Terrance DeJesus
532245cc20
* added 'Uncommon Process Execution from Suspicious Directory' hunt
* adds all linux hunting files
* moves linux hunting files to queries folder
* adds generated docs
* fixing windows hunts
* fixing windows hunts
* updated README
* Removed 2, updated a few, changed some names/descriptions and added list of str
* updated windows for language schema changes, regenerated docs; updated README and index
* changed UUIDs to hex only with standard hyphen format
* removing unecessary docs
* Fixed queries based on Samir feedback
* ++
* regenerating linux docs
* Update hunting/linux/queries/command_and_control_via_network_connections_with_low_occurrence_frequency_for_unique_agents.toml
Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com>
* Update hunting/linux/queries/defense_evasion_via_hidden_process_execution.toml
Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com>
* Update hunting/linux/queries/command_and_control_via_unusual_file_downloads_from_source_addresses.toml
Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com>
* Update hunting/linux/queries/defense_evasion_via_capitalized_process_execution.toml
Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com>
* Update hunting/linux/queries/defense_evasion_via_hidden_process_execution.toml
Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com>
* Updates
* Update
* Update hunting/linux/queries/command_and_control_via_network_connections_with_low_occurrence_frequency_for_unique_agents.toml
Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com>
* Updates
* regenerating linux docs
---------
Co-authored-by: Ruben Groenewoud <78494512+Aegrah@users.noreply.github.com>
Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com>
(cherry picked from commit f0b2cb7c87)
1.9 KiB
1.9 KiB
Persistence Through Reverse/Bind Shells
Metadata
-
Author: Elastic
-
Description: This hunt provides several OSQuery queries that can aid in the detection of reverse/bind shells. Reverse shells are a type of shell in which the target machine communicates back to the attacking machine. Bind shells are a type of shell in which the target machine opens a communication port on the victim machine and waits for an attacker to connect to it. These shells can be used by attackers to gain remote access to a system.
-
UUID:
7422faf1-ba51-49c3-b8ba-13759e6bcec4 -
Integration: endpoint
-
Language:
[SQL]
Query
SELECT (
CASE family
WHEN 2 THEN 'IP4'
WHEN 10 THEN 'IP6'
ELSE family END
) AS family, (
CASE protocol
WHEN 6 THEN 'TCP'
WHEN 17 THEN 'UDP'
ELSE protocol END
) AS protocol, local_address, local_port,
remote_address, remote_port
FROM process_open_sockets
WHERE family IN (2, 10)
AND protocol IN (6, 17)
SELECT cmdline, name, path, pid, state, threads, total_size
FROM processes
WHERE cmdline != ''
SELECT pid, address, port, socket, protocol, path FROM listening_ports
Notes
- The hunt provides OSQuery queries to detect reverse/bind shells on Linux systems.
- The first hunt query retrieves information about open sockets on the system.
- The second hunt query retrieves information about running processes on the system.
- The third hunt query retrieves information about listening ports on the system.
- Investigate strange or unexpected open sockets, processes, or listening ports on the system.
- Use the information from each hunt to pivot and investigate further for potential reverse/bind shells.
MITRE ATT&CK Techniques
License
Elastic License v2