
Potential Reverse Shell via UDP


This detection rule identifies suspicious network traffic patterns associated with UDP reverse shell activity. The rule samples an execve, a socket and a connect syscall issued by the same process, where the socket call's auditd.data.a0 and auditd.data.a1 arguments indicate a UDP socket and the connect call is an egress connection. An attacker may establish a Linux UDP reverse shell to bypass traditional firewall restrictions and gain remote access to a target system covertly.

Rule type: eql

Rule indices:

  • auditbeat-*
  • logs-auditd_manager.auditd-*

Severity: medium

Risk score: 47

Runs every: 5m

Searches indices from: now-9m (Date Math format, see also Additional look-back time)

Maximum alerts per execution: 100

References:

Tags:

  • Domain: Endpoint
  • OS: Linux
  • Use Case: Threat Detection
  • Tactic: Execution

Version: 3

Rule authors:

  • Elastic

Rule license: Elastic License v2

Rule query

sample by host.id, process.pid, process.parent.pid
[process where host.os.type == "linux" and event.dataset == "auditd_manager.auditd" and
 auditd.data.syscall == "execve" and process.name : ("bash", "dash", "sh", "tcsh",
 "csh", "zsh", "ksh", "fish", "perl", "python*", "nc", "ncat", "netcat", "php*", "ruby",
 "openssl", "awk", "telnet", "lua*", "socat")]
[process where host.os.type == "linux" and event.dataset == "auditd_manager.auditd" and
 auditd.data.syscall == "socket" and process.name : ("bash", "dash", "sh", "tcsh", "csh",
 "zsh", "ksh", "fish", "perl", "python*", "nc", "ncat", "netcat", "php*", "ruby", "openssl",
 "awk", "telnet", "lua*", "socat") and auditd.data.a0 == "2" and auditd.data.a1 : ("2", "802")]
[network where host.os.type == "linux" and event.dataset == "auditd_manager.auditd" and
 auditd.data.syscall == "connect" and process.name : ("bash", "dash", "sh", "tcsh", "csh",
 "zsh", "ksh", "fish", "perl", "python*", "nc", "ncat", "netcat", "php*", "ruby", "openssl",
 "awk", "telnet", "lua*", "socat") and network.direction == "egress" and destination.ip != null and
 destination.ip != "127.0.0.1" and destination.ip != "127.0.0.53" and destination.ip != "::1"]
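The EQL `sample` above joins one matching event per subquery on the same host.id, process.pid and process.parent.pid, without requiring a particular order. The following is an added example, not part of the Elastic rule or its documentation, that re-implements the same three filters in plain Python over constructed auditd-style events so the matching logic can be traced by hand. The event records, host ids, pids and addresses are all constructed for the example. It also decodes the socket type argument: auditd logs syscall arguments in hex, so a0 == "2" is AF_INET and a1 of "2" or "802" is SOCK_DGRAM with or without SOCK_NONBLOCK (0x800 on x86-64 Linux, an assumption stated in the code).

```python
import fnmatch

# Process names listed in the rule query (glob patterns as in EQL).
SHELL_NAMES = ("bash", "dash", "sh", "tcsh", "csh", "zsh", "ksh", "fish", "perl",
               "python*", "nc", "ncat", "netcat", "php*", "ruby", "openssl", "awk",
               "telnet", "lua*", "socat")
LOOPBACK = {"127.0.0.1", "127.0.0.53", "::1"}   # destinations the rule excludes
UDP_SOCKET_TYPES = {"2", "802"}                  # a1 values the rule accepts (hex)

# socket(2) type decoding. Linux masks the base type with 0xF; the flag bit
# values assume an x86-64 kernel (SOCK_NONBLOCK == O_NONBLOCK == 0x800).
SOCK_TYPE_MASK = 0xF
SOCK_TYPE_NAMES = {1: "SOCK_STREAM", 2: "SOCK_DGRAM", 3: "SOCK_RAW"}
SOCK_FLAG_NAMES = {0x800: "SOCK_NONBLOCK", 0x80000: "SOCK_CLOEXEC"}


def decode_socket_type(a1_hex):
    """Turn an auditd a1 argument (hex string) into (base type, flags)."""
    value = int(a1_hex, 16)
    base = SOCK_TYPE_NAMES.get(value & SOCK_TYPE_MASK, "UNKNOWN")
    flags = tuple(name for bit, name in sorted(SOCK_FLAG_NAMES.items()) if value & bit)
    return base, flags


def name_matches(name):
    return any(fnmatch.fnmatchcase(name, pattern) for pattern in SHELL_NAMES)


def base_filter(ev):
    """Conditions shared by all three subqueries."""
    return (ev.get("host.os.type") == "linux"
            and ev.get("event.dataset") == "auditd_manager.auditd"
            and name_matches(ev.get("process.name", "")))


def is_execve(ev):
    return (ev.get("event.category") == "process" and base_filter(ev)
            and ev.get("auditd.data.syscall") == "execve")


def is_udp_socket(ev):
    return (ev.get("event.category") == "process" and base_filter(ev)
            and ev.get("auditd.data.syscall") == "socket"
            and ev.get("auditd.data.a0") == "2"          # AF_INET
            and ev.get("auditd.data.a1") in UDP_SOCKET_TYPES)


def is_egress_connect(ev):
    dst = ev.get("destination.ip")
    return (ev.get("event.category") == "network" and base_filter(ev)
            and ev.get("auditd.data.syscall") == "connect"
            and ev.get("network.direction") == "egress"
            and dst is not None and dst not in LOOPBACK)


def join_key(ev):
    return (ev.get("host.id"), ev.get("process.pid"), ev.get("process.parent.pid"))


def find_udp_reverse_shell_samples(events):
    """Return the (host.id, pid, ppid) keys for which each subquery matched at least one event."""
    groups = {}
    for ev in events:
        groups.setdefault(join_key(ev), []).append(ev)
    return [key for key, evs in groups.items()
            if any(map(is_execve, evs))
            and any(map(is_udp_socket, evs))
            and any(map(is_egress_connect, evs))]


def _ev(host, pid, ppid, name, category, syscall, **extra):
    ev = {"host.os.type": "linux", "event.dataset": "auditd_manager.auditd",
          "host.id": host, "process.pid": pid, "process.parent.pid": ppid,
          "process.name": name, "event.category": category,
          "auditd.data.syscall": syscall}
    ev.update(extra)
    return ev


# Constructed sample events: one UDP shell-like sequence, one TCP sequence
# (a1 == "1", SOCK_STREAM), and one UDP sequence that only talks to the local resolver.
SAMPLE_EVENTS = [
    _ev("host-a", 4242, 4100, "bash", "process", "execve"),
    _ev("host-a", 4242, 4100, "bash", "process", "socket", **{"auditd.data.a0": "2", "auditd.data.a1": "802"}),
    _ev("host-a", 4242, 4100, "bash", "network", "connect", **{"network.direction": "egress", "destination.ip": "203.0.113.10"}),
    _ev("host-a", 5150, 4100, "python3", "process", "execve"),
    _ev("host-a", 5150, 4100, "python3", "process", "socket", **{"auditd.data.a0": "2", "auditd.data.a1": "1"}),
    _ev("host-a", 5150, 4100, "python3", "network", "connect", **{"network.direction": "egress", "destination.ip": "198.51.100.7"}),
    _ev("host-b", 777, 1, "nc", "process", "execve"),
    _ev("host-b", 777, 1, "nc", "process", "socket", **{"auditd.data.a0": "2", "auditd.data.a1": "2"}),
    _ev("host-b", 777, 1, "nc", "network", "connect", **{"network.direction": "egress", "destination.ip": "127.0.0.53"}),
]

if __name__ == "__main__":
    for key in find_udp_reverse_shell_samples(SAMPLE_EVENTS):
        print("potential UDP reverse shell:", key)
    print("a1=802 decodes to", decode_socket_type("802"))
```

Only the bash process on host-a is reported: the python3 process opened a TCP socket, and the nc process on host-b only connected to the local stub resolver, which the rule deliberately excludes so ordinary name resolution by shells does not fire it.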

Framework: MITRE ATT&CK™
