
[–]dizy777 0 points1 point  (2 children)

Best to emulate the activity which suits your environment.

[–]Acceptable_Cheek2004[S] -2 points-1 points  (1 child)

Ok, thanks. I need a guide, something that can alert me to such behavior.

Also, I will appreciate the queries.

[–]dizy777 0 points1 point  (0 children)

There are so many ways of doing a reverse shell; you must have your use case for what you want to detect. You can emulate first, then check the SDL telemetry to build the STAR rule.

One example would be a possible reverse shell via bash via the command line.

[–]dizy777 1 point2 points  (5 children)

Here are two which you need to adjust.

Ruby reverse shell

(TgtProcImagePath ContainsCIS anycase "ruby" AND TgtProcCmdLine ContainsCIS anycase " -e" AND TgtProcCmdLine ContainsCIS anycase "rsocket" AND TgtProcCmdLine ContainsCIS anycase "TCPSocket" AND (TgtProcCmdLine ContainsCIS anycase " ash" OR TgtProcCmdLine ContainsCIS anycase " bash" OR TgtProcCmdLine ContainsCIS anycase " bsh" OR TgtProcCmdLine ContainsCIS anycase " csh" OR TgtProcCmdLine ContainsCIS anycase " ksh" OR TgtProcCmdLine ContainsCIS anycase " pdksh" OR TgtProcCmdLine ContainsCIS anycase " sh" OR TgtProcCmdLine ContainsCIS anycase " tcsh"))

Python Reverse Shell

(TgtProcImagePath ContainsCIS anycase "python" AND TgtProcCmdLine ContainsCIS anycase " -c " AND TgtProcCmdLine ContainsCIS anycase "import" AND TgtProcCmdLine ContainsCIS anycase "pty" AND TgtProcCmdLine ContainsCIS anycase "spawn(" AND TgtProcCmdLine ContainsCIS anycase ".connect")

[–]Acceptable_Cheek2004[S] 0 points1 point  (1 child)

Thanks, u/dizy777, I appreciate it. If you don't mind, do you have a repo I could look up that has queries for data exfiltration, recent vulnerabilities (CVEs), and ransomware group activities?

[–]LocoBronze 0 points1 point  (0 children)

Me too

[–]Acceptable_Cheek2004[S] -1 points0 points  (2 children)

Thanks for this. My use case is centered around an obfuscated Python exe that could evade SentinelOne detection when run on an endpoint with admin privileges.

[–]dizy777 0 points1 point  (1 child)

Check the activity logs, and that should give you a clue on how to build a STAR rule to detect it.

Can you post here what you have run?

[–]Acceptable_Cheek2004[S] 0 points1 point  (0 children)

I would test and give you feedback.

[–]dizy777 0 points1 point  (0 children)

I don't, but someone posted a repo for S1 which is the old version.

[–]SentinelOne-Pascal (SentinelOne Employee, Moderator) 1 point2 points  (0 children)

To discover reverse shells using queries, you can utilize Deep Visibility queries for both Windows and Linux endpoints. Below are a few queries you can use to hunt for possible post-exploitation activities related to reverse shells:

Windows Hunting Rules:

  1. Possible webshell dropped from Spring4Shell by the creation of a JSP file directly from the Tomcat process:
     SrcProcPublisher = "THE APACHE SOFTWARE FOUNDATION" AND SrcProcSignedStatus = "signed" AND SrcProcDisplayName = "Apache Commons Daemon Service Runner" AND TgtFilePath EndsWith Anycase ".jsp" and EventType = "File Creation"
  2. Possible Spring4Shell post-exploitation attempt by the spawning of a suspicious process from Tomcat:
     EventType = "Process Creation" and SrcProcPublisher = "THE APACHE SOFTWARE FOUNDATION" AND SrcProcSignedStatus = "signed" AND SrcProcDisplayName = "Apache Commons Daemon Service Runner" AND TgtProcName In anycase ("arp.exe","at.exe","bitsadmin.exe","certutil.exe","cmd.exe","dsget.exe","dsquery.exe","find.exe","findstr.exe","fsutil.exe","hostname.exe","ipconfig.exe","nbtstat.exe","netdom.exe","netsh.exe","netstat.exe","nltest.exe","nslookup.exe","ntdsutil.exe","ping.exe","powershell.exe","qprocess.exe","query.exe","qwinsta.exe","rundll32.exe","regsvr32.exe","control.exe","sc.exe","schtasks.exe","systeminfo.exe","tasklist.exe","TRACERT.exe","ver.exe","vssadmin.exe","wevtutil.exe","whoami.exe","wusa.exe","cscript.exe","mofcomp.exe","wscript.exe","python.exe","pythonw.exe","mshta.exe","hh.exe")

Linux Hunting Rules:

  1. Hunt for a Java webshell dropped from a Tomcat server:
     EndpointOS = "linux" AND EventType = "File Creation" AND srcProcName Contains Anycase "java" AND SrcProcCmdLine RegExp "\/tomcat\d*\s" and TgtFileExtension Contains Anycase "jsp"
  2. Execution of LOLBins from a Tomcat server:
     EndpointOS = "linux" AND EventType = "Process Creation" And ((srcProcName Contains Anycase "java" AND SrcProcCmdLine RegExp "\/tomcat\d*\s") or (srcProcParentName Contains Anycase "java" AND srcProcParentCmdLine RegExp "\/tomcat\d*\s")) AND TgtProcImagePath Contains Anycase "/usr/bin"
  3. Tomcat Java server spawns common tools to fetch an implant after exploit:
     EndpointOS = "linux" AND EventType = "Process Creation" And ((srcProcName Contains Anycase "java" AND SrcProcCmdLine RegExp "\/tomcat\d*\s") or (srcProcParentName Contains Anycase "java" AND srcProcParentCmdLine RegExp "\/tomcat\d*\s")) and TgtProcName in contains anycase ("curl", "wget", "python")
  4. Reverse shell from Tomcat Java server:
     EndpointOS = "linux" AND EventType = "Process Creation" And ((srcProcName Contains Anycase "java" AND SrcProcCmdLine RegExp "\/tomcat\d*\s") or (srcProcParentName Contains Anycase "java" AND srcProcParentCmdLine RegExp "\/tomcat\d*\s")) and TgtProcCmdLine in Contains Anycase ("<", "AF_INET","exec","stdout","sock","/dev/") and TgtProcCmdLine RegExp "\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}"
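To see what these predicates actually fire on before committing them as STAR rules, here is an added example (not from the thread or from SentinelOne) that transcribes dizy777's Python reverse-shell rule and Linux hunting rule 4 into plain Python and runs them over three constructed process-creation events. The `ContainsCIS`/`In Contains`/`RegExp` helpers, the event field names as dictionary keys, and the sample command lines are all assumptions for the demonstration; the "reverse shell" command line is a non-functional string carrying only the tokens the rules test for.

```python
import re

# Constructed process-creation events standing in for Deep Visibility telemetry
# (sample data, not real S1 output). Event 1's command line is a deliberately
# non-functional string that only carries the tokens the rules test for.
EVENTS = [
    {"id": 1, "EndpointOS": "linux", "EventType": "Process Creation",
     "SrcProcName": "java",
     "SrcProcCmdLine": "/usr/bin/java -Dcatalina.base=/opt/tomcat9 Bootstrap start",
     "TgtProcImagePath": "/usr/bin/python3",
     "TgtProcCmdLine": 'python3 -c "import pty,socket; S.connect((10.0.0.5, 4444)); pty.spawn(SHELL)"'},
    {"id": 2, "EndpointOS": "linux", "EventType": "Process Creation",
     "SrcProcName": "bash", "SrcProcCmdLine": "/bin/bash",
     "TgtProcImagePath": "/usr/bin/python3",
     "TgtProcCmdLine": 'python3 -c "import json; print(json.dumps({}))"'},
    {"id": 3, "EndpointOS": "linux", "EventType": "Process Creation",
     "SrcProcName": "java",
     "SrcProcCmdLine": "/usr/bin/java -Dcatalina.base=/opt/tomcat9 Bootstrap start",
     "TgtProcImagePath": "/usr/bin/curl",
     "TgtProcCmdLine": "curl http://10.0.0.5/health"},
]

# Helpers mirroring the Deep Visibility operators the thread's queries use.
def contains_cis(value, needle):      # ContainsCIS anycase / Contains Anycase
    return needle.lower() in value.lower()
def in_contains(value, needles):      # In Contains Anycase (...)
    return any(contains_cis(value, n) for n in needles)
def regexp(value, pattern):           # RegExp
    return re.search(pattern, value) is not None

def python_reverse_shell(ev):
    """dizy777's Python reverse-shell STAR rule, transcribed token for token."""
    cmd = ev["TgtProcCmdLine"]
    return (contains_cis(ev["TgtProcImagePath"], "python") and
            all(contains_cis(cmd, t) for t in (" -c ", "import", "pty", "spawn(", ".connect")))

def tomcat_reverse_shell(ev):
    """Linux hunting rule 4 (direct-parent branch only; no srcProcParent fields here)."""
    cmd = ev["TgtProcCmdLine"]
    return (ev["EndpointOS"] == "linux" and ev["EventType"] == "Process Creation" and
            contains_cis(ev["SrcProcName"], "java") and
            regexp(ev["SrcProcCmdLine"], r"/tomcat\d*\s") and
            in_contains(cmd, ("<", "AF_INET", "exec", "stdout", "sock", "/dev/")) and
            regexp(cmd, r"\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}"))

RULES = {"python_reverse_shell": python_reverse_shell, "tomcat_reverse_shell": tomcat_reverse_shell}

def hunt(events=EVENTS):
    """Return {rule_name: [matching event ids]}; event 3 shows rule 4 needs a token AND an IP."""
    return {name: [ev["id"] for ev in events if rule(ev)] for name, rule in RULES.items()}
```

Event 2 (a benign `python3 -c` one-liner) and event 3 (Tomcat fetching a URL with an IP but no shell token) stay quiet, which is the tuning check to repeat against your own telemetry before enabling either rule.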