Sublime Core Feed • High Severity

Attachment: Base64 encoded bash command in filename

Description

This rule detects a fileless attack technique in which the malicious payload is not carried in the file contents at all but is encoded directly into the attachment's filename. The technique has been used by threats such as VShell. The rule looks for filenames that contain a `{` together with shell or encoding markers (`echo,`, `base64`, the word `bash`) or a base64-looking run of at least 10 characters, and it applies these checks both to direct attachments and to the files inside archive attachments (.zip, .rar, etc.).

@vector_sec
Created Aug 30th, 2025 • Last updated Sep 5th, 2025
Source
type.inbound
and length(attachments) > 0
and any(attachments,
        (
          .file_type in $file_extensions_common_archives
          or strings.contains(.file_name, "{")
        )
        and any(file.expand_archives(.).files,
                strings.contains(.file_name, "{")
                and (
                  strings.icontains(.file_name, 'echo,')
                  or strings.icontains(.file_name, 'base64')
                  or regex.icontains(.file_name, '\bbash\b')
                  or any(beta.scan_base64(.file_name, ignore_padding=true),
                         length(.) >= 10
                  )
                )
        )
)
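As an added illustration (not Sublime's own code), the following Python mirrors the filename checks in the rule above so a defender can test candidate filenames offline. It assumes archive members have already been flattened into the input list, and it approximates `beta.scan_base64(..., ignore_padding=true)` with a regex for base64-alphabet runs plus a strict decode; the sample filenames are constructed.

```python
import base64
import binascii
import re

# \bbash\b as in the rule (case-insensitive); "bashful" must not match
BASH_RE = re.compile(r"\bbash\b", re.IGNORECASE)
# Candidate base64 runs of >= 10 chars; padding optional (ignore_padding=true)
B64_RUN_RE = re.compile(r"[A-Za-z0-9+/]{10,}={0,2}")


def base64_runs(name: str, min_len: int = 10) -> list[str]:
    """Approximation of beta.scan_base64: substrings that decode cleanly as
    base64 once padding is restored, and are at least min_len chars long."""
    found = []
    for match in B64_RUN_RE.finditer(name):
        run = match.group(0).rstrip("=")
        if len(run) < min_len:
            continue
        try:
            base64.b64decode(run + "=" * (-len(run) % 4), validate=True)
        except (binascii.Error, ValueError):
            continue  # e.g. length % 4 == 1 can never be valid base64
        found.append(run)
    return found


def filename_is_suspicious(name: str) -> bool:
    """Same predicate the rule applies to each (expanded) attachment name."""
    if "{" not in name:
        return False
    lowered = name.lower()
    return (
        "echo," in lowered
        or "base64" in lowered
        or BASH_RE.search(name) is not None
        or len(base64_runs(name)) > 0
    )


def flag_attachments(names: list[str]) -> list[str]:
    """Return the names that would trigger the rule."""
    return [n for n in names if filename_is_suspicious(n)]


# Constructed sample filenames (the base64 run decodes to "hello world")
SAMPLE_FILENAMES = [
    "Q3_invoice.pdf",                       # no brace: ignored
    "{Q3}_invoice.pdf",                     # brace but no markers
    "notes_{echo,aGVsbG8gd29ybGQ=}.txt",    # echo, + base64 run
    "archive{base64}.zip",                  # keyword only
    "{bashful}.txt",                        # word-boundary check holds
]
```

Long alphanumeric runs inside braces (e.g. a 12-character ticket id) are the main false-positive source of the base64 check, so review hits on that branch rather than the keyword branches first.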