Potential Xterm Reverse Shell
Detects usage of "xterm" as a potential reverse shell tunnel
Sigma rule (View on GitHub)
1title: Potential Xterm Reverse Shell
2id: 4e25af4b-246d-44ea-8563-e42aacab006b
3status: test
4description: Detects usage of "xterm" as a potential reverse shell tunnel
5references:
6 - https://pentestmonkey.net/cheat-sheet/shells/reverse-shell-cheat-sheet
7 - https://www.revshells.com/
8author: '@d4ns4n_'
9date: 2023/04/24
10tags:
11 - attack.execution
12 - attack.t1059
13logsource:
14 category: process_creation
15 product: linux
16detection:
17 selection:
18 Image|contains: 'xterm'
19 CommandLine|contains: '-display'
20 CommandLine|endswith: ':1'
21 condition: selection
22falsepositives:
23 - Unknown
24level: medium
References
-
If you’re lucky enough to find a command execution vulnerability during a penetration test, pretty soon afterwards you’ll probably want an interactive shell. If it’s not possible to add a new accou...
Read More -
Online Reverse Shell generator with Local Storage functionality, URI & Base64 Encoding, MSFVenom Generator, and Raw Mode. Great for CTFs.
Read More
Related rules
- Add Insecure Download Source To Winget
- Add New Download Source To Winget
- HackTool - Stracciatella Execution
- Install New Package Via Winget Local Manifest
- PowerShell Download and Execution Cradles