hunting/linux/docs/persistence_reverse_bind_shells.md

# Persistence Through Reverse/Bind Shells

---

## Metadata

- **Author:** Elastic
- **Description:** This hunt provides several OSQuery queries that can aid in the detection of reverse/bind shells. Reverse shells are a type of shell in which the target machine communicates back to the attacking machine. Bind shells are a type of shell in which the target machine opens a communication port on the victim machine and waits for an attacker to connect to it. These shells can be used by attackers to gain remote access to a system.

- **UUID:** `7422faf1-ba51-49c3-b8ba-13759e6bcec4`
- **Integration:** [endpoint](https://docs.elastic.co/integrations/endpoint)
- **Language:** `[SQL]`

## Query

```sql
SELECT (
  CASE family 
  WHEN 2 THEN 'IP4' 
  WHEN 10 THEN 'IP6' 
  ELSE family END
) AS family, (
  CASE protocol 
  WHEN 6 THEN 'TCP' 
  WHEN 17 THEN 'UDP' 
  ELSE protocol END
) AS protocol, local_address, local_port, 
  remote_address, remote_port 
FROM process_open_sockets 
WHERE family IN (2, 10) 
AND protocol IN (6, 17) 
```

```sql
SELECT cmdline, name, path, pid, state, threads, total_size 
FROM processes 
WHERE cmdline != ''
```

```sql
SELECT pid, address, port, socket, protocol, path FROM listening_ports
```

## Notes

- The hunt provides OSQuery queries to detect reverse/bind shells on Linux systems.
- The first hunt query retrieves information about open sockets on the system.
- The second hunt query retrieves information about running processes on the system.
- The third hunt query retrieves information about listening ports on the system.
- Investigate strange or unexpected open sockets, processes, or listening ports on the system.
- Use the information from each hunt to pivot and investigate further for potential reverse/bind shells.
## MITRE ATT&CK Techniques

- [T1059.004](https://attack.mitre.org/techniques/T1059/004)

## License

- `Elastic License v2`
[New Hunt] Add Initial Linux Hunting Files (#3847 ) 2024-07-05 14:01:12 -04:00			`# Persistence Through Reverse/Bind Shells`

			`---`

			`## Metadata`

			`- Author: Elastic`
			`- Description: This hunt provides several OSQuery queries that can aid in the detection of reverse/bind shells. Reverse shells are a type of shell in which the target machine communicates back to the attacking machine. Bind shells are a type of shell in which the target machine opens a communication port on the victim machine and waits for an attacker to connect to it. These shells can be used by attackers to gain remote access to a system.`

			- UUID: `7422faf1-ba51-49c3-b8ba-13759e6bcec4`
			`- Integration: [endpoint](https://docs.elastic.co/integrations/endpoint)`
			- Language: `[SQL]`

			`## Query`

			```sql
			`SELECT (`
			`CASE family`
			`WHEN 2 THEN 'IP4'`
			`WHEN 10 THEN 'IP6'`
			`ELSE family END`
			`) AS family, (`
			`CASE protocol`
			`WHEN 6 THEN 'TCP'`
			`WHEN 17 THEN 'UDP'`
			`ELSE protocol END`
			`) AS protocol, local_address, local_port,`
			`remote_address, remote_port`
			`FROM process_open_sockets`
			`WHERE family IN (2, 10)`
			`AND protocol IN (6, 17)`
			```

			```sql
			`SELECT cmdline, name, path, pid, state, threads, total_size`
			`FROM processes`
			`WHERE cmdline != ''`
			```

			```sql
			`SELECT pid, address, port, socket, protocol, path FROM listening_ports`
			```

			`## Notes`

			`- The hunt provides OSQuery queries to detect reverse/bind shells on Linux systems.`
			`- The first hunt query retrieves information about open sockets on the system.`
			`- The second hunt query retrieves information about running processes on the system.`
			`- The third hunt query retrieves information about listening ports on the system.`
			`- Investigate strange or unexpected open sockets, processes, or listening ports on the system.`
			`- Use the information from each hunt to pivot and investigate further for potential reverse/bind shells.`
			`## MITRE ATT&CK Techniques`

			`- [T1059.004](https://attack.mitre.org/techniques/T1059/004)`

			`## License`

			- `Elastic License v2`