SurfBuyer is macOS adware whose installer uses a shell script to base64-decode a downloaded payload into a file under /tmp before running it. The hunting query on this page searches DeviceProcessEvents in Azure Sentinel for that decoding step, so SOC teams can catch the campaign while it is still staging its payload, before the adware installs its browser extension and gains persistence.
KQL Query
```kql
// Find SurfBuyer command to decode a file and save it into a /tmp folder using a certain file name
DeviceProcessEvents
// Check for activity over the past 7 days
| where Timestamp > ago(7d)
| where ProcessCommandLine has "base64" and ProcessCommandLine has "/tmp/e_"
```
```yaml
id: 1f60df62-6551-48f6-8e65-64f61ff43def
name: locate-surfbuyer-downloader-decoding-activity
description: |
  This query was originally published in the threat analytics report, OSX/SurfBuyer adware campaign.
  It will return results if a shell script has furtively attempted to decode and save a file to a /tmp folder.
  If discovered on your system, this kind of activity might be associated with SurfBuyer, which is adware that installs a browser extension to take control of several major web browsers, including Safari, Google Chrome, and Firefox.
requiredDataConnectors:
  - connectorId: MicrosoftThreatProtection
    dataTypes:
      - DeviceProcessEvents
tactics:
  - Execution
query: |
  // Find SurfBuyer command to decode a file and save it into a /tmp folder using a certain file name
  DeviceProcessEvents
  // Check for activity over the past 7 days
  | where Timestamp > ago(7d)
  | where ProcessCommandLine has "base64" and ProcessCommandLine has "/tmp/e_"
```
| Sentinel Table | Notes |
|---|---|
| DeviceProcessEvents | Ensure the Microsoft Threat Protection (MicrosoftThreatProtection) data connector is enabled |
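One way to take the published query from a bare indicator match to a triage-ready hunt, as an added example that is not part of the original page or of Microsoft's query: it keeps the same two-token match, adds process lineage and account context, drops hits whose parent is an allowlisted package manager or configuration tool (the false-positive scenarios in the next section), and summarizes per device and account so a campaign shows up as a cluster rather than one row per decoded file. The `benign_parents` list is an assumption for illustration and must be tuned against your own baseline.

```kql
// Added example, not the published hunting query: extends the SurfBuyer
// indicator match with process context and false-positive exclusions.
let lookback = 7d;
// ASSUMPTION: parent-process allowlist for package managers and configuration
// tools (see the false-positive scenarios). Keep it short and verify each entry
// against your own data; a broad allowlist is a blind spot an installer can hide behind.
let benign_parents = dynamic(["brew", "apt", "apt-get", "dnf", "yum",
                              "ansible", "puppet", "chef-client", "logrotate"]);
DeviceProcessEvents
| where Timestamp > ago(lookback)
// Same indicator as the published query: a command line that both invokes
// base64 and references a file name starting with /tmp/e_
| where ProcessCommandLine has "base64" and ProcessCommandLine has "/tmp/e_"
// Drop hits spawned directly by an allowlisted tool (case-insensitive match)
| where not(InitiatingProcessFileName in~ (benign_parents))
// Triage context: who ran it, from which parent, and the full decode command
| project Timestamp, DeviceName, AccountName, FileName, ProcessCommandLine,
          InitiatingProcessFileName, InitiatingProcessCommandLine,
          InitiatingProcessParentFileName
// One row per device/account/parent, so a campaign clusters instead of
// producing one alert per decoded file; keep up to 10 distinct command lines
| summarize HitCount = count(),
            FirstSeen = min(Timestamp), LastSeen = max(Timestamp),
            DecodeCommands = make_set(ProcessCommandLine, 10)
          by DeviceName, AccountName, InitiatingProcessFileName
| order by HitCount desc, LastSeen desc
```

Two points when running this. First, `has` is a term match rather than a substring match, so before trusting a quiet result confirm on a known sample row that `has "/tmp/e_"` matches the exact command-line shape you expect from the installer. Second, the parent-process exclusion is applied before the summarize, so a device whose only hits came from an allowlisted parent disappears entirely; if you want to review those rather than discard them, move the exclusion into a flag column (for example `AllowlistedParent = InitiatingProcessFileName in~ (benign_parents)`) and sort on it instead.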
The query fires only when a single process command line contains both the token "base64" and the path fragment "/tmp/e_"; a tool that merely writes to /tmp without that command-line shape does not match. The scenarios below cover legitimate activity that can still produce hits and how to filter it. Because DeviceProcessEvents covers Linux as well as macOS devices while SurfBuyer targets macOS, several of the tools named are Linux-only; check the device platform as part of triage.
Scenario: System update or package installation
Description: A package manager or system update tool (brew on macOS; apt, yum, dnf on Linux) may run a helper that decodes a file into /tmp during installation or configuration.
Filter/Exclusion: Check the parent process (InitiatingProcessFileName) and its command line for the package manager, and exclude hits whose process tree starts at it.
Scenario: Scheduled backup or log rotation job
Description: A scheduled job (cron or systemd on Linux, launchd on macOS) may decode or stage files in /tmp as part of a backup or log rotation task.
Filter/Exclusion: Filter for known backup and rotation tools (rsync, tar, logrotate) in the command line, or for the scheduler as the parent in the process context.
Scenario: Temporary file creation by a legitimate application
Description: Applications such as ffmpeg, unzip, gzip or tar create temporary files in /tmp while processing. They only match this query when the launching command line itself contains "base64" and "/tmp/e_", for example a wrapper script that decodes an archive into /tmp before extracting it.
Filter/Exclusion: Exclude hits whose process or parent is one of these utilities, after confirming that the decoded file name follows the utility's own naming scheme rather than the /tmp/e_ prefix the query looks for.
Scenario: Admin task involving script execution
Description: An administrator may run a bash, sh or python script that decodes a file into /tmp as part of a maintenance task.
Filter/Exclusion: Correlate with known administrative tooling (ansible, puppet, chef) in the process tree and with the administrator's change records. Do not exclude root or admin accounts on their own: the decoding step looks the same whether an administrator or an installer running with the same privileges performed it, so confirm the script's origin rather than the account.
Scenario: Debugging or profiling activity
Description: A developer or sysadmin may use tools like strace, ltrace, or