Adversaries may establish a reverse shell using Xterm to maintain command and control over compromised systems. SOC teams should proactively hunt for this behavior in Azure Sentinel to identify and mitigate potential persistent access and exfiltration activities.
Detection Rule
title: Potential Xterm Reverse Shell
id: 4e25af4b-246d-44ea-8563-e42aacab006b
status: test
description: Detects usage of "xterm" as a potential reverse shell tunnel
references:
    - https://pentestmonkey.net/cheat-sheet/shells/reverse-shell-cheat-sheet
    - https://www.revshells.com/
author: '@d4ns4n_'
date: 2023-04-24
tags:
    - attack.execution
    - attack.t1059
logsource:
    category: process_creation
    product: linux
detection:
    selection:
        Image|contains: 'xterm'
        CommandLine|contains: '-display'
        CommandLine|endswith: ':1'
    condition: selection
falsepositives:
    - Unknown
level: medium
imProcessCreate
| where TargetProcessName contains "xterm" and TargetProcessCommandLine contains "-display" and TargetProcessCommandLine endswith ":1"
Scenario: Scheduled System Maintenance Task Using xterm
Description: A legitimate scheduled task runs xterm to launch a terminal session for system diagnostics.
Filter/Exclusion: Exclude processes initiated by the task scheduler (Task Scheduler service) or with CommandLine containing /usr/bin/xterm or similar paths.
Scenario: Admin Using xterm for Remote Terminal Access
Description: An administrator uses xterm to access a remote Linux server via SSH, which may trigger the rule due to the terminal usage.
Filter/Exclusion: Exclude processes where the parent process is an SSH daemon (sshd) or where the user is a known admin with elevated privileges.
Scenario: Automated Script Launching xterm for GUI Interaction
Description: A script or automation tool launches xterm to interact with a GUI application (e.g., for monitoring or configuration).
Filter/Exclusion: Exclude processes where the command line includes -display or -geometry flags, or where the script is known to be part of a legitimate automation framework.
Scenario: Log Analysis Tool Using xterm for Debugging
Description: A log analysis tool (e.g., logrotate, rsyslog, or splunk) uses xterm to display logs in a terminal for debugging purposes.
Filter/Exclusion: Exclude processes with command lines containing logrotate, rsyslog, or splunk in the CommandLine field.
Scenario: User Launching xterm for Normal Terminal Usage
Description: A regular user opens xterm to perform routine command-line tasks (e.g., file management, script execution).
Filter/Exclusion: Exclude processes where the user is not a privileged user, or where the
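The detection rule and the exclusion scenarios above, run as a small Python evaluator over constructed process-creation events. This is an added example, not code from the Sigma project, Microsoft Sentinel, or the rule's author; the event field names (image, command_line, parent_image, user), the allow-lists and the sample events are assumptions. It applies the selection with the case-insensitive string semantics that both Sigma modifiers and KQL contains/endswith use, then applies the tuning filters from the scenarios. It also exercises two edge cases of the endswith ':1' condition and shows that the exclusion on -display proposed in the automation scenario suppresses every hit, because the selection itself requires that flag.

```python
from dataclasses import dataclass
from typing import List, Tuple


@dataclass(frozen=True)
class ProcEvent:
    """One process-creation event (field names are assumptions, not a Sentinel schema)."""
    image: str
    command_line: str
    parent_image: str = ""
    user: str = ""


def matches_xterm_reverse_shell(ev: ProcEvent) -> bool:
    """The rule's selection: Image|contains 'xterm' AND CommandLine|contains '-display'
    AND CommandLine|endswith ':1'. Sigma string modifiers and KQL contains/endswith
    are case-insensitive, so both sides are lowercased before comparing."""
    image = ev.image.lower()
    cmd = ev.command_line.lower()
    return "xterm" in image and "-display" in cmd and cmd.endswith(":1")


# Tuning data drawn from the false-positive scenarios (constructed allow-lists).
KNOWN_ADMINS = frozenset({"ops-admin"})
KNOWN_AUTOMATION_PARENTS = frozenset({"/opt/automation/runner"})
LOG_TOOL_TOKENS = ("logrotate", "rsyslog", "splunk")


def is_excluded(ev: ProcEvent) -> bool:
    """Exclusions from the scenarios: SSH-spawned admin sessions, known admins,
    known automation parents, and log-tool command lines."""
    cmd = ev.command_line.lower()
    parent = ev.parent_image.lower()
    if parent.endswith("/sshd") or parent == "sshd":
        return True
    if ev.user in KNOWN_ADMINS:
        return True
    if ev.parent_image in KNOWN_AUTOMATION_PARENTS:
        return True
    if any(tok in cmd for tok in LOG_TOOL_TOKENS):
        return True
    return False


def triage(events: List[ProcEvent]) -> Tuple[List[ProcEvent], List[ProcEvent]]:
    """Return (raw rule hits, hits that survive the exclusions)."""
    raw = [ev for ev in events if matches_xterm_reverse_shell(ev)]
    tuned = [ev for ev in raw if not is_excluded(ev)]
    return raw, tuned


def exclude_display_flag(events: List[ProcEvent]) -> List[ProcEvent]:
    """The automation scenario proposes excluding command lines that contain
    '-display'. Because the selection requires '-display', nothing survives."""
    raw, _ = triage(events)
    return [ev for ev in raw if "-display" not in ev.command_line.lower()]


# Constructed sample telemetry; 203.0.113.5 is a documentation address (TEST-NET-3).
SAMPLE_EVENTS = [
    # Shape the rule is written for: xterm pointed at a remote X display.
    ProcEvent("/usr/bin/xterm", "xterm -display 203.0.113.5:1", "/bin/bash", "www-data"),
    # Admin session spawned under sshd: a hit, but excluded by the SSH/admin scenario.
    ProcEvent("/usr/bin/xterm", "xterm -display 10.0.0.2:1", "/usr/sbin/sshd", "ops-admin"),
    # Automation framework launching xterm: a hit, excluded by the parent allow-list.
    ProcEvent("/usr/bin/xterm", "xterm -display 127.0.0.1:1", "/opt/automation/runner", "svc-auto"),
    # Ordinary local terminal: no '-display', no hit.
    ProcEvent("/usr/bin/xterm", "xterm -geometry 80x24", "/usr/bin/gnome-session", "alice"),
    # Local display :0 does not end with ':1', no hit.
    ProcEvent("/usr/bin/xterm", "xterm -display :0", "/usr/bin/gnome-session", "alice"),
    # Trailing arguments after the display break the endswith condition: no hit.
    ProcEvent("/usr/bin/xterm", "xterm -display localhost:1 -e top", "/bin/bash", "alice"),
]


if __name__ == "__main__":
    raw_hits, tuned_hits = triage(SAMPLE_EVENTS)
    print(f"raw hits: {len(raw_hits)}, after tuning: {len(tuned_hits)}")
    for ev in tuned_hits:
        print(f"  ALERT user={ev.user} parent={ev.parent_image} cmd={ev.command_line!r}")
    print(f"hits left if '-display' is excluded: {len(exclude_display_flag(SAMPLE_EVENTS))}")
```

The last two non-hits show how narrow the endswith ':1' condition is: only display number 1, with nothing after it on the command line, matches, so the rule already fires rarely. Tuning should therefore key on context the rule does not already require (parent process, user, known automation), as the SSH and automation-parent exclusions do, rather than on the -display flag, which would silence the rule entirely.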