Potential Ruby Reverse Shell

Sigma Rules

Summary
This detection rule identifies potentially malicious activity associated with Ruby invocations that may indicate an attempt to establish a reverse shell. Specifically, it targets cases where Ruby is invoked with the `-e` flag, which executes Ruby code passed directly on the command line. The presence of socket-related functions, specifically `TCPSocket`, in the command-line arguments further suggests an intention to open a network connection back to a remote system. In addition to these Ruby indicators, the rule looks for common shell names in the same command line, since shell execution and process spawning on a Unix-like host are typical of such attack scenarios. Given the nature of reverse shells, this detection supports early identification of unauthorized access attempts. The inclusion of several shell types reflects the variety of execution environments an attacker might use to establish connectivity. The rule is therefore crucial for monitoring Ruby executions that may correlate with this form of attack.
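As an added illustration of the conditions the summary describes (this is example code written for this page, not the rule's own Sigma source, which the page does not reproduce), the following Python applies the same logic to constructed process-creation events: the image is a Ruby interpreter, the options include `-e`, the command line mentions `TCPSocket`, and it names a common shell. The concrete shell list, the `Image`/`CommandLine` field names, and the sample command lines are all assumptions made for the example; the one sample that has the reverse-shell shape carries only the tokens the rule keys on, with the payload body elided.

```python
import re
import shlex

# Shell binaries to look for. The page only says "common shell names", so this
# concrete list is an assumption made for the example.
SHELL_NAMES = ("sh", "bash", "zsh", "dash", "ksh", "csh", "tcsh", "fish")

# A shell name counts only as a whole word or as the last component of a path:
# "/bin/sh" and "bash" match, "sha256" and "deploy.sh" do not. A Sigma
# CommandLine|contains match would be broader (and noisier); this is a design choice.
SHELL_RE = re.compile(
    r"(?<![\w.-])(?:/[\w./-]*/)?(?:" + "|".join(SHELL_NAMES) + r")(?![\w.-])"
)

# Interpreter image: ruby, ruby3.2, /usr/bin/ruby, ...
RUBY_IMAGE_RE = re.compile(r"(?:^|/)ruby[\d.]*$")

# Ruby short options that carry a value, either attached ("-rsocket") or as the
# next token ("-r socket"). Inside a cluster, letters after such an option are
# its value, so "-rdate" is not an -e.
OPTS_WITH_VALUE = set("CEFIKrTWx0")
OPTS_WITH_SEPARATE_VALUE = set("CEFIr")


def split_command_line(cmd):
    """Tokenise like a POSIX shell; fall back to whitespace splitting on unbalanced quotes."""
    try:
        return shlex.split(cmd)
    except ValueError:
        return cmd.split()


def has_ruby_eval_flag(argv):
    """True when Ruby is given code on the command line via -e (alone or clustered, e.g. -ne)."""
    i = 1
    while i < len(argv):
        arg = argv[i]
        i += 1
        if arg.startswith("--"):
            if arg == "--":
                break                 # end of options
            continue                  # long options such as --disable=gems carry no code
        if not arg.startswith("-") or arg == "-":
            break                     # first non-option is the script file; the rest is its argv
        for letter in arg[1:]:
            if letter == "e":
                return True
            if letter in OPTS_WITH_VALUE:
                if len(arg) == 2 and letter in OPTS_WITH_SEPARATE_VALUE:
                    i += 1            # value is the next token, e.g. "-r socket"
                break
    return False


def is_suspicious_ruby(event):
    """Apply the three conditions from the rule summary to one process-creation event."""
    image = event.get("Image", "")
    cmd = event.get("CommandLine", "")
    if not RUBY_IMAGE_RE.search(image):
        return False
    argv = split_command_line(cmd)
    return (
        has_ruby_eval_flag(argv)
        and "TCPSocket" in cmd
        and SHELL_RE.search(cmd) is not None
    )


def scan(events):
    """Return the command lines of the events the logic flags."""
    return [e["CommandLine"] for e in events if is_suspicious_ruby(e)]


# Constructed sample events (Sysmon-for-Linux style field names, an assumption).
SAMPLE_EVENTS = [
    # Reverse-shell shape: -e, TCPSocket and a shell path all on one command line.
    # The payload body is deliberately elided; only the tokens the rule keys on remain.
    {"Image": "/usr/bin/ruby",
     "CommandLine": "ruby -e 'require \"socket\"; TCPSocket.new(ATTACKER_HOST, PORT) ... /bin/sh ...'"},
    # Same shape with -r and -e as separate options and a versioned interpreter.
    {"Image": "/usr/bin/ruby3.2",
     "CommandLine": "ruby3.2 -r socket -e 'TCPSocket.new(HOST, PORT) ... /bin/bash ...'"},
    # -e and TCPSocket but no shell: a one-off port check, not flagged.
    {"Image": "/usr/bin/ruby",
     "CommandLine": "ruby -e 'require \"socket\"; TCPSocket.new(\"localhost\", 443).close'"},
    # "sh" appears only inside "sha256", so the shell condition does not hold.
    {"Image": "/usr/bin/ruby",
     "CommandLine": "ruby -e 'require \"socket\"; TCPSocket.new(\"sha256.example\", 443)'"},
    # Plain Ruby one-liner, nothing socket related.
    {"Image": "/usr/bin/ruby", "CommandLine": "ruby -e 'puts 1 + 1'"},
    # Script file with "-e production" as the script's own argument, not Ruby's -e.
    {"Image": "/usr/bin/ruby", "CommandLine": "ruby /opt/app/bin/worker.rb -e production"},
    # Different interpreter: out of scope for this rule even if similar tokens appear.
    {"Image": "/usr/bin/python3", "CommandLine": "python3 -c 'import socket ... /bin/sh'"},
]

if __name__ == "__main__":
    for cmd in scan(SAMPLE_EVENTS):
        print("ALERT:", cmd)
```

Only the first two sample events are flagged. The remaining ones show why each condition is needed: a socket one-liner with no shell name is a legitimate port check, a shell name must be a whole word or path component rather than a substring such as `sha256`, and `-e` after the script path belongs to the script, not to Ruby. In a real deployment the `Process` data source is the host's process-creation telemetry, and the child shell spawned by the payload would normally produce its own event as well.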
Categories
  • Linux
  • Endpoint
Data Sources
  • Process
Created: 2023-04-07