IMPORTANT: No additional bug fixes or documentation updates will be released for this version. For the latest information, see the current release documentation.
Elastic Docs Elastic Security Solution [8.8] Detections and alerts Prebuilt rule reference
« Potential Remote File Execution via MSIEXEC Potential Reverse Shell Activity via Terminal »

Potential Reverse Shelledit

This detection rule identifies suspicious network traffic patterns associated with TCP reverse shell activity. This activity consists of a parent-child relationship where a network event is followed by the creation of a shell process. An attacker may establish a Linux TCP reverse shell to gain remote access to a target system.

Rule type: eql

Rule indices:

  • logs-endpoint.events.*

Severity: medium

Risk score: 47

Runs every: 5m

Searches indices from: now-9m (Date Math format, see also Additional look-back time)

Maximum alerts per execution: 100

References:

Tags:

  • Domain: Endpoint
  • OS: Linux
  • Use Case: Threat Detection
  • Tactic: Execution
  • Data Source: Elastic Defend

Version: 6

Rule authors:

  • Elastic

Rule license: Elastic License v2

Rule queryedit

sequence by host.id with maxspan=1s
  [network where host.os.type == "linux" and event.type == "start" and event.action in ("connection_attempted", "connection_accepted") and
   process.name : ("bash", "dash", "sh", "tcsh", "csh", "zsh", "ksh", "fish", "socat") and
   destination.ip != null and destination.ip != "127.0.0.1" and destination.ip != "::1"] by process.entity_id
  [process where host.os.type == "linux" and event.type == "start" and event.action in ("exec", "fork") and
   process.name in ("bash", "dash", "sh", "tcsh", "csh", "zsh", "ksh", "fish") and
   process.parent.name in ("bash", "dash", "sh", "tcsh", "csh", "zsh", "ksh", "fish", "socat") and not
   process.args : "*imunify360-agent*"] by process.parent.entity_id

Framework: MITRE ATT&CKTM

« Potential Remote File Execution via MSIEXEC Potential Reverse Shell Activity via Terminal »