Interactive shell compromise attack


Goal

Detect interactive shell compromise attacks by correlating multiple indicators of shell-based access, post-exploitation activity, and evasion within the same execution context.

Strategy

This correlation rule identifies shell compromise operations by detecting combinations of the following activity groups:

  • Interactive Access: Interactive shell in container, TTY shell, user-created or deleted TTY, or AppArmor-modified TTY sessions
  • Remote Access: SSH sessions, outbound SSH connections, non-standard SSH connections, Kubernetes user sessions, or tmate usage
  • Reconnaissance: System enumeration (for example, whoami, lsmod), kernel module listing, network intrusion utilities, sniffing tools, container breakout enumeration, image enumeration, credential discovery, management socket access, IP check domains, debugfs usage, offensive Kubernetes tools, or mounting in container
  • Evasion: Shell history deletion, truncation, or symlink manipulation, system log deletion, auditd configuration or rule modification, SELinux enforcement disabling, self-unlinking, memfd_create, prctl masquerading, /dev/shm execution, or hidden file execution
  • Persistence: Cron or at job creation, SSH authorized keys modification, systemd unit modification, rc script modification, shell profile modification, credential modification, or passwd execution
  • Reverse Shell: Netcat shell, socat shell, Perl shell, shell network connections, or tunnel traffic

The rule triggers different severity levels based on the combination of detected activities:

Case                                    Severity   Condition
Full Interactive Compromise             Critical   Interactive Access + Reconnaissance + Evasion + Persistence
Full Remote Compromise                  Critical   Remote Access + Reconnaissance + Evasion + Persistence
Interactive Reverse Shell with Evasion  Critical   Interactive Access + Reverse Shell + Evasion
Remote Reverse Shell with Evasion       Critical   Remote Access + Reverse Shell + Evasion
Interactive Shell Recon and Evasion     High       Interactive Access + Reconnaissance + Evasion
Remote Shell Recon and Evasion          High       Remote Access + Reconnaissance + Evasion
Interactive Shell with Persistence      High       Interactive Access + Reconnaissance + Persistence
Remote Shell with Persistence           High       Remote Access + Reconnaissance + Persistence
Interactive Shell with Reverse Shell    Medium     Interactive Access + Reverse Shell
Remote Shell with Reverse Shell         Medium     Remote Access + Reverse Shell
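The following is an added example of how the severity table above can be evaluated over detections grouped by execution context; it is illustrative code written for this page, not Datadog's rule implementation, and the detection names in GROUP_OF and the context identifiers are assumptions.

```python
"""Added example (not Datadog's implementation): apply the severity table to
detections that share one execution context."""
from collections import defaultdict

# Constructed mapping from individual detection names to the six activity groups.
GROUP_OF = {
    "tty_shell": "interactive",
    "ssh_session": "remote",
    "system_enumeration": "recon",
    "shell_history_deletion": "evasion",
    "cron_job_creation": "persistence",
    "netcat_shell": "reverse_shell",
}

# Cases from the rule's severity table, most severe first so the first match wins.
CASES = [
    ("Full Interactive Compromise", "Critical", {"interactive", "recon", "evasion", "persistence"}),
    ("Full Remote Compromise", "Critical", {"remote", "recon", "evasion", "persistence"}),
    ("Interactive Reverse Shell with Evasion", "Critical", {"interactive", "reverse_shell", "evasion"}),
    ("Remote Reverse Shell with Evasion", "Critical", {"remote", "reverse_shell", "evasion"}),
    ("Interactive Shell Recon and Evasion", "High", {"interactive", "recon", "evasion"}),
    ("Remote Shell Recon and Evasion", "High", {"remote", "recon", "evasion"}),
    ("Interactive Shell with Persistence", "High", {"interactive", "recon", "persistence"}),
    ("Remote Shell with Persistence", "High", {"remote", "recon", "persistence"}),
    ("Interactive Shell with Reverse Shell", "Medium", {"interactive", "reverse_shell"}),
    ("Remote Shell with Reverse Shell", "Medium", {"remote", "reverse_shell"}),
]


def evaluate(detections):
    """Return {context: (case, severity)} for every context that satisfies a case.

    `detections` is an iterable of (context_id, detection_name); the context id
    stands for the shared execution context (for example a process ancestry or
    session). Contexts that match no row are omitted.
    """
    groups = defaultdict(set)
    for ctx, name in detections:
        if name in GROUP_OF:          # unknown detections are ignored, not an error
            groups[ctx].add(GROUP_OF[name])
    results = {}
    for ctx, present in groups.items():
        for case, severity, required in CASES:
            if required <= present:   # every required group was seen in this context
                results[ctx] = (case, severity)
                break
    return results
```

Note that the table has no row for Interactive or Remote Access combined only with Evasion or only with Persistence, so such a context produces no signal from this rule.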

Triage & Response

  1. Terminate shell sessions: Immediately stop the identified shell process(es).

  2. Isolate the system: Disconnect the affected host and container (or pod) from the network.

  3. Analyze shell access method: Determine how shell access was obtained (SSH, web shell, container exec) by examining parent process(es).

  4. Review executed commands: Analyze process arguments and reconstruct command history.

  5. Check reconnaissance activities: Investigate what system information was gathered and what tools were executed.

  6. Restore deleted evidence: Recover shell history and system logs from backups if they were deleted or modified.

  7. Validate user access: Verify legitimacy of Kubernetes or session user access where applicable.

  8. Hunt for lateral movement: Search for signs of movement to other systems using the compromised shell access.

  9. Remediate and harden: Close the access vector, reset credentials, and implement enhanced monitoring.