Reverse Shell Detection
Detects reverse shell payloads, bind shells, and interactive shell spawning techniques across multiple languages and protocols
19 rules in reverse_shells.yml
CRITICAL: 19
| Rule ID | Severity | Title | Description | Refs |
|---|---|---|---|---|
| awk_ | CRITICAL | Awk/Gawk Reverse Shell | awk/gawk/mawk/nawk uses /inet/tcp/ | |
| bash_ | CRITICAL | Bash /dev/tcp Reverse Shell | Uses bash /dev/tcp to open a reverse shell connection to a remote host | |
| bash_ | CRITICAL | Bash Interactive Reverse Shell | Spawns an interactive bash shell redirected to a network connection | |
| dnscat2_ | CRITICAL | dnscat2 DNS-Tunneled Shell | dnscat2 is invoked with --dns/--secret/server= or the binary lives at /dnscat. dnscat2 tunnels a shell over DNS, defeating egress controls that allow recursive resolution. | |
| java_ | CRITICAL | Java Runtime Exec Reverse Shell | Uses Java Runtime.getRuntime().exec() with socket redirection to spawn a reverse shell | |
| lua_ | CRITICAL | Lua Reverse Shell | lua -e uses socket.tcp or os.execute with /bin/sh / cmd. Lua is preinstalled on many networking devices and routers, making this a quiet reverse-shell shape. | |
| mkfifo_ | CRITICAL | Named Pipe (mkfifo) Reverse Shell | mkfifo is followed by nc/ncat/cat plumbed to /bin/sh -i. The named-pipe shape gives a working reverse shell on hosts where nc lacks -e support. | |
| netcat_ | CRITICAL | Netcat Reverse Shell | nc/ncat/netcat is invoked with -e /bin/sh, -c /bin/sh, or piped to /bin/sh. All three are direct reverse / bind shell constructions. | |
| node_ | CRITICAL | Node.js Reverse Shell | node -e combines child_process / net.Socket / require('spawn') / require('exec') with connect or /bin/sh. The shape is a Node.js one-liner reverse shell. | |
| openssl_ | CRITICAL | OpenSSL Encrypted Reverse Shell | openssl s_client -connect | |
| perl_ | CRITICAL | Perl Reverse Shell | perl -e … uses IO::Socket / socket(AF_INET) / exec /bin/sh to spawn a reverse shell. Perl is preinstalled on most Linux boxes, making this a portable post-exploitation idiom. | |
| php_ | CRITICAL | PHP Reverse Shell | php -r … combines fsockopen/socket_create/proc_open/popen with exec/passthru/shell_exec or /bin/sh. Webshells often hand off to this shape after initial access. | |
| powershell_ | CRITICAL | PowerShell ConPTY/IEX Reverse Shell | Downloads and executes a PowerShell reverse shell script via IEX with TCPClient | |
| powershell_ | CRITICAL | PowerShell TCP Reverse Shell | Uses PowerShell .NET sockets to establish a reverse shell connection | |
| python_ | CRITICAL | Python Reverse Shell | Spawns a reverse shell using Python socket and subprocess modules | |
| ruby_ | CRITICAL | Ruby Reverse Shell | ruby -e … uses TCPSocket.new/open or Socket.tcp combined with exec/spawn/system. The shape is a textbook Ruby reverse shell one-liner. | |
| socat_ | CRITICAL | Socat Reverse Shell | socat builds an EXEC:/bin/sh <-> TCP[46] pair, or uses pty,stderr,setsid. socat reverse shells are TTY-grade and favoured for interactive post-exploitation. | |
| telnet_ | CRITICAL | Telnet Reverse Shell | Uses telnet piped to a shell for reverse shell functionality | |
| xterm_ | CRITICAL | Xterm X11 Reverse Shell | Uses xterm with -display to forward a shell over X11 to a remote attacker | |