Potential Reverse Shell via Suspicious Child Process

This rule detects the creation of a shell through a suspicious process chain: one of the scripting interpreters or network utilities listed in the query is launched by a shell, and that same process then attempts a network connection within one second. Attackers may spawn reverse shells in this way to establish persistence on a target system.

Rule type: eql

Rule indices:

  • logs-endpoint.events.*

Severity: medium

Risk score: 47

Runs every: 5m

Searches indices from: now-9m (Date Math format, see also Additional look-back time)

Maximum alerts per execution: 100

References:

Tags:

  • Domain: Endpoint
  • OS: Linux
  • Use Case: Threat Detection
  • Tactic: Execution
  • Data Source: Elastic Defend

Version: 4

Rule authors:

  • Elastic

Rule license: Elastic License v2

Rule query

sequence by host.id, process.entity_id with maxspan=1s
[ process where host.os.type == "linux" and event.type == "start" and event.action == "exec" and (
  (process.name : "python*" and process.args : "-c") or
  (process.name : "php*" and process.args : "-r") or
  (process.name : "perl" and process.args : "-e") or
  (process.name : "ruby" and process.args : ("-e", "-rsocket")) or
  (process.name : "lua*" and process.args : "-e") or
  (process.name : "openssl" and process.args : "-connect") or
  (process.name : ("nc", "ncat", "netcat") and process.args_count >= 3) or
  (process.name : "telnet" and process.args_count >= 3) or
  (process.name : "awk")) and
  process.parent.name : ("bash", "dash", "sh", "tcsh", "csh", "zsh", "ksh", "fish") ]
[ network where host.os.type == "linux" and event.type == "start" and event.action in ("connection_attempted", "connection_accepted") and
  process.name : ("python*", "php*", "perl", "ruby", "lua*", "openssl", "nc", "netcat", "ncat", "telnet", "awk") and
  destination.ip != null and destination.ip != "127.0.0.1" and destination.ip != "::1" ]
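To make the sequence semantics concrete, the following is an added Python emulation of the rule's two steps and join logic, run over constructed sample telemetry. It is example code written for this page, not Elastic's rule engine or any Elastic code. It assumes events arrive as flat dicts keyed by ECS field name with `@timestamp` as epoch seconds, approximates the EQL `:` operator with case-insensitive glob matching, derives `process.args_count` from `len(process.args)`, and tracks one pending first-step event per `(host.id, process.entity_id)` join key; the script bodies in the sample events are placeholders.

```python
import fnmatch

# Values taken from the rule query above
SHELLS = {"bash", "dash", "sh", "tcsh", "csh", "zsh", "ksh", "fish"}
NET_PROCESS_PATTERNS = ("python*", "php*", "perl", "ruby", "lua*", "openssl",
                        "nc", "netcat", "ncat", "telnet", "awk")
LOOPBACK = {"127.0.0.1", "::1"}
MAXSPAN_SECONDS = 1.0  # `with maxspan=1s`


def _glob(value, *patterns):
    """Approximation of EQL ':' (case-insensitive wildcard match) for one string."""
    v = (value or "").lower()
    return any(fnmatch.fnmatchcase(v, p.lower()) for p in patterns)


def _any_arg(args, *patterns):
    """EQL `process.args : x` is true if any element of the array matches."""
    return any(_glob(a, *patterns) for a in args)


def suspicious_interpreter_start(ev):
    """Step 1: interpreter/network tool exec'd with the listed flags, parent is a shell."""
    if ev.get("event.category") != "process" or ev.get("host.os.type") != "linux":
        return False
    if ev.get("event.type") != "start" or ev.get("event.action") != "exec":
        return False
    name = ev.get("process.name", "")
    args = ev.get("process.args", [])
    argc = len(args)  # stand-in for process.args_count (assumption)
    tool_hit = (
        (_glob(name, "python*") and _any_arg(args, "-c")) or
        (_glob(name, "php*") and _any_arg(args, "-r")) or
        (_glob(name, "perl") and _any_arg(args, "-e")) or
        (_glob(name, "ruby") and _any_arg(args, "-e", "-rsocket")) or
        (_glob(name, "lua*") and _any_arg(args, "-e")) or
        (_glob(name, "openssl") and _any_arg(args, "-connect")) or
        (_glob(name, "nc", "ncat", "netcat") and argc >= 3) or
        (_glob(name, "telnet") and argc >= 3) or
        _glob(name, "awk")
    )
    return tool_hit and (ev.get("process.parent.name") or "").lower() in SHELLS


def outbound_connection(ev):
    """Step 2: non-loopback connection attempted/accepted by one of the same tools."""
    if ev.get("event.category") != "network" or ev.get("host.os.type") != "linux":
        return False
    if ev.get("event.type") != "start" or \
            ev.get("event.action") not in ("connection_attempted", "connection_accepted"):
        return False
    dst = ev.get("destination.ip")
    return dst is not None and dst not in LOOPBACK and _glob(ev.get("process.name"), *NET_PROCESS_PATTERNS)


def match_sequence(events):
    """Emulate `sequence by host.id, process.entity_id with maxspan=1s [step1] [step2]`."""
    pending = {}  # join key -> timestamp of the most recent step-1 match
    alerts = []
    for ev in sorted(events, key=lambda e: e["@timestamp"]):
        key = (ev.get("host.id"), ev.get("process.entity_id"))
        if suspicious_interpreter_start(ev):
            pending[key] = ev["@timestamp"]
        elif key in pending and outbound_connection(ev):
            started = pending.pop(key)
            if ev["@timestamp"] - started <= MAXSPAN_SECONDS:
                alerts.append({"host.id": key[0], "process.entity_id": key[1],
                               "process.name": ev.get("process.name"),
                               "destination.ip": ev.get("destination.ip")})
    return alerts


# Helpers to build constructed sample events (not real captures)
def _proc(ts, eid, name, args, parent, host="host-a"):
    return {"@timestamp": ts, "event.category": "process", "event.type": "start",
            "event.action": "exec", "host.os.type": "linux", "host.id": host,
            "process.entity_id": eid, "process.name": name, "process.args": args,
            "process.parent.name": parent}


def _net(ts, eid, name, dst, host="host-a"):
    return {"@timestamp": ts, "event.category": "network", "event.type": "start",
            "event.action": "connection_attempted", "host.os.type": "linux",
            "host.id": host, "process.entity_id": eid, "process.name": name,
            "destination.ip": dst}


SAMPLE_EVENTS = [
    # 1. python3 -c from bash, outbound connection 0.4 s later: fires
    _proc(1000.0, "p1", "python3", ["python3", "-c", "<script placeholder>"], "bash"),
    _net(1000.4, "p1", "python3", "203.0.113.10"),
    # 2. perl -e from sh, but the connection goes to loopback: no alert
    _proc(2000.0, "p2", "perl", ["perl", "-e", "<script placeholder>"], "sh"),
    _net(2000.3, "p2", "perl", "127.0.0.1"),
    # 3. nc with three args, but the parent is cron rather than a shell: no alert
    _proc(3000.0, "p3", "nc", ["nc", "198.51.100.7", "443"], "cron"),
    _net(3000.2, "p3", "nc", "198.51.100.7"),
    # 4. ruby -e from zsh, connection 5 s later: outside maxspan, no alert
    _proc(4000.0, "p4", "ruby", ["ruby", "-e", "<script placeholder>"], "zsh"),
    _net(4005.0, "p4", "ruby", "203.0.113.10"),
]


def run_sample():
    return match_sequence(SAMPLE_EVENTS)


if __name__ == "__main__":
    for alert in run_sample():
        print("ALERT", alert)
```

Of the four constructed chains only the first produces an alert; the other three show the conditions that keep the rule quiet (loopback destination, non-shell parent, connection outside the one-second `maxspan`). Tuning a local exception list is safest against the parent name and the exact argument pattern rather than against `process.name` alone, since the second step matches on the process name only.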

Framework: MITRE ATT&CK™
