Phoenix
Sigma IntelligenceBeta
Back to Rules
Detectionmediumtest

Potential Ruby Reverse Shell

Detects execution of ruby with the "-e" flag and calls to "socket" related functions. This could be an indication of a potential attempt to setup a reverse shell

Convert In Phoenix Studio

Open this Sigma rule in the converter with the YAML preloaded and ready for backend selection.

Launch
@d4ns4n_Created Fri Apr 07b8bdac18-c06e-4016-ac30-221553e74f59linux
Log Source
LinuxProcess Creation
ProductLinux← raw: linux
CategoryProcess Creation← raw: process_creation

Events generated when a new process is spawned on the system. Covers command-line arguments, parent/child relationships, and process metadata.

Detection Logic
Detection Logic1 selector
detection:
    selection:
        Image|contains: 'ruby'
        CommandLine|contains|all:
            - ' -e'
            - 'rsocket'
            - 'TCPSocket'
        CommandLine|contains:
            - ' ash'
            - ' bash'
            - ' bsh'
            - ' csh'
            - ' ksh'
            - ' pdksh'
            - ' sh'
            - ' tcsh'
    condition: selection
False Positives
Unknown

False positive likelihood has not been assessed. Additional context may be needed during triage.

References
1
Resolving title…
pentestmonkey.net
2
Resolving title…
revshells.com
MITRE ATT&CK
Rule Metadata
Rule ID
b8bdac18-c06e-4016-ac30-221553e74f59
Status
test
Level
medium
Type
Detection
Created
Fri Apr 07
Author
@d4ns4n_
Path
rules/linux/process_creation/proc_creation_lnx_ruby_reverse_shell.yml
Raw Tags
attack.execution
View on GitHub