CrowdStrike / detection-container

https://quay.io/repository/crowdstrike/detection-container
The Unlicense

Shebang Missing Exclamation Point In Several Scripts #23

Closed djstachniak closed 2 years ago

djstachniak commented 2 years ago

Hi - the exclamation point in the shebang at the beginning of several scripts in /home/eval/bin is missing. I.e., it's got:

#/bin/sh

instead of:

#!/bin/sh

For example:

[root@042de7ce500f bin]# pwd
/home/eval/bin
[root@042de7ce500f bin]# head -n 1 *sh
==> Collection_via_Automated_Collection.sh <==
#!/bin/sh

==> Command_Control_via_Remote_Access-obfuscated.sh <==
#/bin/sh

==> Command_Control_via_Remote_Access.sh <==
#/bin/sh

==> ContainerDrift_Via_File_Creation_and_Execution.sh <==
#!/bin/sh

==> Credential_Access_via_Credential_Dumping.sh <==
#/bin/sh

==> Defense_Evasion_via_Masquerading.sh <==
#/bin/sh

==> Defense_Evasion_via_Rootkit.sh <==
#/bin/sh

==> Execution_via_Command-Line_Interface.sh <==
#/bin/sh

==> Exfiltration_via_Exfiltration_Over_Alternative_Protocol.sh <==
#! /bin/bash

==> Persistence_via_External_Remote_Services.sh <==
#/bin/sh

==> Reverse_Shell_Trojan.sh <==
#/bin/sh

==> Webserver_Bash_Reverse_Shell.sh <==
#/bin/sh

==> Webserver_Suspicious_Terminal_Spawn.sh <==
#/bin/sh

==> Webserver_Unexpected_Child_of_Web_Service.sh <==
#/bin/sh

Could you please update them so they'll run correctly? Thanks!
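The difference between the lines above is that `#!/bin/sh` is an interpreter directive read by the kernel, while `#/bin/sh` is an ordinary comment: execve(2) on such a file returns ENOEXEC, which an interactive bash or sh quietly masks by re-running the file as a shell script, but which a direct execve caller (Go os/exec, Python subprocess without shell=True) reports as "Exec format error". The script below is an added example, not code from the detection-container project or from the reporter: it audits a directory for first lines that look like a shebang but lack the "!" (accepting the legal "#! /bin/bash" spacing seen above) and repairs the flagged files in place without losing their executable bit. The sample files it creates under a temporary directory are constructed for the demonstration; it assumes `head -c` and `tail -c` are available, as they are on GNU, BSD and busybox userlands.

```shell
#!/bin/sh
# Added example, not code from the detection-container project: audit a
# directory of *.sh files for a first line that looks like a shebang but
# lacks the "!" (e.g. "#/bin/sh", which the kernel treats as a plain
# comment) and repair the flagged files in place, keeping their mode bits.
set -eu

# Build a constructed sample directory with the three first-line variants
# seen in the report: a correct shebang, a missing "!", and "#! /bin/bash"
# (the space after "#!" is legal and must not be flagged).
make_samples() {
  dir=$(mktemp -d)
  printf '#!/bin/sh\necho good\n'  > "$dir/good.sh"
  printf '#/bin/sh\necho broken\n' > "$dir/broken.sh"
  printf '#! /bin/bash\necho ok\n' > "$dir/spaced.sh"
  chmod 755 "$dir"/*.sh
  printf '%s\n' "$dir"
}

# True when the first two bytes are "#!", i.e. execve(2) will hand the file
# to an interpreter. Any other non-ELF content yields ENOEXEC, which a shell
# masks by re-running the file itself but a direct execve caller reports
# as "Exec format error".
has_shebang() {
  [ "$(head -c 2 "$1")" = '#!' ]
}

# Print, one per line, every *.sh in the directory whose first line starts
# with "#" but is not a real shebang.
find_bad_shebangs() {
  for f in "$1"/*.sh; do
    [ -f "$f" ] || continue
    if ! has_shebang "$f" && [ "$(head -c 1 "$f")" = '#' ]; then
      printf '%s\n' "$f"
    fi
  done
}

# Insert the missing "!" after the leading "#" of each flagged file. The
# rewritten content is copied back with cat so the inode, owner and
# executable bit of the original file survive (mv of a fresh temp file
# would replace them with the temp file's own permissions).
fix_bad_shebangs() {
  find_bad_shebangs "$1" | while IFS= read -r f; do
    tmp=$(mktemp)
    { printf '#!'; tail -c +2 "$f"; } > "$tmp"
    cat "$tmp" > "$f"
    rm -f "$tmp"
  done
}

# Stand-alone run: report, fix, report again (the second report is empty).
samples=$(make_samples)
echo "before:"; find_bad_shebangs "$samples"
fix_bad_shebangs "$samples"
echo "after:";  find_bad_shebangs "$samples"
rm -rf "$samples"
```

Pointing `find_bad_shebangs` at `/home/eval/bin` inside the container reproduces the list from the `head -n 1 *sh` output above; only `broken.sh`-style files are flagged, so the `#! /bin/bash` variant is left alone.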

djstachniak commented 2 years ago

bin/metasploit/Webserver_Trigger_Metasploit_Payload.sh is missing it as well.

djstachniak commented 2 years ago

Looking into this a little further, I assumed that was the problem (why certain scripts don't seem to be running and triggering detections), but testing a little further, I'm not sure now. Trying to reverse engineer all of this to figure out what's going on. TBD

shawndwells commented 2 years ago

@djstachniak which scripts aren't causing detections?