MEDIUM
Source
Tracee
ID
TRC-12
Version
0.1.0
Date
28 Jun 2022

Illegitimate Shell

A program on your server spawned a shell program. Shell is the linux command-line program, server programs usually don’t run shell programs, so this alert might indicate an adversary is exploiting a server program to spawn a shell on your server.

MITRE ATT&CK

Initial Access: Exploit Public-Facing Application

Rego Policy

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
package tracee.TRC_12

import data.tracee.helpers

__rego_metadoc__ := {
	"id": "TRC-12",
	"version": "0.1.0",
	"name": "Illegitimate Shell",
	"description": "A program on your server spawned a shell program. Shell is the linux command-line program, server programs usually don't run shell programs, so this alert might indicate an adversary is exploiting a server program to spawn a shell on your server.",
	"tags": ["linux", "container"],
	"properties": {
		"Severity": 2,
		"MITRE ATT&CK": "Initial Access: Exploit Public-Facing Application",
	},
}

eventSelectors := [{
	"source": "tracee",
	"name": "security_bprm_check",
	"origin": "*",
}]

tracee_selected_events[eventSelector] {
	eventSelector := eventSelectors[_]
}

tracee_match {
	input.eventName == "security_bprm_check"

	pathname := helpers.get_tracee_argument("pathname")
	binary_names = ["/ash", "/bash", "/csh", "/ksh", "/sh", "/tcsh", "/zsh", "/dash"]
	binary := binary_names[_]
	endswith(pathname, binary)

	pname := input.processName
	web_server_process_names = ["nginx", "httpd", "httpd-foregroun", "lighttpd", "apache", "apache2"]
	proc_name := web_server_process_names[_]
	pname == proc_name
}