feat: add new rules related to linux reverse shells (#4166)

dan21san
2023-04-25 11:03:11 +02:00
committed by GitHub
parent 91bc015216
commit 4b8f70fb97
8 changed files with 245 additions and 5 deletions
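--- /dev/null
+++ b/PATH_NOT_SHOWN_1
@@ -0,0 +1,23 @@
+title: Bash Interactive Shell
+id: 6104e693-a7d6-4891-86cb-49a258523559
+status: experimental
+description: Detects execution of the bash shell with the interactive flag "-i".
+references:
+- https://pentestmonkey.net/cheat-sheet/shells/reverse-shell-cheat-sheet
+- https://www.revshells.com/
+- https://linux.die.net/man/1/bash
+author: '@d4ns4n_'
+date: 2023/04/07
+tags:
+- attack.execution
+logsource:
+category: process_creation
+product: linux
+detection:
+selection:
+Image|endswith: '/bash'
+CommandLine|contains: ' -i '
+condition: selection
+falsepositives:
+- Unknown
+level: low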
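Review bot: `CommandLine|contains: ' -i '` requires a space on both sides, so a command line that ends in `-i` with nothing after the flag is not matched, while any `bash -c` wrapper whose inner command carries its own `-i` (for example `sed -i` or `grep -i`) is. Consider a second selection `CommandLine|endswith: ' -i'` joined with `condition: 1 of selection_*`, and list the wrapped `sed -i`/`grep -i` case under `falsepositives` instead of `Unknown`. The rule also carries only `attack.execution`, whereas the Netcat rule in this commit tags `attack.t1059`; the Unix-shell sub-technique `attack.t1059.004` would fit here.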
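--- /dev/null
+++ b/PATH_NOT_SHOWN_2
@@ -0,0 +1,59 @@
+title: Potential Netcat Reverse Shell Execution
+id: 7f734ed0-4f47-46c0-837f-6ee62505abd9
+status: experimental
+description: Detects execution of netcat with the "-e" flag followed by common shells. This could be a sign of a potential reverse shell setup.
+references:
+- https://pentestmonkey.net/cheat-sheet/shells/reverse-shell-cheat-sheet
+- https://www.revshells.com/
+- https://www.hackingtutorials.org/networking/hacking-netcat-part-2-bind-reverse-shells/
+- https://www.infosecademy.com/netcat-reverse-shells/
+- https://man7.org/linux/man-pages/man1/ncat.1.html
+author: '@d4ns4n_, Nasreddine Bencherchali (Nextron Systems)'
+date: 2023/04/07
+tags:
+- attack.execution
+- attack.t1059
+logsource:
+category: process_creation
+product: linux
+detection:
+selection_nc:
+Image|endswith:
+- '/nc'
+- '/ncat'
+selection_flags:
+CommandLine|contains:
+- ' -c '
+- ' -e '
+selection_shell:
+CommandLine|contains:
+- ' ash'
+- ' bash'
+- ' bsh'
+- ' csh'
+- ' ksh'
+- ' pdksh'
+- ' sh'
+- ' tcsh'
+- '/bin/ash'
+- '/bin/bash'
+- '/bin/bsh'
+- '/bin/csh'
+- '/bin/ksh'
+- '/bin/pdksh'
+- '/bin/sh'
+- '/bin/tcsh'
+- '/bin/zsh'
+- '$IFSash'
+- '$IFSbash'
+- '$IFSbsh'
+- '$IFScsh'
+- '$IFSksh'
+- '$IFSpdksh'
+- '$IFSsh'
+- '$IFStcsh'
+- '$IFSzsh'
+condition: all of selection_*
+falsepositives:
+- Unlikely
+level: high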
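Review bot: `Image|endswith` lists only `/nc` and `/ncat`, so the Debian/Ubuntu binary names `nc.traditional`, `nc.openbsd` and `netcat` fall outside `selection_nc` although they are the same programs; adding `- '/nc.traditional'`, `- '/nc.openbsd'` and `- '/netcat'` closes that gap. The `$IFSbash`-style entries in `selection_shell` are unlikely to ever appear in a logged command line that works, because a POSIX shell reads `$IFSbash` as a single variable named `IFSbash`; the spelling the rule seems to intend is `${IFS}bash`, so either switch these entries or add that form beside them. `selection_flags` also omits the ncat long options `--exec` and `--sh-exec` that the linked ncat man page documents as equivalents of `-e`/`-c`.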
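--- /dev/null
+++ b/PATH_NOT_SHOWN_3
@@ -0,0 +1,31 @@
+title: Potential Perl Reverse Shell Execution
+id: 259df6bc-003f-4306-9f54-4ff1a08fa38e
+status: experimental
+description: Detects execution of the perl binary with the "-e" flag and common strings related to potential reverse shell activity
+references:
+- https://pentestmonkey.net/cheat-sheet/shells/reverse-shell-cheat-sheet
+- https://www.revshells.com/
+author: '@d4ns4n_, Nasreddine Bencherchali (Nextron Systems)'
+date: 2023/04/07
+tags:
+- attack.execution
+logsource:
+category: process_creation
+product: linux
+detection:
+selection_img:
+Image|endswith: '/perl'
+CommandLine|contains: ' -e '
+selection_content:
+- CommandLine|contains|all:
+- 'fdopen('
+- '::Socket::INET'
+- CommandLine|contains|all:
+- 'Socket'
+- 'connect'
+- 'open'
+- 'exec'
+condition: all of selection_*
+falsepositives:
+- Unlikely
+level: high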
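Review bot: Tagging is inconsistent across the rules added here: this rule and the Bash, PHP, Python and Ruby rules carry only `attack.execution`, while the Netcat and Xterm rules also tag `attack.t1059`; all of them describe command-and-scripting-interpreter execution, so `- attack.t1059` (or the interpreter sub-technique, e.g. `attack.t1059.006` for the Python rule) belongs on each. `Image|endswith: '/perl'` may also miss distributions that ship a versioned binary name next to the `perl` symlink, which I would confirm against the target platforms before relying on the endswith form. In the second `selection_content` alternative, `'open'` is already a substring of `'fdopen('` from the first, so the two alternatives overlap; harmless, but worth a one-line comment so nobody "deduplicates" them later.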
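--- /dev/null
+++ b/PATH_NOT_SHOWN_4
@@ -0,0 +1,36 @@
+title: Potential PHP Reverse Shell
+id: c6714a24-d7d5-4283-a36b-3ffd091d5f7e
+status: experimental
+description: |
+Detects usage of the PHP CLI with the "-r" flag which allows it to run inline PHP code. The rule looks for calls to the "fsockopen" function which allows the creation of sockets.
+Attackers often leverage this in combination with functions such as "exec" or "fopen" to initiate a reverse shell connection.
+references:
+- https://pentestmonkey.net/cheat-sheet/shells/reverse-shell-cheat-sheet
+- https://www.revshells.com/
+author: '@d4ns4n_'
+date: 2023/04/07
+tags:
+- attack.execution
+logsource:
+category: process_creation
+product: linux
+detection:
+selection:
+Image|contains: '/php'
+CommandLine|contains|all:
+- ' -r '
+- 'fsockopen'
+CommandLine|contains:
+- 'ash'
+- 'bash'
+- 'bsh'
+- 'csh'
+- 'ksh'
+- 'pdksh'
+- 'sh'
+- 'tcsh'
+- 'zsh'
+condition: selection
+falsepositives:
+- Unknown
+level: high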
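Review bot: In the `CommandLine|contains` list every entry (`ash`, `bash`, `bsh`, `csh`, `ksh`, `pdksh`, `tcsh`, `zsh`) contains `sh`, so the list is equivalent to the single value `'sh'` and the other eight entries are dead. A bare `sh` substring also matches a great deal of ordinary inline PHP (`shell_exec`, `hash`, `fresh`), so that part of the selection is close to a no-op rather than a shell filter; the anchored forms the Netcat and Ruby rules in this commit use (`- '/bin/sh'`, `- ' bash'`, …) would make it meaningful. `Image|contains: '/php'` additionally matches any executable whose path has a segment starting with `/php` (e.g. `/php-fpm` or anything under a `/php/` directory); `Image|endswith` with the CLI binary names would be tighter.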
@@ -1,7 +1,10 @@
title: Python Spawning Pretty TTY
id: c4042d54-110d-45dd-a0e1-05c47822c937
related:
- id: 32e62bc7-3de0-4bb1-90af-532978fe42c0
type: similar
status: experimental
description: Detects python spawning a pretty tty
description: Detects python spawning a pretty tty which could be indicative of potential reverse shell activity
references:
- https://www.volexity.com/blog/2022/06/02/zero-day-exploitation-of-atlassian-confluence/
author: Nextron Systems
@@ -13,17 +16,17 @@ logsource:
category: process_creation
product: linux
detection:
selection_image:
selection_img:
Image|contains:
- '/python2.' # python image is always of the form ../python3.10; ../python is just a symlink
- '/python3.'
selection_cli1:
selection_cli_1:
CommandLine|contains|all:
- 'import pty'
- '.spawn('
selection_cli2:
selection_cli_2:
CommandLine|contains: 'from pty import spawn'
condition: selection_image and 1 of selection_cli*
condition: selection_img and 1 of selection_cli_*
falsepositives:
- Unknown
level: high
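--- /dev/null
+++ b/PATH_NOT_SHOWN_5
@@ -0,0 +1,30 @@
+title: Potential Python Reverse Shell
+id: 32e62bc7-3de0-4bb1-90af-532978fe42c0
+related:
+- id: c4042d54-110d-45dd-a0e1-05c47822c937
+type: similar
+status: experimental
+description: Detects executing python with keywords related to network activity that could indicate a potential reverse shell
+references:
+- https://pentestmonkey.net/cheat-sheet/shells/reverse-shell-cheat-sheet
+- https://www.revshells.com/
+author: '@d4ns4n_, Nasreddine Bencherchali (Nextron Systems)'
+date: 2023/04/24
+tags:
+- attack.execution
+logsource:
+category: process_creation
+product: linux
+detection:
+selection:
+Image|contains: 'python'
+CommandLine|contains|all:
+- ' -c '
+- 'import'
+- 'pty'
+- 'spawn('
+- '.connect'
+condition: selection
+falsepositives:
+- Unknown
+level: high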
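Review bot: `Image|contains: 'python'` matches any executable path containing that substring, including scripts and helper binaries living under a `python…` directory, and is looser than the `'/python2.'`/`'/python3.'` form used by the related Pretty-TTY rule (`c4042d54-…`) that this rule links via `related: similar`; aligning the two keeps the pair consistent. Because `CommandLine|contains|all` requires both `'pty'` and `'spawn('`, the selection only covers the pty-based variant from the referenced cheat sheets, not the others listed there; that coverage boundary is worth stating in `description`, e.g. `description: Detects python invoked with "-c" and the pty/spawn/connect keywords of the pty-based reverse shell variant; other variants are out of scope`.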
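--- /dev/null
+++ b/PATH_NOT_SHOWN_6
@@ -0,0 +1,34 @@
+title: Potential Ruby Reverse Shell
+id: b8bdac18-c06e-4016-ac30-221553e74f59
+status: experimental
+description: Detects execution of ruby with the "-e" flag and calls to "socket" related functions. This could be an indication of a potential attempt to setup a reverse shell
+references:
+- https://pentestmonkey.net/cheat-sheet/shells/reverse-shell-cheat-sheet
+- https://www.revshells.com/
+author: '@d4ns4n_'
+date: 2023/04/07
+tags:
+- attack.execution
+logsource:
+category: process_creation
+product: linux
+detection:
+selection:
+Image|contains: 'ruby'
+CommandLine|contains|all:
+- ' -e'
+- 'rsocket'
+- 'TCPSocket'
+CommandLine|contains:
+- ' ash'
+- ' bash'
+- ' bsh'
+- ' csh'
+- ' ksh'
+- ' pdksh'
+- ' sh'
+- ' tcsh'
+condition: selection
+falsepositives:
+- Unknown
+level: medium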
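Review bot: `' -e'` has no trailing space, unlike the `' -e '` used in the Perl and Netcat rules of this commit, so it also matches any argument that merely starts with `-e`; and `'rsocket'` only matches the attached form `-rsocket`, while the equally valid spaced form `-r socket` (or an inline `require`) is not matched, which makes the `contains|all` block both too loose on the flag and too strict on the library load. Consider `- ' -e '` in the all-list and moving the library check into its own selection, `CommandLine|contains: ['-rsocket', '-r socket', 'require']`, joined with `all of selection_*`. `Image|contains: 'ruby'` is broad in the same way as the Python rule (anything under a `ruby…` directory, `jruby`, gem wrapper scripts); `Image|endswith: '/ruby'` would be tighter.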
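--- /dev/null
+++ b/PATH_NOT_SHOWN_7
@@ -0,0 +1,24 @@
+title: Potential Xterm Reverse Shell
+id: 4e25af4b-246d-44ea-8563-e42aacab006b
+status: experimental
+description: Detects usage of "xterm" as a potential reverse shell tunnel
+references:
+- https://pentestmonkey.net/cheat-sheet/shells/reverse-shell-cheat-sheet
+- https://www.revshells.com/
+author: '@d4ns4n_'
+date: 2023/04/24
+tags:
+- attack.execution
+- attack.t1059
+logsource:
+category: process_creation
+product: linux
+detection:
+selection:
+Image|contains: 'xterm'
+CommandLine|contains: '-display'
+CommandLine|endswith: ':1'
+condition: selection
+falsepositives:
+- Unknown
+level: medium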
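Review bot: `CommandLine|endswith: ':1'` pins the rule to display number 1 as the very last characters of the command line, so a remote display `host:0`/`host:2`, or any invocation with a further argument after `-display`, is not matched, while a legitimate local `xterm -display :1` on a multi-seat host does match. A regex that requires a host part in front of the display number, such as `CommandLine|re: '-display\s+[^\s:]+:\d+'`, covers the remote-display form the referenced cheat sheet describes without hard-coding the number and without firing on the local case. `Image|contains: 'xterm'` also matches wrapper scripts like `uxterm`; `Image|endswith: '/xterm'` would be tighter, and the local-display case should appear under `falsepositives` rather than `Unknown`.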