Potential Reverse Shell via Java
This detection rule identifies the execution of a Linux shell process from a Java JAR application post an incoming network connection. This behavior may indicate reverse shell activity via a Java application.
Elastic rule (View on GitHub)
1[metadata]
2creation_date = "2023/07/04"
3integration = ["endpoint"]
4maturity = "production"
5min_stack_comments = "New fields added: required_fields, related_integrations, setup"
6min_stack_version = "8.3.0"
7updated_date = "2023/07/25"
8
9[rule]
10author = ["Elastic"]
11description = """
12This detection rule identifies the execution of a Linux shell process from a Java JAR application post an incoming
13network connection. This behavior may indicate reverse shell activity via a Java application.
14"""
15from = "now-9m"
16index = ["logs-endpoint.events.*"]
17language = "eql"
18license = "Elastic License v2"
19name = "Potential Reverse Shell via Java"
20references = [
21 "https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/Methodology%20and%20Resources/Reverse%20Shell%20Cheatsheet.md"
22]
23risk_score = 47
24rule_id = "5a3d5447-31c9-409a-aed1-72f9921594fd"
25severity = "medium"
26tags = ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Execution", "Data Source: Elastic Defend"]
27type = "eql"
28query = '''
29sequence by host.id with maxspan=5s
30[ network where host.os.type == "linux" and event.action in ("connection_accepted", "connection_attempted") and
31 process.executable : ("/usr/bin/java", "/bin/java", "/usr/lib/jvm/*", "/usr/java/*") and
32 destination.ip != null and destination.ip != "127.0.0.1" and destination.ip != "::1" ] by process.entity_id
33[ process where host.os.type == "linux" and event.action == "exec" and
34 process.parent.executable : ("/usr/bin/java", "/bin/java", "/usr/lib/jvm/*", "/usr/java/*") and
35 process.parent.args : "-jar" and process.executable : "*sh" ] by process.parent.entity_id
36'''
37
38[[rule.threat]]
39framework = "MITRE ATT&CK"
40
41[rule.threat.tactic]
42name = "Execution"
43id = "TA0002"
44reference = "https://attack.mitre.org/tactics/TA0002/"
45
46[[rule.threat.technique]]
47id = "T1059"
48name = "Command and Scripting Interpreter"
49reference = "https://attack.mitre.org/techniques/T1059/"
50
51[[rule.threat.technique.subtechnique]]
52id = "T1059.004"
53name = "Unix Shell"
54reference = "https://attack.mitre.org/techniques/T1059/004/"
55
56[[rule.threat]]
57framework = "MITRE ATT&CK"
58
59[rule.threat.tactic]
60name = "Command and Control"
61id = "TA0011"
62reference = "https://attack.mitre.org/tactics/TA0011/"
63
64[[rule.threat.technique]]
65name = "Application Layer Protocol"
66id = "T1071"
67reference = "https://attack.mitre.org/techniques/T1071/"
References
-
A list of useful payloads and bypass for Web Application Security and Pentest/CTF - swisskyrepo/PayloadsAllTheThings
Read More
Related rules
- BPF filter applied using TC
- Binary Executed from Shared Memory Directory
- Cron Job Created or Changed by Previously Unknown Process
- EggShell Backdoor Execution
- File Transfer or Listener Established via Netcat