[metadata] creation_date = "2020/01/07" maturity = "production" updated_date = "2022/07/06" [rule] author = ["Elastic"] description = "Identifies the execution of a shell process with suspicious arguments which may be indicative of reverse shell activity." from = "now-9m" index = ["auditbeat-*", "logs-endpoint.events.*"] language = "eql" license = "Elastic License v2" name = "Potential Reverse Shell Activity via Terminal" note = """## Setup If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work. """ references = [ "https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/Methodology%20and%20Resources/Reverse%20Shell%20Cheatsheet.md", "https://github.com/WangYihang/Reverse-Shell-Manager", "https://www.netsparker.com/blog/web-security/understanding-reverse-shells/", ] risk_score = 73 rule_id = "a1a0375f-22c2-48c0-81a4-7c2d11cc6856" severity = "high" tags = ["Elastic", "Host", "Linux", "macOS", "Threat Detection", "Execution"] timestamp_override = "event.ingested" type = "eql" query = ''' process where event.type in ("start", "process_started") and process.name in ("sh", "bash", "zsh", "dash", "zmodload") and process.args : ("*/dev/tcp/*", "*/dev/udp/*", "*zsh/net/tcp*", "*zsh/net/udp*") and /* noisy FPs */ not (process.parent.name : "timeout" and process.executable : "/var/lib/docker/overlay*") and not process.command_line : ("*/dev/tcp/sirh_db/*", "*/dev/tcp/remoteiot.com/*", "*dev/tcp/elk.stag.one/*", "*dev/tcp/kafka/*", "*/dev/tcp/$0/$1*", "*/dev/tcp/127.*", "*/dev/udp/127.*", "*/dev/tcp/localhost/*") and not process.parent.command_line : "runc init" ''' [[rule.threat]] framework = "MITRE ATT&CK" [[rule.threat.technique]] id = "T1059" name = "Command and Scripting Interpreter" reference = "https://attack.mitre.org/techniques/T1059/" [rule.threat.tactic] id = "TA0002" name = "Execution" reference = "https://attack.mitre.org/tactics/TA0002/"