Potential Reverse Shell via UDP
This detection rule identifies suspicious network traffic patterns associated with UDP reverse shell activity. The rule matches a sample of execve, socket and connect syscalls executed by the same process, where the auditd.data.a0 and auditd.data.a1 values indicate a UDP connection, ending with an egress connection event. An attacker may establish a Linux UDP reverse shell to bypass traditional firewall restrictions and gain remote access to a target system covertly.
Rule type: eql
Rule indices:
- auditbeat-*
- logs-auditd_manager.auditd-*
Severity: medium
Risk score: 47
Runs every: 5m
Searches indices from: now-9m (Date Math format, see also Additional look-back time)
Maximum alerts per execution: 100
References:
Tags:
- Domain: Endpoint
- OS: Linux
- Use Case: Threat Detection
- Tactic: Execution
Version: 3
Rule authors:
- Elastic
Rule license: Elastic License v2
Rule query
sample by host.id, process.pid, process.parent.pid
  [process where host.os.type == "linux" and event.dataset == "auditd_manager.auditd" and
   auditd.data.syscall == "execve" and
   process.name : ("bash", "dash", "sh", "tcsh", "csh", "zsh", "ksh", "fish", "perl", "python*", "nc", "ncat",
                   "netcat", "php*", "ruby", "openssl", "awk", "telnet", "lua*", "socat")]
  [process where host.os.type == "linux" and event.dataset == "auditd_manager.auditd" and
   auditd.data.syscall == "socket" and
   process.name : ("bash", "dash", "sh", "tcsh", "csh", "zsh", "ksh", "fish", "perl", "python*", "nc", "ncat",
                   "netcat", "php*", "ruby", "openssl", "awk", "telnet", "lua*", "socat") and
   auditd.data.a0 == "2" and auditd.data.a1 : ("2", "802")]
  [network where host.os.type == "linux" and event.dataset == "auditd_manager.auditd" and
   auditd.data.syscall == "connect" and
   process.name : ("bash", "dash", "sh", "tcsh", "csh", "zsh", "ksh", "fish", "perl", "python*", "nc", "ncat",
                   "netcat", "php*", "ruby", "openssl", "awk", "telnet", "lua*", "socat") and
   network.direction == "egress" and destination.ip != null and
   destination.ip != "127.0.0.1" and destination.ip != "127.0.0.53" and destination.ip != "::1"]
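The following is an added example, not Elastic's code: it emulates the query's three conditions and its `sample by` grouping over constructed events, to show how the hex `a0`/`a1` values decode. It assumes shortened event keys (`host`, `pid`, `ppid`, `name`, `syscall`, `direction`, `dst`) in place of the ECS field names, and it generalizes the `a1` match by masking the flag bits instead of comparing against the two literal strings.

```python
from collections import defaultdict
from fnmatch import fnmatch
# Process-name patterns copied from the rule query.
NAMES = ["bash", "dash", "sh", "tcsh", "csh", "zsh", "ksh", "fish", "perl",
         "python*", "nc", "ncat", "netcat", "php*", "ruby", "openssl", "awk",
         "telnet", "lua*", "socat"]
LOCAL_IPS = {None, "127.0.0.1", "127.0.0.53", "::1"}
AF_INET, SOCK_DGRAM, SOCK_TYPE_MASK = 2, 2, 0xF

def is_udp_socket(a0, a1):
    """auditd records syscall arguments as hex strings: a0 is the address
    family, a1 the socket type OR-ed with flags (0x800 is SOCK_NONBLOCK)."""
    return int(a0, 16) == AF_INET and int(a1, 16) & SOCK_TYPE_MASK == SOCK_DGRAM

def stage(ev):
    """Name the rule condition this event satisfies, or return None."""
    if not any(fnmatch(ev["name"].lower(), p) for p in NAMES):
        return None
    if ev["syscall"] == "execve":
        return "execve"
    if ev["syscall"] == "socket" and is_udp_socket(ev["a0"], ev["a1"]):
        return "socket"
    if (ev["syscall"] == "connect" and ev.get("direction") == "egress"
            and ev.get("dst") not in LOCAL_IPS):
        return "connect"
    return None

def detect(events):
    """Emulate `sample by host.id, process.pid, process.parent.pid`: a key
    matches once all three conditions were seen for it, in any order."""
    seen = defaultdict(set)
    for ev in events:
        if (s := stage(ev)):
            seen[(ev["host"], ev["pid"], ev["ppid"])].add(s)
    return sorted(k for k, v in seen.items() if len(v) == 3)

def evt(pid, name, syscall, **kw):
    """Build a constructed event; keys are shortened stand-ins for ECS fields."""
    return {"host": "h1", "pid": pid, "ppid": 1, "name": name, "syscall": syscall, **kw}

# Constructed sample events, not real telemetry.
EVENTS = [
    evt(4101, "python3", "execve"),
    evt(4101, "python3", "socket", a0="2", a1="802"),
    evt(4101, "python3", "connect", direction="egress", dst="203.0.113.7"),
    evt(4200, "nc", "execve"),
    evt(4200, "nc", "socket", a0="2", a1="1"),  # SOCK_STREAM (TCP): no match
    evt(4200, "nc", "connect", direction="egress", dst="203.0.113.7"),
]
```

`detect(EVENTS)` reports only the `python3` process; the `nc` process opens a TCP socket and never satisfies the socket condition.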
Framework: MITRE ATT&CK™
- Tactic:
  - Name: Execution
  - ID: TA0002
  - Reference URL: https://attack.mitre.org/tactics/TA0002/
- Technique:
  - Name: Command and Scripting Interpreter
  - ID: T1059
  - Reference URL: https://attack.mitre.org/techniques/T1059/
- Sub-technique:
  - Name: Unix Shell
  - ID: T1059.004
  - Reference URL: https://attack.mitre.org/techniques/T1059/004/
- Tactic:
  - Name: Command and Control
  - ID: TA0011
  - Reference URL: https://attack.mitre.org/tactics/TA0011/
- Technique:
  - Name: Application Layer Protocol
  - ID: T1071
  - Reference URL: https://attack.mitre.org/techniques/T1071/