Detectionmediumtest

Potential Xterm Reverse Shell

Detects usage of "xterm" as a potential reverse shell tunnel

Convert In Phoenix Studio

Open this Sigma rule in the converter with the YAML preloaded and ready for backend selection.

Launch

@d4ns4n_Created Mon Apr 244e25af4b-246d-44ea-8563-e42aacab006blinux

Log Source

LinuxProcess Creation

ProductLinux← raw: linux

CategoryProcess Creation← raw: process_creation

Events generated when a new process is spawned on the system. Covers command-line arguments, parent/child relationships, and process metadata.

Detection Logic

detection:
    selection:
        Image|contains: 'xterm'
        CommandLine|contains: '-display'
        CommandLine|endswith: ':1'
    condition: selection

False Positives

Unknown

False positive likelihood has not been assessed. Additional context may be needed during triage.

References

MITRE ATT&CK

Tactics

TA0002 · Execution

Techniques

T1059 · Command and Scripting Interpreter

Rule Metadata

Rule ID

4e25af4b-246d-44ea-8563-e42aacab006b

Status

test

Level

medium

Type

Detection

Created

Mon Apr 24

Author

@d4ns4n_

Path

rules/linux/process_creation/proc_creation_lnx_xterm_reverse_shell.yml

Raw Tags

attack.executionattack.t1059

View on GitHub