Potential Reverse Shell via UDP


This detection rule identifies suspicious network traffic patterns associated with UDP reverse shell activity. It samples an execve, a socket and a connect syscall executed by the same process, where the socket arguments auditd.data.a0 == 2 (AF_INET) and auditd.data.a1 == 2 (SOCK_DGRAM) or 802 (SOCK_DGRAM with SOCK_NONBLOCK; auditd records syscall arguments in hex) indicate a UDP socket, ending with an egress connect to a non-loopback destination. An attacker may establish a Linux UDP reverse shell to bypass traditional firewall restrictions and gain remote access to a target system covertly.

Rule type: eql

Rule indices:

  • auditbeat-*
  • logs-auditd_manager.auditd-*

Severity: medium

Risk score: 47

Runs every: 5m

Searches indices from: now-9m (Date Math format, see also Additional look-back time)

Maximum alerts per execution: 100

References:

Tags:

  • Domain: Endpoint
  • OS: Linux
  • Use Case: Threat Detection
  • Tactic: Execution

Version: 3

Rule authors:

  • Elastic

Rule license: Elastic License v2

Rule query

sample by host.id, process.pid, process.parent.pid
[process where host.os.type == "linux" and event.dataset == "auditd_manager.auditd" and
 auditd.data.syscall == "execve" and process.name : ("bash", "dash", "sh", "tcsh",
 "csh", "zsh", "ksh", "fish", "perl", "python*", "nc", "ncat", "netcat", "php*", "ruby",
 "openssl", "awk", "telnet", "lua*", "socat")]
[process where host.os.type == "linux" and event.dataset == "auditd_manager.auditd" and
 auditd.data.syscall == "socket" and process.name : ("bash", "dash", "sh", "tcsh", "csh",
 "zsh", "ksh", "fish", "perl", "python*", "nc", "ncat", "netcat", "php*", "ruby", "openssl",
 "awk", "telnet", "lua*", "socat") and auditd.data.a0 == "2" and auditd.data.a1 : ("2", "802")]
[network where host.os.type == "linux" and event.dataset == "auditd_manager.auditd" and
 auditd.data.syscall == "connect" and process.name : ("bash", "dash", "sh", "tcsh", "csh",
 "zsh", "ksh", "fish", "perl", "python*", "nc", "ncat", "netcat", "php*", "ruby", "openssl",
 "awk", "telnet", "lua*", "socat") and network.direction == "egress" and destination.ip != null and
 destination.ip != "127.0.0.1" and destination.ip != "127.0.0.53" and destination.ip != "::1"]
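To make the three-stage join above concrete, the following Python re-implements the same logic over a handful of constructed auditd_manager-style events (flattened ECS field names, as assumed here). This is an added example written for this page, not Elastic's code or the EQL engine itself; the sample events, host ids, pids and the 203.0.113.10 destination are constructed, and the join mirrors the membership semantics of EQL `sample` (one event per sub-query for the same join key, no ordering requirement).

```python
import fnmatch
from collections import defaultdict

# Process names from the rule; EQL ":" is a case-insensitive wildcard match.
WATCHED_PROCESSES = (
    "bash", "dash", "sh", "tcsh", "csh", "zsh", "ksh", "fish", "perl", "python*",
    "nc", "ncat", "netcat", "php*", "ruby", "openssl", "awk", "telnet", "lua*", "socat",
)
LOOPBACK = {"127.0.0.1", "127.0.0.53", "::1"}
AF_INET = "2"
# auditd logs syscall arguments in hex: 2 = SOCK_DGRAM, 802 = SOCK_DGRAM | SOCK_NONBLOCK.
UDP_SOCKET_TYPES = {"2", "802"}
REQUIRED_STAGES = {"execve", "socket", "connect"}


def process_name_matches(name):
    """Emulate `process.name : (...)`: case-insensitive glob against the watched list."""
    name = name.lower()
    return any(fnmatch.fnmatchcase(name, pattern) for pattern in WATCHED_PROCESSES)


def classify(event):
    """Return which of the three EQL sub-queries the event satisfies, or None."""
    if event.get("host.os.type") != "linux" or event.get("event.dataset") != "auditd_manager.auditd":
        return None
    if not process_name_matches(event.get("process.name", "")):
        return None
    syscall = event.get("auditd.data.syscall")
    if syscall == "execve":
        return "execve"
    if (syscall == "socket" and event.get("auditd.data.a0") == AF_INET
            and event.get("auditd.data.a1") in UDP_SOCKET_TYPES):
        return "socket"
    if (syscall == "connect" and event.get("network.direction") == "egress"
            and event.get("destination.ip") is not None
            and event.get("destination.ip") not in LOOPBACK):
        return "connect"
    return None


def find_udp_reverse_shell_candidates(events):
    """Join on (host.id, process.pid, process.parent.pid) and report keys for which
    all three stages occurred. Like EQL `sample`, this checks membership, not order."""
    stages_by_key = defaultdict(set)
    for event in events:
        stage = classify(event)
        if stage is None:
            continue
        key = (event["host.id"], event["process.pid"], event["process.parent.pid"])
        stages_by_key[key].add(stage)
    return sorted(key for key, stages in stages_by_key.items() if stages == REQUIRED_STAGES)


def _event(host, pid, ppid, name, syscall, extra=None):
    """Build a constructed auditd_manager-style event (flattened ECS field names)."""
    event = {"host.id": host, "host.os.type": "linux", "event.dataset": "auditd_manager.auditd",
             "process.pid": pid, "process.parent.pid": ppid, "process.name": name,
             "auditd.data.syscall": syscall}
    event.update(extra or {})
    return event


# Constructed sample events, not real telemetry.
SAMPLE_EVENTS = [
    # Full UDP sequence from one bash process: should be reported.
    _event("h1", 4242, 4000, "bash", "execve"),
    _event("h1", 4242, 4000, "bash", "socket", {"auditd.data.a0": "2", "auditd.data.a1": "2"}),
    _event("h1", 4242, 4000, "bash", "connect", {"network.direction": "egress", "destination.ip": "203.0.113.10"}),
    # SOCK_STREAM socket (a1 = 1): the socket stage never matches, so no alert.
    _event("h1", 5151, 4000, "python3", "execve"),
    _event("h1", 5151, 4000, "python3", "socket", {"auditd.data.a0": "2", "auditd.data.a1": "1"}),
    _event("h1", 5151, 4000, "python3", "connect", {"network.direction": "egress", "destination.ip": "203.0.113.10"}),
    # Non-blocking UDP socket but loopback destination: excluded by the connect stage.
    _event("h1", 6161, 4000, "nc", "execve"),
    _event("h1", 6161, 4000, "nc", "socket", {"auditd.data.a0": "2", "auditd.data.a1": "802"}),
    _event("h1", 6161, 4000, "nc", "connect", {"network.direction": "egress", "destination.ip": "127.0.0.1"}),
    # Process name not in the watched list: ignored entirely.
    _event("h2", 7171, 7000, "curl", "execve"),
    _event("h2", 7171, 7000, "curl", "socket", {"auditd.data.a0": "2", "auditd.data.a1": "2"}),
    _event("h2", 7171, 7000, "curl", "connect", {"network.direction": "egress", "destination.ip": "203.0.113.10"}),
]

if __name__ == "__main__":
    for host, pid, ppid in find_udp_reverse_shell_candidates(SAMPLE_EVENTS):
        print(f"candidate UDP reverse shell: host={host} pid={pid} ppid={ppid}")
```

Running the script reports only the bash process on h1; the TCP socket, the loopback connect and the unlisted process name each fail one stage, which is exactly where tuning happens when this rule produces noise (for example, adding process names or destination ranges to the exclusions).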

Framework: MITRE ATT&CK™