Reverse Shell Created via Named Pipe

Warning

This rule has been deprecated as of 2023/07/04.

Identifies a reverse shell via the abuse of named pipes on Linux with the help of OpenSSL or Netcat. First in, first out (FIFO) files are special files for reading and writing to by Linux processes. For this to work, a named pipe is created and passed to a Linux shell where the use of a network connection tool such as Netcat or OpenSSL has been established. The stdout and stderr are captured in the named pipe from the network connection and passed back to the shell for execution.

Rule type: eql
Rule indices:

auditbeat-*
logs-endpoint.events.*
endgame-*

Rule Severity: medium
Risk Score: 47
Runs every:
Searches indices from: now-9m
Maximum alerts per execution: 100
References:

Tags:

Domain: Endpoint
OS: Linux
Use Case: Threat Detection
Tactic: Execution
Data Source: Elastic Endgame

Version: 6
Rule authors:

Elastic

Rule license: Elastic License v2

Rule Query

		sequence by host.id with maxspan = 5s
    [process where host.os.type == "linux" and event.type == "start" and process.executable : ("/usr/bin/mkfifo","/usr/bin/mknod") and process.args:("/tmp/*","$*")]
    [process where host.os.type == "linux" and process.executable : ("/bin/sh","/bin/bash") and process.args:("-i") or
        (process.executable: ("/usr/bin/openssl") and process.args: ("-connect"))]
    [process where host.os.type == "linux" and (process.name:("nc","ncat","netcat","netcat.openbsd","netcat.traditional") or
                    (process.name: "openssl" and process.executable: "/usr/bin/openssl"))]
		
	

Framework: MITRE ATT&CK

Tactic:
- Name: Execution
- Id: TA0002
- Reference URL: https://attack.mitre.org/tactics/TA0002/
Technique:
- Name: Command and Scripting Interpreter
- Id: T1059
- Reference URL: https://attack.mitre.org/techniques/T1059/
Sub Technique:
- Name: Unix Shell
- Id: T1059.004
- Reference URL: https://attack.mitre.org/techniques/T1059/004/