Potential PHP Reverse Shell

calendarApr 25, 2023 · attack.execution  ·
Share on: linkedincopy

Detects usage of the PHP CLI with the "-r" flag which allows it to run inline PHP code. The rule looks for calls to the "fsockopen" function which allows the creation of sockets. Attackers often leverage this in combination with functions such as "exec" or "fopen" to initiate a reverse shell connection.

Sigma rule (View on GitHub)

 1title: Potential PHP Reverse Shell
 2id: c6714a24-d7d5-4283-a36b-3ffd091d5f7e
 3status: experimental
 4description: |
 5    Detects usage of the PHP CLI with the "-r" flag which allows it to run inline PHP code. The rule looks for calls to the "fsockopen" function which allows the creation of sockets.
 6    Attackers often leverage this in combination with functions such as "exec" or "fopen" to initiate a reverse shell connection.    
 7references:
 8    - https://pentestmonkey.net/cheat-sheet/shells/reverse-shell-cheat-sheet
 9    - https://www.revshells.com/
10author: '@d4ns4n_'
11date: 2023/04/07
12tags:
13    - attack.execution
14logsource:
15    category: process_creation
16    product: linux
17detection:
18    selection:
19        Image|contains: '/php'
20        CommandLine|contains|all:
21            - ' -r '
22            - 'fsockopen'
23        CommandLine|contains:
24            - 'ash'
25            - 'bash'
26            - 'bsh'
27            - 'csh'
28            - 'ksh'
29            - 'pdksh'
30            - 'sh'
31            - 'tcsh'
32            - 'zsh'
33    condition: selection
34falsepositives:
35    - Unknown
36level: high

Related rules

to-top