Potential Reverse Shell via Suspicious Parent Process
This detection rule detects the creation of a shell through a suspicious parent child relationship. Any reverse shells spawned by the specified utilities that use a forked process to initialize the connection attempt will be captured through this rule. Attackers may spawn reverse shells to establish persistence onto a target system.
Elastic rule (View on GitHub)
1[metadata]
2creation_date = "2023/07/04"
3integration = ["endpoint"]
4maturity = "production"
5min_stack_comments = "New fields added: required_fields, related_integrations, setup"
6min_stack_version = "8.3.0"
7updated_date = "2023/08/10"
8
9[rule]
10author = ["Elastic"]
11description = """
12This detection rule detects the creation of a shell through a suspicious parent child relationship. Any reverse shells
13spawned by the specified utilities that use a forked process to initialize the connection attempt will be captured
14through this rule. Attackers may spawn reverse shells to establish persistence onto a target system.
15"""
16from = "now-9m"
17index = ["logs-endpoint.events.*"]
18language = "eql"
19license = "Elastic License v2"
20name = "Potential Reverse Shell via Suspicious Parent Process"
21references = [
22 "https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/Methodology%20and%20Resources/Reverse%20Shell%20Cheatsheet.md"
23]
24risk_score = 47
25rule_id = "4b1a807a-4e7b-414e-8cea-24bf580f6fc5"
26severity = "medium"
27tags = ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Execution", "Data Source: Elastic Defend"]
28type = "eql"
29query = '''
30sequence by host.id, process.parent.entity_id with maxspan=1s
31[ process where host.os.type == "linux" and event.type == "start" and event.action == "fork" and (
32 (process.name : "python*" and process.args : "-c") or
33 (process.name : "php*" and process.args : "-r") or
34 (process.name : "perl" and process.args : "-e") or
35 (process.name : "ruby" and process.args : ("-e", "-rsocket")) or
36 (process.name : "lua*" and process.args : "-e") or
37 (process.name : "openssl" and process.args : "-connect") or
38 (process.name : ("nc", "ncat", "netcat") and process.args_count >= 3) or
39 (process.name : "telnet" and process.args_count >= 3) or
40 (process.name : "awk")) and
41 process.parent.name : ("python*", "php*", "perl", "ruby", "lua*", "openssl", "nc", "netcat", "ncat", "telnet", "awk") ]
42[ network where host.os.type == "linux" and event.type == "start" and event.action in ("connection_attempted", "connection_accepted") and
43 process.name : ("python*", "php*", "perl", "ruby", "lua*", "openssl", "nc", "netcat", "ncat", "telnet", "awk") and
44 destination.ip != null and destination.ip != "127.0.0.1" and destination.ip != "::1" ]
45'''
46
47[[rule.threat]]
48framework = "MITRE ATT&CK"
49
50[rule.threat.tactic]
51name = "Execution"
52id = "TA0002"
53reference = "https://attack.mitre.org/tactics/TA0002/"
54
55[[rule.threat.technique]]
56id = "T1059"
57name = "Command and Scripting Interpreter"
58reference = "https://attack.mitre.org/techniques/T1059/"
59
60[[rule.threat.technique.subtechnique]]
61id = "T1059.004"
62name = "Unix Shell"
63reference = "https://attack.mitre.org/techniques/T1059/004/"
64
65[[rule.threat]]
66framework = "MITRE ATT&CK"
67
68[rule.threat.tactic]
69name = "Command and Control"
70id = "TA0011"
71reference = "https://attack.mitre.org/tactics/TA0011/"
72
73[[rule.threat.technique]]
74name = "Application Layer Protocol"
75id = "T1071"
76reference = "https://attack.mitre.org/techniques/T1071/"
References
-
A list of useful payloads and bypass for Web Application Security and Pentest/CTF - swisskyrepo/PayloadsAllTheThings
Read More
Related rules
- BPF filter applied using TC
- Binary Executed from Shared Memory Directory
- Cron Job Created or Changed by Previously Unknown Process
- EggShell Backdoor Execution
- File Transfer or Listener Established via Netcat