
Reverse Shell

Last updated: 2024-08-13 16:29:50
    This document will introduce how to view and handle reverse shell details, and guide you on creating an allowlist for setting permitted reverse connection behaviors.

    Overview

    The reverse shell feature is powered by Tencent Cloud's advanced security technologies and multidimensional approaches, enabling the identification and recording of reverse shell connections on the servers and providing real-time monitoring capabilities for reverse shell behaviors on your CVMs.

    Prerequisites

    The reverse shell feature is only supported by hosts of Pro or Ultimate Edition. Basic Edition hosts need to upgrade to Pro edition or Ultimate edition to use this feature.

    Alert List

    1. Log in to the CWPP console. In the left sidebar, choose Intrusion Detection > Reverse Shell to enter the alarm list page of the reverse shell.
    2. On the alarm list page, you can view the alarm events of the reverse shell and perform related operations.
    
    Filter: Supports filtering by detected time, status, and keywords.
    Custom display columns: Click the icon to set the fields displayed in the alarm list.
    Export: Click the icon to export detailed information from the alarm list.
    Field Description:
    Server Name/Instance ID: The host name/instance ID controlled by the attacker's reverse shell.
    IP Address: The host IP controlled by the attacker's reverse shell.
    Connection Process: Processes on the host that establish reverse shell connections.
    Executable Command: Commands executed by the host for reverse shell connections.
    Risk Level: High-risk (target host IP is a public IP), and medium-risk (target host IP is a LAN IP).
    Parent Process: The parent process of the connecting process.
    Target Server: The target host of the reverse shell connection.
    Target Port: The target port of the reverse shell connection.
    Detected Time: The time at which the reverse shell behavior was detected.
    Check Method:
    Behavior analysis: Detects potential threats or abnormal behaviors by monitoring system and network activity.
    Command feature detection: Identifies and monitors command behaviors that may be related to reverse shells by analyzing the commands themselves (e.g., high-privilege commands, unconventional commands, and anomalous parameters).
    Status: Pending, allowlisted, processed, and ignored.
    Details: View detailed information about the reverse shell, including risk host information, connection process information, danger description, and fix suggestions.
    
    Process: Mark as processed, add to allowlist, ignore, and delete log.
    
    3. Display of private network reverse shell alarms.
    3.1 Due to the large number of private network reverse shell alarms, the detection engine for private network reverse shell is disabled by default. To enable it, click Reverse Shell Settings in the upper right corner of the page to configure.
    3.2 On the reverse shell settings page, you can define whether to enable private network reverse shell detection. If enabled, the system will support detection and report alarm data. If disabled, the system will stop detection.
    
    3.3 Additionally, you can set whether to display private network alarm data in the reverse shell configuration page drawer or at the top of the alarm list. If checked, the alarm list will display private network alarm data. If unchecked, it will not display private network alarm data.
    

    Allowlist Management

    At the top of the reverse shell page, select Allowlist Policies to enter the allowlist management page.
    
    Filter: Supports filtering by connection process.
    Custom Display Columns: Click the icon to set the fields displayed in the policy list.
    Field Description:
    Server: Servers on which the allowlist is effective.
    Connection Process: Connection processes added to the allowlist.
    Target Server: The target host of the reverse shell.
    Target Port: The target port of the reverse shell.
    Creation Time: The creation time of the allowlist.
    Update Time: The update time of the allowlist.
    Edit: Edit the allowlist.
    Delete: Delete the allowlist.
    Add Allowlist:
    
    Note:
    IP format: Single IP (127.0.0.1), IP range (127.0.0.1-127.0.0.254), or CIDR block (127.0.0.1/24).
    Port format: 80, 8080 (multiple ports are separated by commas; leave empty if there is no port restriction).
    When both the target IP and target port conditions are checked, a connection must satisfy both to hit the allowlist.
    If all servers are chosen in the server range, this allowlist will be added to all servers under the user's APPID. Proceed with caution.
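The following Python snippet is an added example, not Tencent Cloud CWPP code, showing how the allowlist rules above (single IP, IP range, CIDR block; comma-separated ports or no port limit; both conditions must hold when both are set) and the Risk Level rule from the alert list (high-risk for a public target IP, medium-risk for a LAN target IP) can be applied to alert records. The alert dictionary shape, the `AllowlistEntry` class, the process names and IPs in the sample data, and the choice of RFC 1918 plus loopback and link-local ranges as the definition of "LAN IP" are all assumptions of this example.

```python
"""Allowlist matching and risk triage for reverse shell alerts.

Added example; not CWPP's own code. Assumes a simplified alert record
(process, target_ip, target_port) and allowlist entries written in the
formats the page documents.
"""
import ipaddress
from dataclasses import dataclass

# Assumption: "LAN IP" means RFC 1918, loopback and link-local ranges.
LAN_NETWORKS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",   # RFC 1918
    "127.0.0.0/8", "169.254.0.0/16",                   # loopback, link-local
    "fc00::/7", "fe80::/10", "::1/128",                # IPv6 equivalents
)]


def risk_level(target_ip: str) -> str:
    """High-risk when the target is a public IP, medium-risk for a LAN IP."""
    ip = ipaddress.ip_address(target_ip)
    return "medium" if any(ip in net for net in LAN_NETWORKS) else "high"


def ip_matches(spec: str, ip_str: str) -> bool:
    """True if ip_str falls inside spec.

    spec may be a single IP ("127.0.0.1"), an inclusive range
    ("127.0.0.1-127.0.0.254") or a CIDR block ("127.0.0.1/24").
    """
    spec = spec.strip()
    ip = ipaddress.ip_address(ip_str)
    if "-" in spec:
        lo_s, hi_s = spec.split("-", 1)
        lo, hi = ipaddress.ip_address(lo_s.strip()), ipaddress.ip_address(hi_s.strip())
        if lo.version != hi.version or lo > hi:
            raise ValueError(f"bad IP range: {spec}")
        return ip.version == lo.version and lo <= ip <= hi
    if "/" in spec:
        # strict=False lets a host address such as 127.0.0.1/24 denote its block
        return ip in ipaddress.ip_network(spec, strict=False)
    return ip == ipaddress.ip_address(spec)


def parse_port_spec(spec: str):
    """Comma-separated port list; empty string means no port restriction (None)."""
    spec = spec.strip()
    if not spec:
        return None
    ports = set()
    for item in spec.split(","):
        port = int(item.strip())
        if not 0 < port <= 65535:
            raise ValueError(f"bad port: {item}")
        ports.add(port)
    return ports


@dataclass(frozen=True)
class AllowlistEntry:
    process: str           # connection process the entry applies to
    target_ip: str = ""    # empty: IP condition not checked
    target_port: str = ""  # empty: port condition not checked

    def matches(self, process: str, ip: str, port: int) -> bool:
        if process != self.process:
            return False
        # Page rule: when both conditions are checked, both must be met.
        if self.target_ip and not ip_matches(self.target_ip, ip):
            return False
        allowed = parse_port_spec(self.target_port)
        if allowed is not None and port not in allowed:
            return False
        return True


def triage(alert: dict, allowlist) -> tuple:
    """Return ("allowlisted", None) on a hit, else ("pending", risk level)."""
    for entry in allowlist:
        if entry.matches(alert["process"], alert["target_ip"], alert["target_port"]):
            return ("allowlisted", None)
    return ("pending", risk_level(alert["target_ip"]))


# Constructed sample data (hypothetical process names and addresses).
SAMPLE_ALLOWLIST = [
    AllowlistEntry("healthcheck-agent", "10.0.0.1-10.0.0.254", "8080,8081"),
    AllowlistEntry("backup-tunnel", "192.168.1.0/24", ""),  # any port
]
SAMPLE_ALERTS = [
    {"process": "healthcheck-agent", "target_ip": "10.0.0.17", "target_port": 8080},
    {"process": "healthcheck-agent", "target_ip": "10.0.0.17", "target_port": 4444},
    {"process": "bash", "target_ip": "203.0.113.9", "target_port": 443},
    {"process": "backup-tunnel", "target_ip": "192.168.1.77", "target_port": 2222},
]

if __name__ == "__main__":
    for alert in SAMPLE_ALERTS:
        print(alert["process"], alert["target_ip"], alert["target_port"], "->", triage(alert, SAMPLE_ALLOWLIST))
```

The second sample alert shows why the "both conditions" rule matters: the IP falls inside the allowlisted range, but the port does not, so the connection stays pending rather than being silently allowlisted.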