Versions (4)
Version DetailsCurrent
Rev: 1 • Mar 23, 2023, 12:00 PMET ATTACK_RESPONSE Interactive Reverse Shell Without TTY (Outbound)
alert tcp-pkt $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ATTACK_RESPONSE Interactive Reverse Shell Without TTY (Outbound)"; flow:established,to_server; pcre:"/^(?:ba)?sh/"; content:"|3a 20|no|20|job|20|control|20|in|20|this|20|shell"; fast_pattern; within:30; reference:url,pentestmonkey.net/blog/post-exploitation-without-a-tty; reference:url,www.mandiant.com/resources/blog/unc961-multiverse-financially-motivated; classtype:successful-admin; sid:2044751; rev:1; metadata:affected_product Linux, attack_target Client_Endpoint, created_at 2023_03_23, deployment Perimeter, confidence High, signature_severity Major, tag Description_Generated_By_Proofpoint_Nexus, updated_at 2023_03_23, reviewed_at 2024_01_26;)
Mar 23, 2023, 12:00 PM
Mar 23, 2023, 12:00 PM
Sep 21, 2024, 3:00 AM
Aug 25, 2025, 9:35 PM
rules/emerging-attack_response.rules