From 4b8f70fb97e497660da32f25d122cd51ec637cc2 Mon Sep 17 00:00:00 2001 From: dan21san <98960305+dan21san@users.noreply.github.com> Date: Tue, 25 Apr 2023 11:03:11 +0200 Subject: [PATCH] feat: add new rules related to linux reverse shells (#4166) --- ...oc_creation_lnx_bash_interactive_shell.yml | 23 ++++++++ ...proc_creation_lnx_netcat_reverse_shell.yml | 59 +++++++++++++++++++ .../proc_creation_lnx_perl_reverse_shell.yml | 31 ++++++++++ .../proc_creation_lnx_php_reverse_shell.yml | 36 +++++++++++ .../proc_creation_lnx_python_pty_spawn.yml | 13 ++-- ...proc_creation_lnx_python_reverse_shell.yml | 30 ++++++++++ .../proc_creation_lnx_ruby_reverse_shell.yml | 34 +++++++++++ .../proc_creation_lnx_xterm_reverse_shell.yml | 24 ++++++++ 8 files changed, 245 insertions(+), 5 deletions(-) create mode 100644 rules/linux/process_creation/proc_creation_lnx_bash_interactive_shell.yml create mode 100644 rules/linux/process_creation/proc_creation_lnx_netcat_reverse_shell.yml create mode 100644 rules/linux/process_creation/proc_creation_lnx_perl_reverse_shell.yml create mode 100644 rules/linux/process_creation/proc_creation_lnx_php_reverse_shell.yml create mode 100644 rules/linux/process_creation/proc_creation_lnx_python_reverse_shell.yml create mode 100644 rules/linux/process_creation/proc_creation_lnx_ruby_reverse_shell.yml create mode 100644 rules/linux/process_creation/proc_creation_lnx_xterm_reverse_shell.yml diff --git a/rules/linux/process_creation/proc_creation_lnx_bash_interactive_shell.yml b/rules/linux/process_creation/proc_creation_lnx_bash_interactive_shell.yml new file mode 100644 index 000000000..f91f893d6 --- /dev/null +++ b/rules/linux/process_creation/proc_creation_lnx_bash_interactive_shell.yml 
@@ -0,0 +1,23 @@ +title: Bash Interactive Shell +id: 6104e693-a7d6-4891-86cb-49a258523559 +status: experimental +description: Detects execution of the bash shell with the interactive flag "-i". +references: + - https://pentestmonkey.net/cheat-sheet/shells/reverse-shell-cheat-sheet + - https://www.revshells.com/ + - https://linux.die.net/man/1/bash +author: '@d4ns4n_' +date: 2023/04/07 +tags: + - attack.execution +logsource: + category: process_creation + product: linux +detection: + selection: + Image|endswith: '/bash' + CommandLine|contains: ' -i ' + condition: selection +falsepositives: + - Unknown +level: low diff --git a/rules/linux/process_creation/proc_creation_lnx_netcat_reverse_shell.yml b/rules/linux/process_creation/proc_creation_lnx_netcat_reverse_shell.yml new file mode 100644 index 000000000..a8949f5d4 --- /dev/null +++ b/rules/linux/process_creation/proc_creation_lnx_netcat_reverse_shell.yml 
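Review bot: The flag match `CommandLine|contains: ' -i '` needs a space on both sides of `-i`, so a command line that ends in `-i` (for example the `/bin/bash -i` child that `nc -e '/bin/bash -i'` spawns) and combined forms such as `bash -li` or `bash -ic` are not detected. I would split the selection so the flag can also be the last token: `selection_img: Image|endswith: '/bash'`, then `selection_flag:` as a two-item list `- CommandLine|contains: ' -i '` / `- CommandLine|endswith: ' -i'`, with `condition: all of selection_*`. The sibling rules in this patch tag `attack.t1059`; for a Unix shell `attack.t1059.004` would be the consistent and more specific tag here. Interactive bash is also started legitimately by users and by tooling, so the `falsepositives: Unknown` entry should presumably mention that this will fire on ordinary interactive sessions, which is why `level: low` is appropriate.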
@@ -0,0 +1,59 @@ +title: Potential Netcat Reverse Shell Execution +id: 7f734ed0-4f47-46c0-837f-6ee62505abd9 +status: experimental +description: Detects execution of netcat with the "-e" flag followed by common shells. This could be a sign of a potential reverse shell setup. +references: + - https://pentestmonkey.net/cheat-sheet/shells/reverse-shell-cheat-sheet + - https://www.revshells.com/ + - https://www.hackingtutorials.org/networking/hacking-netcat-part-2-bind-reverse-shells/ + - https://www.infosecademy.com/netcat-reverse-shells/ + - https://man7.org/linux/man-pages/man1/ncat.1.html +author: '@d4ns4n_, Nasreddine Bencherchali (Nextron Systems)' +date: 2023/04/07 +tags: + - attack.execution + - attack.t1059 +logsource: + category: process_creation + product: linux +detection: + selection_nc: + Image|endswith: + - '/nc' + - '/ncat' + selection_flags: + CommandLine|contains: + - ' -c ' + - ' -e ' + selection_shell: + CommandLine|contains: + - ' ash' + - ' bash' + - ' bsh' + - ' csh' + - ' ksh' + - ' pdksh' + - ' sh' + - ' tcsh' + - '/bin/ash' + - '/bin/bash' + - '/bin/bsh' + - '/bin/csh' + - '/bin/ksh' + - '/bin/pdksh' + - '/bin/sh' + - '/bin/tcsh' + - '/bin/zsh' + - '$IFSash' + - '$IFSbash' + - '$IFSbsh' + - '$IFScsh' + - '$IFSksh' + - '$IFSpdksh' + - '$IFSsh' + - '$IFStcsh' + - '$IFSzsh' + condition: all of selection_* +falsepositives: + - Unlikely +level: high diff --git a/rules/linux/process_creation/proc_creation_lnx_perl_reverse_shell.yml b/rules/linux/process_creation/proc_creation_lnx_perl_reverse_shell.yml new file mode 100644 index 000000000..60cb2bfeb --- /dev/null +++ b/rules/linux/process_creation/proc_creation_lnx_perl_reverse_shell.yml 
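Review bot: `selection_nc` only matches images ending in `/nc` or `/ncat`, but on Debian-family systems `nc` is an alternatives symlink and the executed image is typically `nc.traditional` or `nc.openbsd`; `nc.traditional` is precisely the variant that still supports `-e`, so the most relevant binary slips through, as does a plain `netcat` binary name. `selection_flags` also covers only the short options, while the referenced ncat man page documents the equivalent long forms `--exec` and `--sh-exec`, which an attacker can use verbatim. Both lists are cheap to extend without touching the shell-name selection.

```yaml
  selection_nc:
    Image|endswith:
      - '/nc'
      - '/ncat'
      - '/netcat'
      - '/nc.traditional'
      - '/nc.openbsd'
  selection_flags:
    CommandLine|contains:
      - ' -c '
      - ' -e '
      - ' --exec '
      - ' --sh-exec '
  # … unchanged: selection_shell list and condition …
```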
@@ -0,0 +1,31 @@ +title: Potential Perl Reverse Shell Execution +id: 259df6bc-003f-4306-9f54-4ff1a08fa38e +status: experimental +description: Detects execution of the perl binary with the "-e" flag and common strings related to potential reverse shell activity +references: + - https://pentestmonkey.net/cheat-sheet/shells/reverse-shell-cheat-sheet + - https://www.revshells.com/ +author: '@d4ns4n_, Nasreddine Bencherchali (Nextron Systems)' +date: 2023/04/07 +tags: + - attack.execution +logsource: + category: process_creation + product: linux +detection: + selection_img: + Image|endswith: '/perl' + CommandLine|contains: ' -e ' + selection_content: + - CommandLine|contains|all: + - 'fdopen(' + - '::Socket::INET' + - CommandLine|contains|all: + - 'Socket' + - 'connect' + - 'open' + - 'exec' + condition: all of selection_* +falsepositives: + - Unlikely +level: high diff --git a/rules/linux/process_creation/proc_creation_lnx_php_reverse_shell.yml b/rules/linux/process_creation/proc_creation_lnx_php_reverse_shell.yml new file mode 100644 index 000000000..37c588ba6 --- /dev/null +++ b/rules/linux/process_creation/proc_creation_lnx_php_reverse_shell.yml 
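Review bot: The second `selection_content` alternative requires the literal `exec`, so a one-liner that opens the socket with `Socket`/`connect`/`open(STDIN,">&S")` and then calls `system("/bin/sh -i")` instead of `exec` is not matched unless it also happens to contain `fdopen(` and `::Socket::INET`. `system` is the other obvious way to hand the duplicated descriptors to a shell, so I would add a third alternative, e.g. `- CommandLine|contains|all: ['Socket', 'connect', 'open', 'system']`. Separately, `Image|endswith: '/perl'` presumably misses versioned interpreter binaries such as `perl5.34.0` when `/usr/bin/perl` is a symlink and the logged image is the resolved target; worth confirming against the telemetry source before relying on it.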
@@ -0,0 +1,36 @@ +title: Potential PHP Reverse Shell +id: c6714a24-d7d5-4283-a36b-3ffd091d5f7e +status: experimental +description: | + Detects usage of the PHP CLI with the "-r" flag which allows it to run inline PHP code. The rule looks for calls to the "fsockopen" function which allows the creation of sockets. + Attackers often leverage this in combination with functions such as "exec" or "fopen" to initiate a reverse shell connection. +references: + - https://pentestmonkey.net/cheat-sheet/shells/reverse-shell-cheat-sheet + - https://www.revshells.com/ +author: '@d4ns4n_' +date: 2023/04/07 +tags: + - attack.execution +logsource: + category: process_creation + product: linux +detection: + selection: + Image|contains: '/php' + CommandLine|contains|all: + - ' -r ' + - 'fsockopen' + CommandLine|contains: + - 'ash' + - 'bash' + - 'bsh' + - 'csh' + - 'ksh' + - 'pdksh' + - 'sh' + - 'tcsh' + - 'zsh' + condition: selection +falsepositives: + - Unknown +level: high diff --git a/rules/linux/process_creation/proc_creation_lnx_python_pty_spawn.yml b/rules/linux/process_creation/proc_creation_lnx_python_pty_spawn.yml index f8bb8e7f8..f7eb84dc4 100644 --- a/rules/linux/process_creation/proc_creation_lnx_python_pty_spawn.yml +++ b/rules/linux/process_creation/proc_creation_lnx_python_pty_spawn.yml @@ -1,7 +1,10 @@ title: Python Spawning Pretty TTY id: c4042d54-110d-45dd-a0e1-05c47822c937 +related: + - id: 32e62bc7-3de0-4bb1-90af-532978fe42c0 + type: similar status: experimental -description: Detects python spawning a pretty tty +description: Detects python spawning a pretty tty which could be indicative of potential reverse shell activity references: - https://www.volexity.com/blog/2022/06/02/zero-day-exploitation-of-atlassian-confluence/ author: Nextron Systems 
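Review bot: The shell-name list in `selection` is effectively a single pattern: every entry (`ash`, `bash`, `bsh`, `csh`, `ksh`, `pdksh`, `tcsh`, `zsh`) contains the substring `sh`, and `sh` on its own also matches `shell_exec`, `stream_socket_client`, and most other PHP identifiers, so the third condition adds almost no selectivity. I would anchor the entries the way the netcat rule in this patch does, with `/bin/`-prefixed and space-prefixed forms such as `'/bin/sh'` and `' sh'`, so that the match actually requires a shell path or a shell argument. The socket side is also narrower than it needs to be: `fsockopen` is one of two standard ways to open a TCP connection in PHP, and a one-liner using `stream_socket_client("tcp://...")` bypasses the rule entirely, so `- 'fsockopen'` should become a list alternative alongside `- 'stream_socket_client'`.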
@@ -13,17 +16,17 @@ logsource: category: process_creation product: linux detection: - selection_image: + selection_img: Image|contains: - '/python2.' # python image is always of the form ../python3.10; ../python is just a symlink - '/python3.' - selection_cli1: + selection_cli_1: CommandLine|contains|all: - 'import pty' - '.spawn(' - selection_cli2: + selection_cli_2: CommandLine|contains: 'from pty import spawn' - condition: selection_image and 1 of selection_cli* + condition: selection_img and 1 of selection_cli_* falsepositives: - Unknown level: high diff --git a/rules/linux/process_creation/proc_creation_lnx_python_reverse_shell.yml b/rules/linux/process_creation/proc_creation_lnx_python_reverse_shell.yml new file mode 100644 index 000000000..32e41d206 --- /dev/null +++ b/rules/linux/process_creation/proc_creation_lnx_python_reverse_shell.yml @@ -0,0 +1,30 @@ +title: Potential Python Reverse Shell +id: 32e62bc7-3de0-4bb1-90af-532978fe42c0 +related: + - id: c4042d54-110d-45dd-a0e1-05c47822c937 + type: similar +status: experimental +description: Detects executing python with keywords related to network activity that could indicate a potential reverse shell +references: + - https://pentestmonkey.net/cheat-sheet/shells/reverse-shell-cheat-sheet + - https://www.revshells.com/ +author: '@d4ns4n_, Nasreddine Bencherchali (Nextron Systems)' +date: 2023/04/24 +tags: + - attack.execution +logsource: + category: process_creation + product: linux +detection: + selection: + Image|contains: 'python' + CommandLine|contains|all: + - ' -c ' + - 'import' + - 'pty' + - 'spawn(' + - '.connect' + condition: selection +falsepositives: + - Unknown +level: high diff --git a/rules/linux/process_creation/proc_creation_lnx_ruby_reverse_shell.yml b/rules/linux/process_creation/proc_creation_lnx_ruby_reverse_shell.yml new file mode 100644 index 000000000..2aad0ebf3 --- /dev/null +++ b/rules/linux/process_creation/proc_creation_lnx_ruby_reverse_shell.yml 
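Review bot: The new `proc_creation_lnx_python_reverse_shell.yml` requires `pty` and `spawn(` in the same command line as `' -c '`, `import` and `.connect`, which means it only catches the `pty.spawn("/bin/sh")` variant and misses the widely used `socket.connect` + `os.dup2(s.fileno(), 0/1/2)` + `subprocess.call(["/bin/sh","-i"])` one-liner that the referenced cheat sheets list; that variant has no `pty` and no `spawn(`. Since the `pty.spawn` case is already covered by the related rule `c4042d54-110d-45dd-a0e1-05c47822c937` modified in this same commit, the new rule as written adds little. I would keep the network keywords mandatory and make the execution primitive an OR between the pty and the dup2/subprocess forms.

```yaml
detection:
  selection_img:
    Image|contains: 'python'
    CommandLine|contains|all:
      - ' -c '
      - 'import'
      - '.connect'
  selection_exec:
    - CommandLine|contains|all:
        - 'pty'
        - 'spawn('
    - CommandLine|contains|all:
        - 'dup2('
        - 'subprocess'
  condition: all of selection_*
```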
@@ -0,0 +1,34 @@ +title: Potential Ruby Reverse Shell +id: b8bdac18-c06e-4016-ac30-221553e74f59 +status: experimental +description: Detects execution of ruby with the "-e" flag and calls to "socket" related functions. This could be an indication of a potential attempt to setup a reverse shell +references: + - https://pentestmonkey.net/cheat-sheet/shells/reverse-shell-cheat-sheet + - https://www.revshells.com/ +author: '@d4ns4n_' +date: 2023/04/07 +tags: + - attack.execution +logsource: + category: process_creation + product: linux +detection: + selection: + Image|contains: 'ruby' + CommandLine|contains|all: + - ' -e' + - 'rsocket' + - 'TCPSocket' + CommandLine|contains: + - ' ash' + - ' bash' + - ' bsh' + - ' csh' + - ' ksh' + - ' pdksh' + - ' sh' + - ' tcsh' + condition: selection +falsepositives: + - Unknown +level: medium diff --git a/rules/linux/process_creation/proc_creation_lnx_xterm_reverse_shell.yml b/rules/linux/process_creation/proc_creation_lnx_xterm_reverse_shell.yml new file mode 100644 index 000000000..6c3ece2e1 --- /dev/null +++ b/rules/linux/process_creation/proc_creation_lnx_xterm_reverse_shell.yml @@ -0,0 +1,24 @@ +title: Potential Xterm Reverse Shell +id: 4e25af4b-246d-44ea-8563-e42aacab006b +status: experimental +description: Detects usage of "xterm" as a potential reverse shell tunnel +references: + - https://pentestmonkey.net/cheat-sheet/shells/reverse-shell-cheat-sheet + - https://www.revshells.com/ +author: '@d4ns4n_' +date: 2023/04/24 +tags: + - attack.execution + - attack.t1059 +logsource: + category: process_creation + product: linux +detection: + selection: + Image|contains: 'xterm' + CommandLine|contains: '-display' + CommandLine|endswith: ':1' + condition: selection +falsepositives: + - Unknown +level: medium
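Review bot: Every entry in the trailing `CommandLine|contains` shell list carries a leading space (`' sh'`, `' bash'`, …), but inside Ruby `-e` code the shell is almost always written as a quoted string or path, e.g. `exec sprintf("/bin/sh -i <&%d >&%d >&%d", f, f, f)` or `spawn("sh", ...)`, and neither `"/bin/sh` nor `"sh"` contains a space-prefixed shell name, so the typical one-liners fail this condition even though they satisfy `-e`, `rsocket` and `TCPSocket`. I would extend the list with the `/bin/`-prefixed forms the netcat rule in this patch already uses (`'/bin/sh'`, `'/bin/bash'`, …), add the quoted bare names such as `'"sh"'` and `"'sh'"`, and include `zsh`, which is present in the netcat list but missing here. Requiring `rsocket` is also an assumption about style: `-rsocket` is shorthand for `require 'socket'`, and a payload that does the `require` inside the `-e` code would not match; adding `require` + `socket` as an alternative to `rsocket` closes that.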
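Review bot: `CommandLine|endswith: ':1'` in the xterm rule pins the detection to X display number 1, so `xterm -display 10.0.0.1:0` or `:2` evades it with no change to the technique, and it also misses any trailing argument after the display. The display number is not the signal here; the remote `host:display` value is, so I would replace the endswith with a pattern over the argument itself, e.g. `CommandLine|re: '-display\s+\S+:\d+'`, or at minimum a list of `':0'` through `':9'` if the backend cannot do regex. Note that `-display` pointing at a remote host is also legitimate X11 usage, which supports keeping `level: medium` and naming that case under `falsepositives` instead of `Unknown`.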