This note documents detection patterns related to Suspicious Outbound Connections on Linux systems.
Direct Indicators
| Source | Grep Pattern / Artifact | Meaning | Forensic Value | Notes |
|---|---|---|---|---|
| Shell history | nc | Netcat outbound connection | Critical | Common reverse shell and exfil primitive. |
| Shell history | bash -i >& /dev/tcp/ | Native bash reverse shell | Critical | High-confidence malicious outbound execution. |
| Shell history | curl http:// | Direct outbound retrieval / callback | High | Context determines maliciousness. |
| Shell history | wget http:// | Outbound retrieval | High | Often staging precursor. |
| Shell history | python -c socket | Scripted socket callback | Critical | Common custom reverse shell. |
| Shell history | openssl s_client | Encrypted outbound tunnel | High | Sometimes used for stealth shells. |
| Shell history | socat TCP: | Advanced socket pivot | Critical | Strong operator indicator. |
| Process list | unknown process with ESTABLISHED connection | Active beacon/payload | Critical | Runtime truth. |
| ss -plant / netstat -plant | outbound unusual remote IP | Active network compromise | Critical | Immediate live evidence. |
| lsof -i | PID owning suspicious socket | Attribution | Critical | Connect process to artifact. |
| auditd | execve before outbound socket | Process truth | Critical | Strong attribution. |
| journalctl | service opening external connection | Runtime clue | High | Service-linked callbacks. |
| Firewall logs | outbound uncommon destination | Network proof | Critical | Especially rare countries / infra. |
| DNS logs | suspicious domain lookup | Pre-connection clue | High | Often precedes callback. |
Indirect Indicators
| Indicator | What To Look For | Forensic Value | Notes |
|---|---|---|---|
| Outbound connection after temp payload | Active payload execution | Critical | Strong stage-to-callback chain. |
| Outbound immediately after login | Manual operator callback | Critical | Common foothold progression. |
| Repeated short interval callbacks | Beaconing | Critical | Strong C2 pattern. |
| Outbound from service account | Suspicious context | Critical | Often exploitation path. |
| Connection to raw IP | Operator infra | High | Often suspicious. |
| TLS without expected process | Hidden encrypted tunnel | High | Process attribution critical. |
| Same IP contacted by multiple payloads | Central operator infra | Critical | Campaign clue. |
| Outbound plus cron/service | Persistent beacon | Critical | Operationalized persistence. |
| Hidden binary owns socket | Concealed payload active | Critical | Strong malicious signal. |
| Deleted payload but socket persists | Running deleted process | Critical | High-value live clue. |
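The "repeated short interval callbacks" indicator above, as an added example that is not part of the original note: a Python check that groups egress-log connections per (source, destination, port) and flags flows whose inter-connection gaps are nearly constant, the beaconing pattern. The log line format, the sample lines, the minimum event count and the jitter threshold are constructed assumptions.

```python
import re
from datetime import datetime
from statistics import mean, pstdev

# Constructed sample of egress firewall log lines (not captured from a real host).
# Assumed line format: "<ISO timestamp> OUT src=<ip> dst=<ip> dport=<port>"
SAMPLE_LOG = """\
2024-05-01T10:00:02Z OUT src=10.0.0.5 dst=203.0.113.7 dport=443
2024-05-01T10:00:31Z OUT src=10.0.0.5 dst=198.51.100.20 dport=443
2024-05-01T10:01:02Z OUT src=10.0.0.5 dst=203.0.113.7 dport=443
2024-05-01T10:02:03Z OUT src=10.0.0.5 dst=203.0.113.7 dport=443
2024-05-01T10:03:02Z OUT src=10.0.0.5 dst=203.0.113.7 dport=443
2024-05-01T10:04:03Z OUT src=10.0.0.5 dst=203.0.113.7 dport=443
2024-05-01T10:07:44Z OUT src=10.0.0.5 dst=198.51.100.20 dport=443
"""

LINE_RE = re.compile(r"^(\S+) OUT src=(\S+) dst=(\S+) dport=(\d+)$")

def parse_connections(text):
    """Return {(src, dst, dport): [timestamps]} from the egress log text."""
    flows = {}
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ts = datetime.strptime(m.group(1), "%Y-%m-%dT%H:%M:%SZ")
        flows.setdefault((m.group(2), m.group(3), int(m.group(4))), []).append(ts)
    return flows

def find_beacons(flows, min_events=4, max_jitter=0.2):
    """Flag flows whose gaps between connections are near-constant.
    jitter = stdev(gaps) / mean(gaps); low jitter over enough events is beacon-like."""
    hits = []
    for key, times in flows.items():
        if len(times) < min_events:
            continue
        ordered = sorted(times)
        gaps = [(b - a).total_seconds() for a, b in zip(ordered, ordered[1:])]
        avg = mean(gaps)
        if avg <= 0:  # duplicate timestamps; nothing periodic to measure
            continue
        jitter = pstdev(gaps) / avg
        if jitter <= max_jitter:
            hits.append({"flow": key, "events": len(ordered),
                         "period_s": round(avg, 1), "jitter": round(jitter, 3)})
    return hits
```

The two visits to 198.51.100.20 fall below the event threshold and are not scored; the 203.0.113.7 flow is reported with a period of about 60 seconds.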
Common Tools
| Tool | Usage |
|---|---|
| nc | Reverse shell / exfiltration. |
| bash /dev/tcp | Native reverse shell. |
| curl | Callback or exfil channel. |
| wget | Retrieval and callbacks. |
| python socket | Scripted network shell. |
| socat | Advanced pivoting / tunnels. |
| openssl s_client | Encrypted channel. |
Relevant Artifacts
| Artifact | Path / Command | Forensic Value | Notes |
|---|---|---|---|
| Live sockets | ss -plant, netstat -plant | Critical | Immediate runtime truth. |
| Process attribution | lsof -i | Critical | Maps PID to socket. |
| Shell history | .bash_history, .zsh_history | Critical | Launch evidence. |
| Audit logs | /var/log/audit/audit.log | Critical | Process attribution. |
| Firewall logs | nftables / iptables / EDR | Critical | Network truth. |
| DNS logs | resolver / cache logs | High | Domain clue. |
| Payload paths | temp / hidden files | Critical | Owning executable. |
MITRE ATT&CK References
- T1071 Application Layer Protocol
- T1105 Ingress Tool Transfer
- T1041 Exfiltration Over C2 Channel
Decision Tree
- Is outbound connection active?
  - Enumerate sockets and owning processes.
- Which process owns it?
  - PID, path, user, parent.
- Is destination expected?
  - IP, domain, port, geography.
- Is command history aligned?
  - Reverse shell / downloader / tunnel.
- Is persistence linked?
  - Cron, services, startup, hidden payloads.
- Pivot
  - Process → file path.
  - IP/domain → timeline.
  - User → access context.
- Confirm malicious outbound
  - Suspicious process + unknown remote endpoint + intrusion context = strong callback finding.
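The first three decision-tree steps (live socket, owning process, destination), as an added example that is not part of the original note: a Python triage over `ss -plant` output that applies the Analyst Notes scenarios (temp path, hidden path component, deleted executable, known shell/tunnel tool, unexpected external peer) to each ESTABLISHED socket. The `ss` sample, the `/proc/<pid>/exe` stand-in map, the internal ranges, the allow-list and the tool-name set are constructed assumptions; IPv4 peers are assumed.

```python
import re
from ipaddress import ip_address, ip_network

# Constructed sample of `ss -plant` output (not captured from a real host).
SAMPLE_SS = """\
State  Recv-Q Send-Q Local Address:Port   Peer Address:Port Process
ESTAB  0      0      10.0.0.5:41234       203.0.113.7:4444  users:(("nc",pid=2231,fd=3))
ESTAB  0      0      10.0.0.5:52210       10.0.0.9:5432     users:(("postgres",pid=880,fd=9))
ESTAB  0      0      10.0.0.5:38844       198.51.100.20:443 users:(("python3",pid=3120,fd=4))
LISTEN 0      128    0.0.0.0:22           0.0.0.0:*         users:(("sshd",pid=611,fd=3))
"""

# Constructed stand-in for `readlink /proc/<pid>/exe` on the same host.
SAMPLE_EXE = {2231: "/tmp/.x/nc", 880: "/usr/lib/postgresql/15/bin/postgres",
              3120: "/dev/shm/update.py (deleted)", 611: "/usr/sbin/sshd"}

KNOWN_PEERS = {"10.0.0.9"}  # assumed allow-list of expected destinations
INTERNAL = [ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12",
                                    "192.168.0.0/16", "127.0.0.0/8")]
TOOL_NAMES = {"nc", "ncat", "socat", "python", "python3", "openssl", "bash"}
ROW_RE = re.compile(r'^ESTAB\s+\d+\s+\d+\s+(\S+):(\d+)\s+(\S+):(\d+)\s+'
                    r'users:\(\("([^"]+)",pid=(\d+)')

def triage_sockets(ss_text, exe_of, known_peers=KNOWN_PEERS):
    """Established socket -> owning process -> destination, scored per the Analyst Notes."""
    findings = []
    for line in ss_text.splitlines():
        m = ROW_RE.match(line.strip())
        if not m:
            continue
        peer, port, proc, pid = m.group(3).strip("[]"), int(m.group(4)), m.group(5), int(m.group(6))
        exe = exe_of.get(pid, "")
        reasons = []
        if exe.endswith("(deleted)"):  # kernel marks unlinked executables this way
            reasons.append("socket survives deleted file")
        if exe.startswith(("/tmp/", "/dev/shm/", "/var/tmp/")):
            reasons.append("temp payload path")
        if any(part.startswith(".") for part in exe.split("/")):
            reasons.append("hidden path component")
        if proc in TOOL_NAMES:
            reasons.append(f"shell/tunnel tool {proc}")
        if peer not in known_peers and not any(ip_address(peer) in n for n in INTERNAL):
            reasons.append("unexpected external peer")
        if reasons:
            findings.append({"pid": pid, "proc": proc, "exe": exe,
                             "peer": f"{peer}:{port}", "reasons": reasons})
    return findings
```

On a live host the `exe_of` map would be built from `readlink /proc/<pid>/exe` for each PID that `ss -plant` reports; the postgres socket to a known internal peer produces no finding.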
Example Detection Templates
Grep
```bash
grep -R "nc \|/dev/tcp/\|python -c.*socket\|socat TCP:\|openssl s_client" /home/*/.bash_history /root/.bash_history 2>/dev/null
grep -R "curl http\|wget http" /home/*/.bash_history /root/.bash_history 2>/dev/null
```
Journalctl
```bash
journalctl | grep -E "connect|socket|network"
```
File Inspection
```bash
ss -plant
lsof -i
```
Sigma
```yaml
title: Linux Suspicious Outbound Connections
id: linux-suspicious-outbound-connections
status: experimental
description: Detects suspicious outbound connection behavior associated with payloads or reverse shells
logsource:
  product: linux
detection:
  selection_keywords:
    message|contains:
      - 'nc '
      - '/dev/tcp/'
      - 'socat'
      - 'openssl s_client'
  condition: selection_keywords
fields:
  - message
  - hostname
falsepositives:
  - Legitimate troubleshooting or admin tunneling
level: high
tags:
  - attack.command_and_control
  - attack.t1071
```
Mitigation & Hardening
| Control Area | Mitigation | Effectiveness | Notes |
|---|---|---|---|
| Egress filtering | Restrict arbitrary outbound traffic | Critical | Major callback reduction. |
| Process monitoring | Alert on unusual socket owners | Critical | Strong runtime detection. |
| Auditd | Track execve before network actions | High | Attribution layer. |
| DNS monitoring | Watch unusual domains | High | Early signal. |
| Temp execution control | Reduce payload callback options | High | Indirect prevention. |
Fast Triage Checks
| Question | Command / Artifact | Why It Matters |
|---|---|---|
| Any suspicious ESTABLISHED sockets? | ss / lsof | Immediate runtime proof. |
| Which process owns socket? | PID attribution | Core truth. |
| Is remote IP expected? | destination review | Suspicion scoring. |
| Was shell command used? | grep history | Launch evidence. |
| Is payload hidden/temp? | inspect process path | Stealth clue. |
| Is persistence linked? | cron/service review | Operationalization. |
High Value Grep Strings
| Pattern | Why It Matters |
|---|---|
| nc | Netcat shell or exfil. |
| /dev/tcp/ | Native bash callback. |
| python -c | Scripted socket shell. |
| socat TCP: | Advanced pivot. |
| openssl s_client | Encrypted tunnel. |
| curl http | Callback or staging. |
| wget http | Callback or staging. |
Analyst Notes
| Scenario | Interpretation |
|---|---|
| Temp payload owns ESTABLISHED socket | Strong active compromise. |
| Hidden file owns socket | Concealed beacon likely. |
| Repeated outbound every minute | Beaconing pattern. |
| Socket survives deleted file | Running deleted payload. |
| Service account outbound TLS | Suspicious unless expected. |
| Netcat + external IP | Very strong operator evidence. |