Potential Upgrade of Non-interactive Shell
Identifies when a non-interactive terminal (tty) is being upgraded to a fully interactive shell. Attackers may upgrade a simple reverse shell to a fully interactive tty after obtaining initial access to a host, in order to obtain a more stable connection.
Elastic rule (View on GitHub)
1[metadata]
2creation_date = "2023/09/20"
3integration = ["endpoint", "crowdstrike", "sentinel_one_cloud_funnel"]
4maturity = "production"
5min_stack_version = "8.13.0"
6min_stack_comments = "Breaking change at 8.13.0 for SentinelOne Integration."
7updated_date = "2025/01/15"
8
9[rule]
10author = ["Elastic"]
11description = """
12Identifies when a non-interactive terminal (tty) is being upgraded to a fully interactive shell. Attackers may upgrade a
13simple reverse shell to a fully interactive tty after obtaining initial access to a host, in order to obtain a more
14stable connection.
15"""
16from = "now-9m"
17index = ["logs-endpoint.events.*", "endgame-*", "logs-crowdstrike.fdr*", "logs-sentinel_one_cloud_funnel.*"]
18language = "eql"
19license = "Elastic License v2"
20name = "Potential Upgrade of Non-interactive Shell"
21risk_score = 47
22rule_id = "84d1f8db-207f-45ab-a578-921d91c23eb2"
23setup = """## Setup
24
25This rule requires data coming in from Elastic Defend.
26
27### Elastic Defend Integration Setup
28Elastic Defend is integrated into the Elastic Agent using Fleet. Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app.
29
30#### Prerequisite Requirements:
31- Fleet is required for Elastic Defend.
32- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).
33
34#### The following steps should be executed in order to add the Elastic Defend integration on a Linux System:
35- Go to the Kibana home page and click "Add integrations".
36- In the query bar, search for "Elastic Defend" and select the integration to see more details about it.
37- Click "Add Elastic Defend".
38- Configure the integration name and optionally add a description.
39- Select the type of environment you want to protect, either "Traditional Endpoints" or "Cloud Workloads".
40- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).
41- We suggest selecting "Complete EDR (Endpoint Detection and Response)" as a configuration setting, that provides "All events; all preventions"
42- Enter a name for the agent policy in "New agent policy name". If other agent policies already exist, you can click the "Existing hosts" tab and select an existing policy instead.
43For more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/8.10/agent-policy.html).
44- Click "Save and Continue".
45- To complete the integration, select "Add Elastic Agent to your hosts" and continue to the next section to install the Elastic Agent on your hosts.
46For more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).
47"""
48severity = "medium"
49tags = [
50 "Domain: Endpoint",
51 "OS: Linux",
52 "Use Case: Threat Detection",
53 "Tactic: Execution",
54 "Data Source: Elastic Endgame",
55 "Data Source: Elastic Defend",
56 "Data Source: Crowdstrike",
57 "Data Source: SentinelOne",
58 "Resources: Investigation Guide",
59]
60timestamp_override = "event.ingested"
61type = "eql"
62
63query = '''
64process where host.os.type == "linux" and event.type == "start" and
65 event.action in ("exec", "exec_event", "start", "ProcessRollup2") and
66 (
67 (process.name == "stty" and process.args == "raw" and process.args == "-echo" and process.args_count >= 3) or
68 (process.name == "script" and process.args in ("-qc", "-c") and process.args == "/dev/null" and
69 process.args_count == 4)
70 )
71'''
72note = """## Triage and analysis
73
74> **Disclaimer**:
75> This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs.
76
77### Investigating Potential Upgrade of Non-interactive Shell
78
79In Linux environments, attackers often seek to enhance a basic reverse shell to a fully interactive shell to gain a more robust foothold. This involves using tools like `stty` or `script` to manipulate terminal settings, enabling features like command history and job control. The detection rule identifies such activities by monitoring specific process executions and arguments, flagging potential misuse indicative of an upgrade attempt.
80
81### Possible investigation steps
82
83- Review the process execution details to confirm the presence of `stty` or `script` commands with the specific arguments outlined in the detection rule, such as `stty raw -echo` or `script -qc /dev/null`.
84- Examine the parent process of the flagged `stty` or `script` command to determine how the shell was initially spawned and identify any potentially malicious scripts or binaries.
85- Check the user account associated with the process execution to assess if it aligns with expected user behavior or if it indicates potential compromise.
86- Investigate the network connections associated with the host at the time of the alert to identify any suspicious remote connections that could be indicative of a reverse shell.
87- Review historical process execution and login records for the user and host to identify any patterns of suspicious activity or previous attempts to establish a reverse shell.
88
89### False positive analysis
90
91- System administrators or legitimate users may use stty or script commands for routine maintenance or troubleshooting, which can trigger the rule. To manage this, create exceptions for known user accounts or specific maintenance windows.
92- Automated scripts or cron jobs that utilize stty or script for legitimate purposes might be flagged. Review these scripts and whitelist them by process hash or command line pattern to prevent false positives.
93- Development environments where developers frequently use stty or script for testing purposes can generate alerts. Consider excluding specific development machines or user groups from the rule to reduce noise.
94- Monitoring tools or security solutions that simulate shell upgrades for testing or auditing purposes may inadvertently trigger the rule. Identify these tools and add them to an exception list based on their process name or execution path.
95
96### Response and remediation
97
98- Immediately isolate the affected host from the network to prevent further unauthorized access or lateral movement by the attacker.
99- Terminate any suspicious processes identified by the detection rule, specifically those involving `stty` or `script` with the flagged arguments, to disrupt the attacker's attempt to upgrade the shell.
100- Conduct a thorough review of the affected system's logs and process history to identify any additional malicious activities or compromised accounts.
101- Reset credentials for any user accounts that were active during the time of the alert to prevent unauthorized access using potentially compromised credentials.
102- Apply security patches and updates to the affected system to address any vulnerabilities that may have been exploited by the attacker.
103- Enhance monitoring and logging on the affected host and similar systems to detect any future attempts to upgrade non-interactive shells or other suspicious activities.
104- Escalate the incident to the security operations center (SOC) or incident response team for further investigation and to determine if additional systems may be affected."""
105
106
107[[rule.threat]]
108framework = "MITRE ATT&CK"
109[[rule.threat.technique]]
110id = "T1059"
111name = "Command and Scripting Interpreter"
112reference = "https://attack.mitre.org/techniques/T1059/"
113[[rule.threat.technique.subtechnique]]
114id = "T1059.004"
115name = "Unix Shell"
116reference = "https://attack.mitre.org/techniques/T1059/004/"
117
118
119
120[rule.threat.tactic]
121id = "TA0002"
122name = "Execution"
123reference = "https://attack.mitre.org/tactics/TA0002/"
Triage and analysis
Disclaimer: This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs.
Investigating Potential Upgrade of Non-interactive Shell
In Linux environments, attackers often seek to enhance a basic reverse shell to a fully interactive shell to gain a more robust foothold. This involves using tools like stty
or script
to manipulate terminal settings, enabling features like command history and job control. The detection rule identifies such activities by monitoring specific process executions and arguments, flagging potential misuse indicative of an upgrade attempt.
Possible investigation steps
- Review the process execution details to confirm the presence of
stty
orscript
commands with the specific arguments outlined in the detection rule, such asstty raw -echo
orscript -qc /dev/null
. - Examine the parent process of the flagged
stty
orscript
command to determine how the shell was initially spawned and identify any potentially malicious scripts or binaries. - Check the user account associated with the process execution to assess if it aligns with expected user behavior or if it indicates potential compromise.
- Investigate the network connections associated with the host at the time of the alert to identify any suspicious remote connections that could be indicative of a reverse shell.
- Review historical process execution and login records for the user and host to identify any patterns of suspicious activity or previous attempts to establish a reverse shell.
False positive analysis
- System administrators or legitimate users may use stty or script commands for routine maintenance or troubleshooting, which can trigger the rule. To manage this, create exceptions for known user accounts or specific maintenance windows.
- Automated scripts or cron jobs that utilize stty or script for legitimate purposes might be flagged. Review these scripts and whitelist them by process hash or command line pattern to prevent false positives.
- Development environments where developers frequently use stty or script for testing purposes can generate alerts. Consider excluding specific development machines or user groups from the rule to reduce noise.
- Monitoring tools or security solutions that simulate shell upgrades for testing or auditing purposes may inadvertently trigger the rule. Identify these tools and add them to an exception list based on their process name or execution path.
Response and remediation
- Immediately isolate the affected host from the network to prevent further unauthorized access or lateral movement by the attacker.
- Terminate any suspicious processes identified by the detection rule, specifically those involving
stty
orscript
with the flagged arguments, to disrupt the attacker's attempt to upgrade the shell. - Conduct a thorough review of the affected system's logs and process history to identify any additional malicious activities or compromised accounts.
- Reset credentials for any user accounts that were active during the time of the alert to prevent unauthorized access using potentially compromised credentials.
- Apply security patches and updates to the affected system to address any vulnerabilities that may have been exploited by the attacker.
- Enhance monitoring and logging on the affected host and similar systems to detect any future attempts to upgrade non-interactive shells or other suspicious activities.
- Escalate the incident to the security operations center (SOC) or incident response team for further investigation and to determine if additional systems may be affected.
Related rules
- Cupsd or Foomatic-rip Shell Execution
- Git Hook Child Process
- Netcat Listener Established via rlwrap
- Potential Hex Payload Execution
- Potential Linux Hack Tool Launched