Potential Reverse Shell via UDP | Elastic Security Solution [8.8]

IMPORTANT: No additional bug fixes or documentation updates will be released for this version. For the latest information, see the current release documentation.

› › ›

« Potential Reverse Shell via Suspicious Child Process Potential SSH-IT SSH Worm Downloaded »

Potential Reverse Shell via UDPedit

This detection rule identifies suspicious network traffic patterns associated with UDP reverse shell activity. This activity consists of a sample of an execve, socket and connect syscall executed by the same process, where the auditd.data.a0-1 indicate a UDP connection, ending with an egress connection event. An attacker may establish a Linux UDP reverse shell to bypass traditional firewall restrictions and gain remote access to a target system covertly.

Rule type: eql

Rule indices:

auditbeat-*
logs-auditd_manager.auditd-*

Severity: medium

Risk score: 47

Runs every: 5m

Searches indices from: now-9m (Date Math format, see also Additional look-back time)

Maximum alerts per execution: 100

References:

https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/Methodology%20and%20Resources/Reverse%20Shell%20Cheatsheet.md

Tags:

Domain: Endpoint
OS: Linux
Use Case: Threat Detection
Tactic: Execution

Version: 3

Rule authors:

Elastic

Rule license: Elastic License v2

Rule queryedit

sample by host.id, process.pid, process.parent.pid
[process where host.os.type == "linux" and event.dataset == "auditd_manager.auditd" and
 auditd.data.syscall == "execve" and process.name : ("bash", "dash", "sh", "tcsh",
 "csh", "zsh", "ksh", "fish", "perl", "python*", "nc", "ncat", "netcat", "php*", "ruby",
 "openssl", "awk", "telnet", "lua*", "socat")]
[process where host.os.type == "linux" and event.dataset == "auditd_manager.auditd" and
 auditd.data.syscall == "socket" and process.name : ("bash", "dash", "sh", "tcsh", "csh",
 "zsh", "ksh", "fish", "perl", "python*", "nc", "ncat", "netcat", "php*", "ruby", "openssl",
 "awk", "telnet", "lua*", "socat") and auditd.data.a0 == "2" and auditd.data.a1 : ("2", "802")]
[network where host.os.type == "linux" and event.dataset == "auditd_manager.auditd" and
 auditd.data.syscall == "connect" and process.name : ("bash", "dash", "sh", "tcsh", "csh",
 "zsh", "ksh", "fish", "perl", "python*", "nc", "ncat", "netcat", "php*", "ruby", "openssl",
 "awk", "telnet", "lua*", "socat") and network.direction == "egress" and destination.ip != null and
 destination.ip != "127.0.0.1" and destination.ip != "127.0.0.53" and destination.ip != "::1"]

Framework: MITRE ATT&CK^TM

Tactic:
- Name: Execution
- ID: TA0002
- Reference URL: https://attack.mitre.org/tactics/TA0002/
Technique:
- Name: Command and Scripting Interpreter
- ID: T1059
- Reference URL: https://attack.mitre.org/techniques/T1059/
Sub-technique:
- Name: Unix Shell
- ID: T1059.004
- Reference URL: https://attack.mitre.org/techniques/T1059/004/
Tactic:
- Name: Command and Control
- ID: TA0011
- Reference URL: https://attack.mitre.org/tactics/TA0011/
Technique:
- Name: Application Layer Protocol
- ID: T1071
- Reference URL: https://attack.mitre.org/techniques/T1071/

« Potential Reverse Shell via Suspicious Child Process Potential SSH-IT SSH Worm Downloaded »