
— Detect Shebang code inside files with unusual extensions
Scripts with an innocuous extension may not look dangerous, but they are still executable files. In environments with macOS, Linux, WSL, Git Bash or the Python Launcher, this query can help to identify scripts that were renamed to hide their real purpose.
DeviceFileEvents
| extend AF = parse_json(AdditionalFields)
| where tostring(AF.FileType) == "Shebang"
| where FileName has_any (".txt", ".log", ".dat", ".tmp", ".conf", ".jpg", ".png", ".pdf")
| project Timestamp, DeviceName, ActionType, FileName, FolderPath, SHA256, InitiatingProcessFileName, InitiatingProcessCommandLine
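To make the two device-file queries above and the earlier "#!/usr/bin/python3" explanation concrete, here is an added Python example (not code from the article, and not how Defender itself derives the "Shebang" file type) that performs the same classification on raw file bytes: it recognises a shebang line, extracts the interpreter (including the "#!/usr/bin/env name" form and CRLF line endings, which goes a little beyond the article), and flags files that sit in one of the suspicious directories or carry a non-script extension. The SCRIPT_EXTENSIONS set, the SUSPICIOUS_DIRS tuple and the SAMPLE_EVENTS list are assumptions constructed for the example.

```python
import os
from typing import List, NamedTuple, Optional, Tuple

# Extensions that normally carry interpreter scripts. A shebang inside a file
# with any other (non-empty) extension is an "unusual extension" in the sense
# of the third query. This list is an assumption chosen for the example.
SCRIPT_EXTENSIONS = {".sh", ".bash", ".zsh", ".ksh", ".py", ".pl", ".rb", ".js"}

# Drop locations the second query treats as suspicious, written with forward
# slashes; Windows paths are normalised before matching.
SUSPICIOUS_DIRS = ("/Downloads/", "/AppData/Local/Temp/", "/tmp/", "/var/tmp/", "/Users/Shared/")


class ShebangInfo(NamedTuple):
    has_shebang: bool
    interpreter_path: Optional[str]   # first word after "#!", e.g. "/usr/bin/env"
    interpreter: Optional[str]        # interpreter actually invoked, e.g. "python3"
    unusual_extension: bool
    suspicious_location: bool


def parse_shebang(data: bytes) -> Optional[Tuple[str, str]]:
    """Return (interpreter_path, interpreter_name) if the file starts with '#!'.

    The kernel only honours a shebang when '#!' are the very first two bytes,
    so a leading BOM or whitespace means the file is not a shebang script.
    CRLF line endings and the '#!/usr/bin/env [-S] name' form are handled.
    """
    if not data.startswith(b"#!"):
        return None
    first_line = data.split(b"\n", 1)[0].rstrip(b"\r").decode("utf-8", "replace")
    parts = first_line[2:].split()
    if not parts:
        return None
    path = parts[0]
    name = os.path.basename(path)
    if name == "env":
        # '#!/usr/bin/env python3' or '#!/usr/bin/env -S node --flag':
        # the real interpreter is the first word that is not an env option.
        candidates = [p for p in parts[1:] if not p.startswith("-")]
        if candidates:
            name = os.path.basename(candidates[0])
    return path, name


def classify(folder_path: str, file_name: str, data: bytes) -> ShebangInfo:
    """Apply the same checks as the KQL queries to one file event."""
    parsed = parse_shebang(data)
    if parsed is None:
        return ShebangInfo(False, None, None, False, False)
    path, name = parsed
    ext = os.path.splitext(file_name)[1].lower()
    # Extensionless files are common for Unix scripts, so only a present,
    # non-script extension counts as unusual.
    unusual = ext != "" and ext not in SCRIPT_EXTENSIONS
    normalised = folder_path.replace("\\", "/")
    if not normalised.endswith("/"):
        normalised += "/"
    suspicious = any(d.lower() in normalised.lower() for d in SUSPICIOUS_DIRS)
    return ShebangInfo(True, path, name, unusual, suspicious)


# Constructed sample "file events": (FolderPath, FileName, first bytes of the file).
SAMPLE_EVENTS = [
    ("/home/alice/Downloads/", "invoice.pdf", b"#!/usr/bin/env python3\nimport os\n"),
    ("/opt/tools/", "deploy.sh", b"#!/bin/bash\nset -e\n"),
    ("C:\\Users\\bob\\AppData\\Local\\Temp\\", "notes.txt", b"#!/usr/bin/perl -w\r\nprint 1;\r\n"),
    ("/home/alice/Pictures/", "photo.jpg", b"\xff\xd8\xff\xe0JFIF"),
    ("/var/tmp/", "run", b"#! /usr/bin/env -S node --no-warnings\n"),
]


def flagged_events(events=SAMPLE_EVENTS) -> List[Tuple[str, str, ShebangInfo]]:
    """Return the events a hunter would look at: shebang files that are either
    in a suspicious directory or hiding behind a non-script extension."""
    out = []
    for folder, name, data in events:
        info = classify(folder, name, data)
        if info.has_shebang and (info.unusual_extension or info.suspicious_location):
            out.append((folder, name, info))
    return out


if __name__ == "__main__":
    for folder, name, info in flagged_events():
        print(f"{folder}{name}: interpreter={info.interpreter} "
              f"unusual_ext={info.unusual_extension} suspicious_dir={info.suspicious_location}")
```

One difference from the third KQL query is worth knowing when tuning it: has_any works on terms, so FileName has_any (".txt") also matches a name such as report.txt.py, whereas the example above only looks at the final extension. If that produces noise, endswith-style checks on FileName are the stricter alternative.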
Conclusion
Not the longest article, and perhaps not the most exciting one. However, these are exactly the kind of small pills of knowledge that I enjoy finding while threat hunting.
The funny thing is that this field has probably been sitting there in Defender for quite some time, patiently waiting for me to notice it. Meanwhile, I was busy hunting malware, phishing campaigns, suspicious PowerShell commands, and apparently reminiscing about Ricky Martin songs.
At least now, when somebody mentions Shebang, I will think about Unix interpreters before I think about dancing.
Well… probably.
Identify shebang files via Threat Hunting (+ KQL Queries) was originally published in Detect FYI on Medium, where people are continuing the conversation by highlighting and responding to this story.
Article Link: https://detect.fyi/identify-shebang-files-via-threat-hunting-kql-queries-45fa739571ad?source=rss----d5fd8f494f6a---4