1. Overview

Reverse shell is a method used by attackers for gaining access to a victim’s system. A reverse shell is a established by a malicious payload executed on a targeted resource which connects to a pre-configured host and provides an attacker the means to execute interactive shell commands through that connection.

2. Investigation

In the following incident, you can see that a reverse shell was used to provide a remote user interactive shell on this host, potentially enabling an attacker to execute any command that the user used to launch the reverse shell is authorized to execute.

reverse shell

The first step in an investigation is to validate that the reverse shell represent a bona fide security incident. While it is unlikely that a legitimate application or user is using a reverse shell for legitimate reasons, the first step should be validation that the reported application and user have not used reverse shell intentionally.

In this case it appears that a user used nc in order to allow a remote shell via ssh. "View forensics data" can be used to gain better understanding on what was done via the shell and understand whether this was for legitimate activity.

Having determined that this is a bona fide incident, the next steps focus on determining how an attacker managed to execute the process that allowed them to initiate the remote shell.

Check Incident Explorer for additional incidents. Review additional runtime audits for the source to see if there are other clues.

Review access to the resources and ensure that the affected account(s) weren’t subsequently used for further access to systems and data.

3. Mitigation

A full mitigation strategy for this incident begins with resolving the issues that allowed the attacker to execute the process that initiated the remote shell.

Ensure that compliance benchmarks and patches are appropriately applied to the affected resources. For example, an unpatched critical vulnerability can be abused to execute a process that allows for the remote shell to be triggered remotely.