Reverse Shell Created via Named Pipe

edit

Identifies a reverse shell via the abuse of named pipes on Linux with the help of OpenSSL or Netcat. First in, first out (FIFO) files are special files for reading and writing to by Linux processes. For this to work, a named pipe is created and passed to a Linux shell where the use of a network connection tool such as Netcat or OpenSSL has been established. The stdout and stderr are captured in the named pipe from the network connection and passed back to the shell for execution.

Rule type: eql

Rule indices:

  • auditbeat-*
  • logs-endpoint.events.*

Severity: medium

Risk score: 47

Runs every: 5 minutes

Searches indices from: now-9m (Date Math format, see also Additional look-back time)

Maximum alerts per execution: 100

References:

Tags:

  • Elastic
  • Host
  • Linux
  • Threat Detection
  • Execution
  • Investigation Guide

Version: 1

Added (Elastic Stack release): 8.6.0

Rule authors: Elastic

Rule license: Elastic License v2

Potential false positives

edit

Netcat and OpenSSL are common tools used for establishing network connections and creating encryption keys. While they are popular, capturing the stdout and stderr in a named pipe pointed to a shell is anomalous.

Rule query

edit
sequence by host.id with maxspan = 5s [process where event.type ==
"start" and process.executable : ("/usr/bin/mkfifo","/usr/bin/mknod")
and process.args:("/tmp/*","$*")] [process where
process.executable : ("/bin/sh","/bin/bash") and process.args:("-i")
or (process.executable: ("/usr/bin/openssl") and process.args:
("-connect"))] [process where (process.name:("nc","ncat","netcat",
"netcat.openbsd","netcat.traditional") or
(process.name: "openssl" and process.executable: "/usr/bin/openssl"))]

Threat mapping

edit

Framework: MITRE ATT&CKTM