
Potential Perl Reverse Shell Execution

Detects execution of the perl binary with the "-e" flag and common strings related to potential reverse shell activity

Authors: @d4ns4n_, Nasreddine Bencherchali (Nextron Systems)
Created: Fri Apr 07
Rule ID: 259df6bc-003f-4306-9f54-4ff1a08fa38e
Product: linux
Log Source
Product: Linux (raw: linux)
Category: Process Creation (raw: process_creation)

Events generated when a new process is spawned on the system. Covers command-line arguments, parent/child relationships, and process metadata.

Detection Logic (2 selectors)
detection:
    selection_img:
        Image|endswith: '/perl'
        CommandLine|contains: ' -e '
    selection_content:
        - CommandLine|contains|all:
              - 'fdopen('
              - '::Socket::INET'
        - CommandLine|contains|all:
              - 'Socket'
              - 'connect'
              - 'open'
              - 'exec'
    condition: all of selection_*
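To make the two selectors above concrete, here is an added example (not code from the rule's authors or from the converter site) that evaluates the rule over a handful of constructed process-creation events. It assumes the event fields are named exactly as in the rule (Image, CommandLine) and that string matching is case-insensitive, which is the Sigma default for contains and endswith; the sample command lines are constructed token strings built from the rule's own indicators, not working Perl programs.

```python
# Added example: a minimal evaluator for the two selectors of Sigma rule
# 259df6bc-003f-4306-9f54-4ff1a08fa38e, run over constructed process-creation
# events. Field names (Image, CommandLine) follow the rule; the events are
# constructed for this example and are not real telemetry.


def _lc(event, field):
    # Sigma contains/endswith matching is case-insensitive by default,
    # so every comparison lowercases the event value.
    return str(event.get(field, "")).lower()


def selection_img(event):
    """selection_img: Image|endswith '/perl' AND CommandLine|contains ' -e '."""
    return (_lc(event, "Image").endswith("/perl")
            and " -e " in _lc(event, "CommandLine"))


def selection_content(event):
    """selection_content: the two contains|all groups are list items, so they are OR-ed."""
    cmd = _lc(event, "CommandLine")
    group_a = all(s in cmd for s in ("fdopen(", "::socket::inet"))
    group_b = all(s in cmd for s in ("socket", "connect", "open", "exec"))
    return group_a or group_b


def rule_matches(event):
    """condition: all of selection_*"""
    return selection_img(event) and selection_content(event)


# Constructed sample events. Command lines carry the rule's token strings as
# placeholders ("CONSTRUCTED ...") and are not executable Perl.
SAMPLE_EVENTS = {
    "benign_print": {
        "Image": "/usr/bin/perl",
        "CommandLine": "perl -e 'print \"hello\\n\"'"},
    "group_a_tokens": {
        "Image": "/usr/bin/perl",
        "CommandLine": "perl -e 'CONSTRUCTED use IO::Socket::INET; fdopen( ...'"},
    "group_b_tokens": {
        "Image": "/usr/local/bin/perl",
        "CommandLine": "perl -e 'CONSTRUCTED Socket connect open exec'"},
    "partial_group_b": {
        # Socket and open present, connect and exec absent: no match.
        "Image": "/usr/bin/perl",
        "CommandLine": "perl -e 'use Socket; open(FH, \"<\", \"x\")'"},
    "versioned_binary": {
        # Image ends in perl5.36, so Image|endswith '/perl' fails.
        "Image": "/usr/bin/perl5.36",
        "CommandLine": "perl5.36 -e 'CONSTRUCTED use IO::Socket::INET; fdopen( ...'"},
    "no_space_after_e": {
        # '-e' glued to its argument: the literal ' -e ' is absent.
        "Image": "/usr/bin/perl",
        "CommandLine": "perl -e'CONSTRUCTED use IO::Socket::INET; fdopen( ...'"},
}


def evaluate_all(events=SAMPLE_EVENTS):
    """Return {event name: True if the rule fires} for every sample event."""
    return {name: rule_matches(ev) for name, ev in events.items()}


if __name__ == "__main__":
    for name, hit in evaluate_all().items():
        print(f"{'ALERT' if hit else 'ok   '} {name}")
```

The last two samples show where the rule's literal matching stops: a version-suffixed interpreter path does not satisfy `Image|endswith: '/perl'`, and `-e` written without a trailing space does not satisfy `CommandLine|contains: ' -e '`. Whether to broaden either selector is a tuning decision for the environment; the evaluator lets you check the effect of such a change against your own sample events before deploying it.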
False Positives
Unlikely

False positives are unlikely in most environments; this is a high-confidence detection.

MITRE ATT&CK
Tactic: Execution (attack.execution)

Rule Metadata
Rule ID: 259df6bc-003f-4306-9f54-4ff1a08fa38e
Status: test
Level: high
Type: Detection
Created: Fri Apr 07
Path: rules/linux/process_creation/proc_creation_lnx_perl_reverse_shell.yml
Raw Tags: attack.execution