Interactive shell compromise attack
Goal
Detect interactive shell compromise attacks by correlating multiple indicators of shell-based access, post-exploitation activity, and evasion within the same execution context.
Strategy
This correlation rule identifies shell compromise operations by detecting combinations of the following activity groups:
- Interactive Access: Interactive shell in container, TTY shell, user-created or deleted TTY, or AppArmor-modified TTY sessions
- Remote Access: SSH sessions, outbound SSH connections, non-standard SSH connections, Kubernetes user sessions, or tmate usage
- Reconnaissance: System enumeration (for example, whoami, lsmod), kernel module listing, network intrusion utilities, sniffing tools, container breakout enumeration, image enumeration, credential discovery, management socket access, IP check domains, debugfs usage, offensive Kubernetes tools, or mounting in container
- Evasion: Shell history deletion, truncation, or symlink manipulation, system log deletion, auditd configuration or rule modification, SELinux enforcement disabling, self-unlinking, memfd_create, prctl masquerading, /dev/shm execution, or hidden file execution
- Persistence: Cron or at job creation, SSH authorized keys modification, systemd unit modification, rc script modification, shell profile modification, credential modification, or passwd execution
- Reverse Shell: Netcat shell, socat shell, Perl shell, shell network connections, or tunnel traffic
The rule triggers different severity levels based on the combination of detected activities:
| Case | Severity | Condition |
|---|---|---|
| Full Interactive Compromise | Critical | Interactive Access + Reconnaissance + Evasion + Persistence |
| Full Remote Compromise | Critical | Remote Access + Reconnaissance + Evasion + Persistence |
| Interactive Reverse Shell with Evasion | Critical | Interactive Access + Reverse Shell + Evasion |
| Remote Reverse Shell with Evasion | Critical | Remote Access + Reverse Shell + Evasion |
| Interactive Shell Recon and Evasion | High | Interactive Access + Reconnaissance + Evasion |
| Remote Shell Recon and Evasion | High | Remote Access + Reconnaissance + Evasion |
| Interactive Shell with Persistence | High | Interactive Access + Reconnaissance + Persistence |
| Remote Shell with Persistence | High | Remote Access + Reconnaissance + Persistence |
| Interactive Shell with Reverse Shell | Medium | Interactive Access + Reverse Shell |
| Remote Shell with Reverse Shell | Medium | Remote Access + Reverse Shell |
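The following is an added example of the correlation logic the table describes, written here for illustration; it is not the rule's own implementation. It assumes each upstream detection is a small record carrying an execution context (container or session identifier) and the activity group it belongs to, groups those records per context, and evaluates the severity cases in the order of the table so that the most severe matching case wins.

```python
"""Correlate shell-activity indicators per execution context and assign a severity.

Added example, not the detection rule's own code. Assumes each detection event
is a dict with a "context" key (container id or session id) and a "group" key
naming one of the activity groups from the Strategy section above.
"""
from collections import defaultdict

# Activity groups named in the rule.
INTERACTIVE = "Interactive Access"
REMOTE = "Remote Access"
RECON = "Reconnaissance"
EVASION = "Evasion"
PERSIST = "Persistence"
REVSHELL = "Reverse Shell"

# Severity cases, most severe first; the first case whose required groups
# are all present wins, so a superset (e.g. reverse shell + evasion) is not
# downgraded to the weaker "reverse shell only" case.
CASES = [
    ("Full Interactive Compromise", "Critical", {INTERACTIVE, RECON, EVASION, PERSIST}),
    ("Full Remote Compromise", "Critical", {REMOTE, RECON, EVASION, PERSIST}),
    ("Interactive Reverse Shell with Evasion", "Critical", {INTERACTIVE, REVSHELL, EVASION}),
    ("Remote Reverse Shell with Evasion", "Critical", {REMOTE, REVSHELL, EVASION}),
    ("Interactive Shell Recon and Evasion", "High", {INTERACTIVE, RECON, EVASION}),
    ("Remote Shell Recon and Evasion", "High", {REMOTE, RECON, EVASION}),
    ("Interactive Shell with Persistence", "High", {INTERACTIVE, RECON, PERSIST}),
    ("Remote Shell with Persistence", "High", {REMOTE, RECON, PERSIST}),
    ("Interactive Shell with Reverse Shell", "Medium", {INTERACTIVE, REVSHELL}),
    ("Remote Shell with Reverse Shell", "Medium", {REMOTE, REVSHELL}),
]


def classify(groups):
    """Return (case, severity) for a set of observed groups, or None if no case matches."""
    for case, severity, required in CASES:
        if required <= groups:
            return case, severity
    return None


def correlate(events):
    """Group events by execution context; return {context: (case, severity, sorted groups)}."""
    by_ctx = defaultdict(set)
    for ev in events:
        by_ctx[ev["context"]].add(ev["group"])
    result = {}
    for ctx, groups in by_ctx.items():
        hit = classify(groups)
        if hit:
            result[ctx] = (hit[0], hit[1], sorted(groups))
    return result


# Constructed sample events (not real telemetry).
SAMPLE_EVENTS = [
    {"context": "ctr-a1", "group": INTERACTIVE, "signal": "interactive shell in container"},
    {"context": "ctr-a1", "group": RECON, "signal": "whoami executed"},
    {"context": "ctr-a1", "group": EVASION, "signal": "shell history truncated"},
    {"context": "ctr-a1", "group": PERSIST, "signal": "cron job created"},
    {"context": "ssh-b2", "group": REMOTE, "signal": "ssh session"},
    {"context": "ssh-b2", "group": REVSHELL, "signal": "netcat shell"},
    {"context": "ssh-c3", "group": REMOTE, "signal": "ssh session"},
    {"context": "ssh-c3", "group": RECON, "signal": "lsmod"},  # remote + recon alone matches no case
]

if __name__ == "__main__":
    for ctx, (case, sev, groups) in correlate(SAMPLE_EVENTS).items():
        print(f"{ctx}: {sev} - {case} ({', '.join(groups)})")
```

Note that a single SSH session on a TTY can legitimately raise both an Interactive Access and a Remote Access indicator; with the ordering above such a context is reported under the interactive-labelled case, which is why the case name, not only the severity, is worth surfacing in the alert.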
Triage & Response
1. Terminate shell sessions: Immediately stop the identified shell process(es).
2. Isolate the system: Disconnect the affected host and container (or pod) from the network.
3. Analyze shell access method: Determine how shell access was obtained (SSH, web shell, container exec) by examining parent process(es).
4. Review executed commands: Analyze process arguments and reconstruct command history.
5. Check reconnaissance activities: Investigate what system information was gathered and what tools were executed.
6. Restore deleted evidence: Recover shell history and system logs from backups if they were deleted or modified.
7. Validate user access: Verify legitimacy of Kubernetes or session user access where applicable.
8. Hunt for lateral movement: Search for signs of movement to other systems using the compromised shell access.
9. Remediate and harden: Close the access vector, reset credentials, and implement enhanced monitoring.
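As an added triage helper for the "analyze shell access method" step (illustrative code, not part of the original rule page), the snippet below walks the parent chain of a suspicious shell in a process snapshot and labels how the shell was most likely reached. It assumes a `ps -eo pid,ppid,comm` style listing (or the equivalent from a forensic image) and the mapping of ancestor names to access methods is an assumption of this example.

```python
"""Reconstruct the parent chain of a suspicious shell and label the access method.

Added triage helper, not part of the original rule page. Assumes a process
table of (pid, ppid, comm) records, e.g. from `ps -eo pid,ppid,comm`; the
ancestor-to-method mapping below is an assumption for illustration.
"""
from collections import namedtuple

Proc = namedtuple("Proc", "pid ppid comm")

# Ancestor process names that hint at how a shell was reached (assumed labels).
ACCESS_HINTS = {
    "sshd": "SSH",
    "containerd-shim": "container exec",
    "runc": "container exec",
    "kubelet": "container exec",
    "apache2": "web shell",
    "httpd": "web shell",
    "nginx": "web shell",
    "php-fpm": "web shell",
    "cron": "scheduled job",
}


def parse_ps(text):
    """Parse `ps -eo pid,ppid,comm` style output; a header line is skipped."""
    table = []
    for line in text.strip().splitlines():
        parts = line.split(None, 2)
        if len(parts) < 3 or not parts[0].isdigit():
            continue
        table.append(Proc(int(parts[0]), int(parts[1]), parts[2]))
    return table


def ancestry(table, pid):
    """Follow ppid links from pid upward until the parent is missing or a cycle is hit."""
    by_pid = {p.pid: p for p in table}
    chain, seen = [], set()
    while pid in by_pid and pid not in seen:
        seen.add(pid)
        proc = by_pid[pid]
        chain.append(proc)
        pid = proc.ppid
    return chain


def access_method(table, pid):
    """Return (label, ancestor names) using the nearest hinted ancestor above the shell."""
    chain = ancestry(table, pid)
    names = [p.comm for p in chain]
    for proc in chain[1:]:  # skip the shell itself
        if proc.comm in ACCESS_HINTS:
            return ACCESS_HINTS[proc.comm], names
    return "unknown", names


# Constructed process snapshot (not from a real host).
SAMPLE_PS = """
  PID  PPID COMMAND
    1     0 systemd
  412     1 sshd
 2210   412 sshd
 2215  2210 bash
  730     1 containerd-shim
  745   730 sh
  901     1 nginx
  905   901 php-fpm
  950   905 sh
 1200     1 bash
"""

if __name__ == "__main__":
    table = parse_ps(SAMPLE_PS)
    for pid in (2215, 745, 950, 1200):
        label, names = access_method(table, pid)
        print(f"pid {pid}: {label} via {' <- '.join(names)}")
```

An "unknown" result (a shell reparented directly under pid 1) is itself a finding worth noting during triage: it is consistent with a daemonised or double-forked process whose original parent has exited, so the command history and network connections of that shell deserve a closer look.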