Potential Reverse Shell

edit

This detection rule identifies suspicious network traffic patterns associated with TCP reverse shell activity. This activity consists of a parent-child relationship where a network event is followed by the creation of a shell process. An attacker may establish a Linux TCP reverse shell to gain remote access to a target system.

Rule type: eql

Rule indices:

  • logs-endpoint.events.*

Severity: medium

Risk score: 47

Runs every: 5m

Searches indices from: now-9m (Date Math format, see also Additional look-back time)

Maximum alerts per execution: 100

References:

Tags:

  • Domain: Endpoint
  • OS: Linux
  • Use Case: Threat Detection
  • Tactic: Execution
  • Data Source: Elastic Defend

Version: 5

Rule authors:

  • Elastic

Rule license: Elastic License v2

Rule query

edit
sequence by host.id with maxspan=1s
  [network where host.os.type == "linux" and event.type == "start" and event.action in ("connection_attempted", "connection_accepted") and
   process.name : ("bash", "dash", "sh", "tcsh", "csh", "zsh", "ksh", "fish", "socat") and
   destination.ip != null and destination.ip != "127.0.0.1" and destination.ip != "::1"] by process.entity_id
  [process where host.os.type == "linux" and event.type == "start" and event.action in ("exec", "fork") and
   process.name in ("bash", "dash", "sh", "tcsh", "csh", "zsh", "ksh", "fish") and
   process.parent.name in ("bash", "dash", "sh", "tcsh", "csh", "zsh", "ksh", "fish", "socat") and not
   process.args : "*imunify360-agent*"] by process.parent.entity_id

Framework: MITRE ATT&CKTM