Potential Reverse Shell

Elastic Detection Rules

Summary
This detection rule, 'Potential Reverse Shell', identifies network traffic patterns indicative of TCP reverse shell activity on Linux systems: a network event (a connection being initiated or accepted) followed shortly by the spawning of a shell process. Attackers use TCP reverse shells to obtain remote, interactive access to a compromised host. The rule is written in Event Query Language (EQL) as a sequence of two events. The first stage is a network connection made or accepted by a process associated with a common shell executable (e.g., bash, socat); the second stage is a subsequent shell process started with interactive flags. The first stage also requires that the destination IP address fall outside the local network ranges, so a reverse shell that calls back to an address inside those ranges is out of scope for this rule. A match is a strong indicator of compromise and should be investigated promptly.
Categories
  • Endpoint
  • Linux
  • Other
Data Sources
  • Network Traffic
  • Process
  • Application Log
  • File
ATT&CK Techniques
  • T1059 (Command and Scripting Interpreter)
  • T1059.004 (Unix Shell)
  • T1071 (Application Layer Protocol)
Created: 2023-07-04