Auditd remote shell detected

Goal

Detect reverse or bind shells by identifying a bash process making a network connection. This pattern is a strong indicator of an interactive shell being tunneled over a network connection, commonly used in post-exploitation.

Strategy

This rule correlates two auditd records that share the same event_id: a SYSCALL record showing bash (/usr/bin/bash or /bin/bash) executing a connect syscall (normalized in OCSF as Network Activity, activity Open), and a SOCKADDR record carrying the destination address. Requiring both records on the same audit event confirms that the shell process itself opened a network socket, rather than merely spawning a child that did.
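As an added example, not Datadog's rule implementation or code from this page, the correlation described above run over constructed auditd lines in Python. It assumes x86_64 records (arch=c000003e, where syscall 42 is connect) and AF_INET destinations; `SAMPLE_AUDIT_LOG` is constructed, not captured data.

```python
import re
from collections import defaultdict

# Constructed sample auditd lines (not captured data); the serial after the colon in msg=audit(ts:serial) is the event_id.
SAMPLE_AUDIT_LOG = """\
type=SYSCALL msg=audit(1700000000.123:4567): arch=c000003e syscall=42 success=yes exit=0 a0=3 pid=2210 auid=1000 uid=1000 comm="bash" exe="/usr/bin/bash" key="net"
type=SOCKADDR msg=audit(1700000000.123:4567): saddr=02001F90C0A801050000000000000000
type=SYSCALL msg=audit(1700000000.456:4568): arch=c000003e syscall=42 success=yes exit=0 a0=3 pid=2300 auid=1000 uid=1000 comm="curl" exe="/usr/bin/curl" key="net"
type=SOCKADDR msg=audit(1700000000.456:4568): saddr=02000050C0A801060000000000000000
type=SYSCALL msg=audit(1700000000.789:4569): arch=c000003e syscall=42 success=yes exit=0 a0=3 pid=2310 auid=1000 uid=1000 comm="bash" exe="/bin/bash" key="net"
"""

SHELL_EXES = {"/usr/bin/bash", "/bin/bash"}        # the two paths named by the rule
CONNECT_SYSCALL_X86_64 = 42                          # assumption: x86_64 records (arch=c000003e)
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')       # key=value or key="quoted value"
MSG_RE = re.compile(r"msg=audit\((\d+\.\d+):(\d+)\)")

def parse_record(line):
    """Split one auditd line into its key=value fields plus the event serial (event_id)."""
    m = MSG_RE.search(line)
    fields = {k: v.strip('"') for k, v in FIELD_RE.findall(line)}
    fields["event_id"] = m.group(2) if m else None
    return fields

def decode_sockaddr(saddr_hex):
    """Decode an AF_INET saddr blob: 2-byte family (little-endian), 2-byte port (big-endian), 4-byte IPv4."""
    raw = bytes.fromhex(saddr_hex)
    if int.from_bytes(raw[0:2], "little") != 2:      # only AF_INET is handled here
        return None
    port = int.from_bytes(raw[2:4], "big")
    ip = ".".join(str(b) for b in raw[4:8])
    return ip, port

def detect_shell_connects(log_text):
    """Return (event_id, exe, auid, ip, port) for each event where bash called connect AND a SOCKADDR record shares its event_id."""
    by_event = defaultdict(dict)
    for line in log_text.splitlines():
        rec = parse_record(line)
        if rec["event_id"]:
            by_event[rec["event_id"]][rec["type"]] = rec
    hits = []
    for event_id, recs in by_event.items():
        sc, sa = recs.get("SYSCALL"), recs.get("SOCKADDR")
        if not (sc and sa):                          # both records required, as the rule demands
            continue
        if sc.get("exe") in SHELL_EXES and sc.get("syscall") == str(CONNECT_SYSCALL_X86_64):
            dst = decode_sockaddr(sa["saddr"])
            if dst:
                hits.append((event_id, sc["exe"], sc.get("auid"), dst[0], dst[1]))
    return hits
```

Calling `detect_shell_connects(SAMPLE_AUDIT_LOG)` flags only event 4567: event 4568 is curl rather than bash, and event 4569 has no matching SOCKADDR record.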

Triage and response

  1. Identify the remote endpoint from {{@ocsf.dst_endpoint.ip}} and {{@ocsf.dst_endpoint.port}} in the correlated SOCKADDR record.
  2. Determine the user context of the shell process using {{@ocsf.actor.user.name}} on host {{host}}.
  3. Check for signs of initial access: review authentication logs, web server logs, and any recently executed commands.
  4. Isolate the host if a reverse shell is confirmed and begin incident response. Block the remote IP at the network perimeter.
  5. Preserve forensic evidence before terminating the session.