Post compromise shell detected

Goal

Detect attempts to create an interactive shell from common web or application processes.

Strategy

Many applications (for example, certain databases, web servers, and search engines) are hosted by binaries that run on the host. Attackers may take advantage of flaws in programs built with these applications (for example, SQL injection on a database running as a Java process).

This detection triggers when a process spawns common shell utilities, HTTP utilities, or shells with arguments that are known to be used to establish shells on the targeted asset. If this is unexpected behavior, it could indicate an attacker is attempting to compromise your host.

Requires Agent version 7.27 or later.