Suspicious Use of /dev/tcp
Detects suspicious command with /dev/tcp
Sigma rule (View on GitHub)
1title: Suspicious Use of /dev/tcp
2id: 6cc5fceb-9a71-4c23-aeeb-963abe0b279c
3status: test
4description: Detects suspicious command with /dev/tcp
5references:
6 - https://www.andreafortuna.org/2021/03/06/some-useful-tips-about-dev-tcp/
7 - https://book.hacktricks.xyz/shells/shells/linux
8 - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1046/T1046.md#atomic-test-1---port-scan
9author: frack113
10date: 2021-12-10
11modified: 2023-01-06
12tags:
13 - attack.reconnaissance
14logsource:
15 product: linux
16detection:
17 keywords:
18 - 'cat </dev/tcp/'
19 - 'exec 3<>/dev/tcp/'
20 - 'echo >/dev/tcp/'
21 - 'bash -i >& /dev/tcp/'
22 - 'sh -i >& /dev/udp/'
23 - '0<&196;exec 196<>/dev/tcp/'
24 - 'exec 5<>/dev/tcp/'
25 - '(sh)0>/dev/tcp/'
26 - 'bash -c ''bash -i >& /dev/tcp/'
27 - 'echo -e ''#!/bin/bash\nbash -i >& /dev/tcp/'
28 condition: keywords
29falsepositives:
30 - Unknown
31level: medium
References
-
Just some simple tips that I found very useful. Bash supports read/write operations on a pseudo-device file /dev/tcp/[host]/[port] [1]. Writing to this special file makes bash open a tcp connection to host:port, and this feature may be used for some useful purposes, for example: </p> Query an NTP server this command: cat </dev/tcp/time.nist.gov/13 reads the time in Daytime Protocol from the NIST Internet Time Service server. </p> Fetch a web page this script exec 3<>/dev/tcp/www.google.com/80 echo -e "GET / HTTP/1.1\r\nhost: http://www.google.com\r\nConnection: close\r\n\r\n" >&3 cat <&3 fetches the front page from Google.com. </p> Perform a port scan In case you are not enabled to install any software on your linux box, using the same special file, you can check if a tcp port is open: if writing to the port succeeds, the port is open, else the port is closed. So, you can perform a basic port scan, for example of an entire subnet, using a simple script like for ip in {1..254}; do for port in {22,80,443,3306,3389}; do (echo >/dev/tcp/192.168.1.|$ip/$port) >& /dev/null && echo "192.168.1.$ip:$port is open"; done; done You can customize the script changing the involved subnet. </p> Download a file wget () { IFS=/ read proto z host query <<< "$1" exec 3< /dev/tcp/$host/80 { echo GET /$query HTTP/1.1 echo connection: close echo host: $host echo } >&3 sed '1,/^$/d' <&3 > $(basename $1) }
Read More -
😎Hardware/Physical Access Physical AttacksEscaping from KIOSKsFirmware AnalysisBootloader testingFirmware Integrity
Read More -
Small and highly portable detection tests based on MITRE's ATT&CK. - redcanaryco/atomic-red-team
Read More
Related rules
- AADInternals PowerShell Cmdlets Execution - ProccessCreation
- AADInternals PowerShell Cmdlets Execution - PsScript
- Azure AD Account Credential Leaked
- Bitbucket User Details Export Attempt Detected
- Bitbucket User Permissions Export Attempt