Remote shell detected

Goal

Detect reverse or bind shells by identifying a shell process opening a network connection. This pattern is a strong indicator of an interactive shell being tunneled over the network, and is commonly used in post-exploitation activity.

Strategy

This rule fires on Network Activity Open events (ocsf.class_uid:4001 @ocsf.activity_id:1) where the actor process name is a common Linux shell. It is the cross-source counterpart to the linux-audit-logs rule of the same name and excludes that source so it does not double-fire on auditd events, which require event-id correlation across SYSCALL and SOCKADDR records to recover the destination endpoint.

Triage and response

  1. Identify the remote endpoint from {{@ocsf.dst_endpoint.ip}} and {{@ocsf.dst_endpoint.port}}.
  2. Determine the user context of the shell process using {{@ocsf.actor.user.name}} on host {{host}}.
  3. Check for signs of initial access: review authentication logs, web server logs, and any recently executed commands.
  4. Isolate the host if a reverse shell is confirmed and begin incident response.
  5. Block the remote IP at the network perimeter.
  6. Preserve forensic evidence before terminating the session.
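The following is an added example, not Datadog's rule implementation or the page's own code, that applies the strategy above to constructed OCSF-style JSON log lines and pulls out the fields the triage steps ask for (destination IP and port, user name, host). It assumes an event layout with an `ocsf` object carrying `class_uid`, `activity_id`, `actor.process.name`, `actor.user.name` and `dst_endpoint`, a top-level `source` tag used for the linux-audit-logs exclusion, and a list of shell names that the page does not enumerate; all of those are assumptions, as are the sample events.

```python
import json

# Assumed set of "common Linux shell" process names; the rule text does not
# list them, so this set is an assumption for the example.
SHELL_NAMES = {"sh", "bash", "dash", "zsh", "ksh", "ash", "fish"}

NETWORK_ACTIVITY_CLASS_UID = 4001   # OCSF Network Activity class (from the rule)
ACTIVITY_OPEN = 1                   # OCSF activity_id 1 = Open (from the rule)
EXCLUDED_SOURCE = "linux-audit-logs"  # covered by the sibling auditd rule


def process_basename(name: str) -> str:
    """Normalize a process name that may arrive as a full path (/bin/bash)."""
    return name.rsplit("/", 1)[-1]


def is_remote_shell(event: dict) -> bool:
    """Return True when the event matches the rule's detection logic."""
    if event.get("source") == EXCLUDED_SOURCE:
        return False                       # avoid double-firing on auditd
    ocsf = event.get("ocsf", {})
    if ocsf.get("class_uid") != NETWORK_ACTIVITY_CLASS_UID:
        return False
    if ocsf.get("activity_id") != ACTIVITY_OPEN:
        return False                       # only connection opens, not closes
    name = ocsf.get("actor", {}).get("process", {}).get("name", "")
    return process_basename(name) in SHELL_NAMES


def triage_fields(event: dict) -> dict:
    """Extract the fields the triage steps reference for a matching event."""
    ocsf = event["ocsf"]
    actor = ocsf.get("actor", {})
    dst = ocsf.get("dst_endpoint", {})
    return {
        "host": event.get("host"),
        "user": actor.get("user", {}).get("name"),
        "process": process_basename(actor.get("process", {}).get("name", "")),
        "dst_ip": dst.get("ip"),
        "dst_port": dst.get("port"),
    }


def detect(lines):
    """Run the rule over newline-delimited JSON events; return triage records."""
    alerts = []
    for line in lines:
        event = json.loads(line)
        if is_remote_shell(event):
            alerts.append(triage_fields(event))
    return alerts


# Constructed sample events (hypothetical hosts, users and addresses).
SAMPLE_LINES = [
    # bash opening an outbound connection: should fire
    json.dumps({"host": "web-01", "source": "workload-security",
                "ocsf": {"class_uid": 4001, "activity_id": 1,
                         "actor": {"process": {"name": "bash"},
                                   "user": {"name": "www-data"}},
                         "dst_endpoint": {"ip": "203.0.113.5", "port": 4444}}}),
    # curl opening a connection: not a shell, should not fire
    json.dumps({"host": "web-01", "source": "workload-security",
                "ocsf": {"class_uid": 4001, "activity_id": 1,
                         "actor": {"process": {"name": "curl"},
                                   "user": {"name": "www-data"}},
                         "dst_endpoint": {"ip": "198.51.100.7", "port": 443}}}),
    # same pattern from the auditd source: excluded to avoid double-firing
    json.dumps({"host": "web-01", "source": "linux-audit-logs",
                "ocsf": {"class_uid": 4001, "activity_id": 1,
                         "actor": {"process": {"name": "bash"},
                                   "user": {"name": "www-data"}},
                         "dst_endpoint": {"ip": "203.0.113.5", "port": 4444}}}),
    # shell given as a full path: normalized to its basename, should fire
    json.dumps({"host": "db-02", "source": "workload-security",
                "ocsf": {"class_uid": 4001, "activity_id": 1,
                         "actor": {"process": {"name": "/usr/bin/dash"},
                                   "user": {"name": "postgres"}},
                         "dst_endpoint": {"ip": "192.0.2.9", "port": 1337}}}),
    # shell closing a connection (activity_id 2): not an Open, should not fire
    json.dumps({"host": "db-02", "source": "workload-security",
                "ocsf": {"class_uid": 4001, "activity_id": 2,
                         "actor": {"process": {"name": "bash"},
                                   "user": {"name": "root"}},
                         "dst_endpoint": {"ip": "192.0.2.9", "port": 1337}}}),
]

if __name__ == "__main__":
    for alert in detect(SAMPLE_LINES):
        print(alert)
```

Of the five constructed events, only the first and fourth match: the second is not a shell, the third is excluded by source, and the fifth is a close rather than an open. The basename normalization is an added convenience so that an event reporting `/usr/bin/dash` is treated the same as one reporting `dash`.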