Potential Xterm Reverse Shell

Summary
This detection rule aims to identify potential reverse shell activity that uses 'xterm', a terminal emulator for the X Window System that is common on Linux. A reverse shell is a type of shell where the target machine opens a port to accept incoming connections from a remote attacker. The rule monitors for processes executing 'xterm' with specific command-line arguments: 'xterm' in the process image, combined with a command line that includes the '-display' option and ends with ':1', signifies an attempt to establish a reverse shell connection. This matters to security teams because it indicates an unauthorized access attempt via a shell that could allow an attacker to gain control over the host system, so alerts from this rule should feed incident detection and response.
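The following is an added example, not the Sigma rule itself and not code from this page: a small Python re-implementation of the matching logic the summary describes, run over constructed process-creation events. It assumes the Sigma process_creation field names (Image, CommandLine, ParentImage, User), treats "xterm in the process image" as the executable's basename being xterm, and compares strings case-insensitively as Sigma does by default. The events are made up for the example; the IP address is from the documentation range.

```python
"""Added example: re-implementation of the 'Potential Xterm Reverse Shell'
selection described above, applied to constructed process-creation events.
Not the Sigma rule's own code."""

from typing import Dict, List


def _basename(path: str) -> str:
    """Return the last path component, so '/usr/bin/xterm' -> 'xterm'."""
    return path.rsplit("/", 1)[-1]


def is_xterm_reverse_shell(event: Dict[str, str]) -> bool:
    """Apply the selection from the summary to one process-creation event.

    Matches when the executable is xterm, the command line contains the
    '-display' option, and the command line ends with ':1' (a display number
    on a remote X server). Comparison is case-insensitive, as Sigma string
    matching is by default (assumption for this example).
    """
    image = str(event.get("Image", "")).lower()
    cmdline = str(event.get("CommandLine", "")).lower().rstrip()
    return (
        _basename(image) == "xterm"
        and "-display" in cmdline
        and cmdline.endswith(":1")
    )


def find_matches(events: List[Dict[str, str]]) -> List[Dict[str, str]]:
    """Return every event the selection fires on."""
    return [e for e in events if is_xterm_reverse_shell(e)]


def triage_lines(events: List[Dict[str, str]]) -> List[str]:
    """One line per match with the context an analyst wants first:
    which user launched it and from which parent process."""
    return [
        f"ALERT user={e.get('User', '?')} parent={e.get('ParentImage', '?')} "
        f"cmd={e.get('CommandLine', '')!r}"
        for e in find_matches(events)
    ]


# Constructed sample telemetry (not real logs). Only the first event should
# match: the others exercise the conditions that must all hold together.
SAMPLE_EVENTS = [
    {   # xterm pointed at a remote display :1 -> matches
        "Image": "/usr/bin/xterm",
        "CommandLine": "xterm -display 192.0.2.10:1",
        "ParentImage": "/bin/bash",
        "User": "www-data",
    },
    {   # local display and a trailing -e option -> does not end with ':1'
        "Image": "/usr/bin/xterm",
        "CommandLine": "xterm -display :0 -e /bin/bash",
        "ParentImage": "/usr/bin/gnome-shell",
        "User": "alice",
    },
    {   # xterm without -display -> no match
        "Image": "/usr/bin/xterm",
        "CommandLine": "xterm -geometry 80x24",
        "ParentImage": "/usr/bin/gnome-shell",
        "User": "alice",
    },
    {   # ends with ':1' but the process is not xterm -> no match
        "Image": "/usr/bin/ssh",
        "CommandLine": "ssh -X user@host.example:1",
        "ParentImage": "/bin/bash",
        "User": "bob",
    },
]

if __name__ == "__main__":
    for line in triage_lines(SAMPLE_EVENTS):
        print(line)
```

All three conditions must hold at once, which is what keeps ordinary interactive xterm launches (local display :0, extra trailing options) from firing; an environment where users legitimately open xterm against a remote display numbered :1 would need that pattern tuned or filtered.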
Categories
  • Linux
Data Sources
  • Process
Created: 2023-04-24