Terrance DeJesus
f0b2cb7c87
* added 'Uncommon Process Execution from Suspicious Directory' hunt * adds all linux hunting files * moves linux hunting files to queries folder * adds generated docs * fixing windows hunts * fixing windows hunts * updated README * Removed 2, updated a few, changed some names/descriptions and added list of str * updated windows for language schema changes, regenerated docs; updated README and index * changed UUIDs to hex only with standard hyphen format * removing unecessary docs * Fixed queries based on Samir feedback * ++ * regenerating linux docs * Update hunting/linux/queries/command_and_control_via_network_connections_with_low_occurrence_frequency_for_unique_agents.toml Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com> * Update hunting/linux/queries/defense_evasion_via_hidden_process_execution.toml Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com> * Update hunting/linux/queries/command_and_control_via_unusual_file_downloads_from_source_addresses.toml Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com> * Update hunting/linux/queries/defense_evasion_via_capitalized_process_execution.toml Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com> * Update hunting/linux/queries/defense_evasion_via_hidden_process_execution.toml Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com> * Updates * Update * Update hunting/linux/queries/command_and_control_via_network_connections_with_low_occurrence_frequency_for_unique_agents.toml Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com> * Updates * regenerating linux docs --------- Co-authored-by: Ruben Groenewoud <78494512+Aegrah@users.noreply.github.com> Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com>
59 lines
1.9 KiB
Markdown
59 lines
1.9 KiB
Markdown
# Persistence Through Reverse/Bind Shells
|
|
|
|
---
|
|
|
|
## Metadata
|
|
|
|
- **Author:** Elastic
|
|
- **Description:** This hunt provides several OSQuery queries that can aid in the detection of reverse/bind shells. Reverse shells are a type of shell in which the target machine communicates back to the attacking machine. Bind shells are a type of shell in which the target machine opens a communication port on the victim machine and waits for an attacker to connect to it. These shells can be used by attackers to gain remote access to a system.
|
|
|
|
- **UUID:** `7422faf1-ba51-49c3-b8ba-13759e6bcec4`
|
|
- **Integration:** [endpoint](https://docs.elastic.co/integrations/endpoint)
|
|
- **Language:** `[SQL]`
|
|
|
|
## Query
|
|
|
|
```sql
|
|
SELECT (
|
|
CASE family
|
|
WHEN 2 THEN 'IP4'
|
|
WHEN 10 THEN 'IP6'
|
|
ELSE family END
|
|
) AS family, (
|
|
CASE protocol
|
|
WHEN 6 THEN 'TCP'
|
|
WHEN 17 THEN 'UDP'
|
|
ELSE protocol END
|
|
) AS protocol, local_address, local_port,
|
|
remote_address, remote_port
|
|
FROM process_open_sockets
|
|
WHERE family IN (2, 10)
|
|
AND protocol IN (6, 17)
|
|
```
|
|
|
|
```sql
|
|
SELECT cmdline, name, path, pid, state, threads, total_size
|
|
FROM processes
|
|
WHERE cmdline != ''
|
|
```
|
|
|
|
```sql
|
|
SELECT pid, address, port, socket, protocol, path FROM listening_ports
|
|
```
|
|
|
|
## Notes
|
|
|
|
- The hunt provides OSQuery queries to detect reverse/bind shells on Linux systems.
|
|
- The first hunt query retrieves information about open sockets on the system.
|
|
- The second hunt query retrieves information about running processes on the system.
|
|
- The third hunt query retrieves information about listening ports on the system.
|
|
- Investigate strange or unexpected open sockets, processes, or listening ports on the system.
|
|
- Use the information from each hunt to pivot and investigate further for potential reverse/bind shells.
|
|
## MITRE ATT&CK Techniques
|
|
|
|
- [T1059.004](https://attack.mitre.org/techniques/T1059/004)
|
|
|
|
## License
|
|
|
|
- `Elastic License v2`
|