---
title: Remote shell detected
---

# Remote shell detected
Classification: attack | Tactic: [TA0011-command-and-control](https://attack.mitre.org/tactics/TA0011) | Technique: [T1059-command-and-scripting-interpreter](https://attack.mitre.org/techniques/T1059)
## Goal{% #goal %}

Detect reverse or bind shells by identifying a shell process opening a network connection. This pattern is a strong indicator of an interactive shell being tunneled over the network, and is commonly used in post-exploitation activity.

## Strategy{% #strategy %}

This rule fires on Network Activity Open events (`ocsf.class_uid:4001 @ocsf.activity_id:1`) where the actor process name is a common Linux shell. It is the cross-source counterpart to the `linux-audit-logs` rule of the same name and excludes that source so it does not double-fire on auditd events, which require event-id correlation across SYSCALL and SOCKADDR records to recover the destination endpoint.
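As an added example that is not Datadog's rule code, the following Python evaluates the conditions described above against constructed OCSF-shaped events and pulls out the fields the triage steps reference. The `ocsf.actor.process.name` and `source` field paths, the shell name list, and the sample events are assumptions of the example, not values taken from the rule.

```python
# Shell names treated as "common Linux shells"; the rule's real list is not on
# the page, so this set is an assumption of the example.
SHELLS = {"sh", "bash", "dash", "zsh", "ksh", "ash"}
NETWORK_ACTIVITY = 4001   # OCSF class_uid: Network Activity
ACTIVITY_OPEN = 1         # OCSF activity_id: Open
EXCLUDED_SOURCE = "linux-audit-logs"  # covered by the auditd-specific rule

def get(event, path):
    """Walk a dotted path such as 'ocsf.actor.process.name' through nested dicts."""
    cur = event
    for key in path.split("."):
        if not isinstance(cur, dict) or key not in cur:
            return None
        cur = cur[key]
    return cur

def matches_remote_shell(event):
    """True when the event satisfies every condition the strategy describes."""
    return (get(event, "source") != EXCLUDED_SOURCE
            and get(event, "ocsf.class_uid") == NETWORK_ACTIVITY
            and get(event, "ocsf.activity_id") == ACTIVITY_OPEN
            and get(event, "ocsf.actor.process.name") in SHELLS)

def triage_fields(event):
    """The fields the triage steps reference, ready for an analyst or a ticket."""
    return {"host": get(event, "host"),
            "user": get(event, "ocsf.actor.user.name"),
            "dst_ip": get(event, "ocsf.dst_endpoint.ip"),
            "dst_port": get(event, "ocsf.dst_endpoint.port")}

def find_remote_shells(events):
    """Evaluate a batch of events and return triage details for each match."""
    return [triage_fields(e) for e in events if matches_remote_shell(e)]

def _event(source, host, proc, user, ip, port, class_uid=4001, activity_id=1):
    """Build a constructed OCSF-shaped event (sample data, not real telemetry)."""
    return {"source": source, "host": host,
            "ocsf": {"class_uid": class_uid, "activity_id": activity_id,
                     "actor": {"process": {"name": proc}, "user": {"name": user}},
                     "dst_endpoint": {"ip": ip, "port": port}}}

# Constructed sample batch: one true match, one auditd duplicate the rule must
# skip, one non-shell process, and one shell event whose activity is not Open.
SAMPLE_EVENTS = [
    _event("host-agent", "web-01", "bash", "www-data", "203.0.113.7", 4444),
    _event("linux-audit-logs", "web-01", "bash", "www-data", "203.0.113.7", 4444),
    _event("host-agent", "web-01", "curl", "www-data", "198.51.100.2", 443),
    _event("host-agent", "db-01", "sh", "root", "10.0.0.5", 5432, activity_id=2),
]
```

Calling `find_remote_shells(SAMPLE_EVENTS)` returns only the first event's triage fields; the auditd copy of the same connection is skipped, which is the double-firing the source exclusion prevents.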

## Triage and response{% #triage-and-response %}

1. Identify the remote endpoint from `{{@ocsf.dst_endpoint.ip}}` and `{{@ocsf.dst_endpoint.port}}`.
1. Determine the user context of the shell process using `{{@ocsf.actor.user.name}}` on host `{{host}}`.
1. Check for signs of initial access: review authentication logs, web server logs, and any recently executed commands.
1. Isolate the host if a reverse shell is confirmed and begin incident response.
1. Block the remote IP at the network perimeter.
1. Preserve forensic evidence before terminating the session.
