IMPORTANT: No additional bug fixes or documentation updates will be released for this version. For the latest information, see the current release documentation.
« Appendix _: Downloadable rule update v8.9.12 Potential Data Exfiltration Activity to an Unusual ISO Code »
Elastic Docs Elastic Security Solution [8.9] Downloadable rule update v8.9.12

Potential Reverse Shell via Child

edit

Potential Reverse Shell via Child

edit

This detection rule identifies suspicious network traffic patterns associated with TCP reverse shell activity. This activity consists of a network event that is followed by the creation of a shell process with suspicious command line arguments. An attacker may establish a Linux TCP reverse shell to gain remote access to a target system.

Rule type: eql

Rule indices:

  • logs-endpoint.events.*

Severity: medium

Risk score: 47

Runs every: 5m

Searches indices from: now-9m (Date Math format, see also Additional look-back time)

Maximum alerts per execution: 100

References:

Tags:

  • Domain: Endpoint
  • OS: Linux
  • Use Case: Threat Detection
  • Tactic: Execution
  • Data Source: Elastic Defend

Version: 1

Rule authors:

  • Elastic

Rule license: Elastic License v2

Rule query

edit
sequence by host.id, process.entity_id with maxspan=5s
  [network where event.type == "start" and event.action in ("connection_attempted", "connection_accepted") and
   process.name : ("bash", "dash", "sh", "tcsh", "csh", "zsh", "ksh", "fish", "socat") and destination.ip != null and
   not cidrmatch(destination.ip, "127.0.0.0/8", "169.254.0.0/16", "224.0.0.0/4", "::1")]
  [process where event.type == "start" and event.action == "exec" and
   process.name in ("bash", "dash", "sh", "tcsh", "csh", "zsh", "ksh", "fish") and (
     (process.args : ("-i", "-l")) or (process.parent.name == "socat" and process.parent.args : "*exec*")
   )]

Framework: MITRE ATT&CKTM

« Appendix _: Downloadable rule update v8.9.12 Potential Data Exfiltration Activity to an Unusual ISO Code »