The reverse-shell-ransomware-macos detection identifies potential ransomware activity on macOS systems where an adversary establishes a reverse shell to exfiltrate data or deploy malicious payloads. SOC teams should proactively hunt for this behavior to detect and mitigate early-stage ransomware attacks that target macOS environments, which are increasingly becoming a focus for cybercriminals.
KQL Query
union DeviceFileEvents, DeviceProcessEvents
| where Timestamp >= ago(7d)
| where ProcessCommandLine has "bash -i >& /dev/tcp/"
id: 936d985d-f44c-4ec7-81ae-7aa1995f940d
name: reverse-shell-ransomware-macos
description: |
This query was originally published in the threat analytics report, EvilQuest signals the rise of Mac ransomware.
As of the time of this writing (October 2020), ransomware designed to target macOS is relatively rare. EvilQuest is one of the few examples of this kind of malware on the platform.
The query below can help locate a reverse shell established by an attacker. The command the query searches for is associated with, but not definitely indicative of, EvilQuest infections.
Other queries related to EvilQuest ransomware can be found under the See also section below.
requiredDataConnectors:
- connectorId: MicrosoftThreatProtection
dataTypes:
- DeviceFileEvents
- DeviceProcessEvents
tactics:
- Command and control
query: |
union DeviceFileEvents, DeviceProcessEvents
| where Timestamp >= ago(7d)
| where ProcessCommandLine has "bash -i >& /dev/tcp/"
| Sentinel Table | Notes |
|---|---|
DeviceFileEvents | Ensure this data connector is enabled |
DeviceProcessEvents | Ensure this data connector is enabled |
Scenario: System Maintenance Script Execution
Description: A legitimate system maintenance script (e.g., cron job or launchd plist) is executed that includes a reverse shell payload as part of a diagnostic or troubleshooting process.
Filter/Exclusion: Exclude processes initiated by cron or launchd with known maintenance scripts (e.g., /usr/sbin/system_profiler, /usr/sbin/launchctl).
Scenario: Admin Task with Sudo Privileges
Description: An administrator is performing a routine task (e.g., updating software or configuring a service) using sudo, which may involve executing commands that resemble reverse shell patterns.
Filter/Exclusion: Exclude processes with sudo in the command line or where the user is a known admin (e.g., root, admin_user) and the command is part of a documented administrative task.
Scenario: Scheduled Job with Network Connectivity
Description: A scheduled job (e.g., a backup or monitoring script) is configured to communicate with an internal server or cloud service, which may trigger the reverse shell detection due to network activity.
Filter/Exclusion: Exclude processes that match known internal services (e.g., backup_script.sh, monitoring_tool.sh) or have IP addresses within the internal network range.
Scenario: Malicious Tool with Legitimate Behavior
Description: A legitimate security tool (e.g., tcpdump, wireshark, or nmap) is used to capture or analyze network traffic, which may include reverse shell-like behavior during packet inspection.
Filter/Exclusion: Exclude processes related to network analysis tools (e.g., tcpdump, nmap, wireshark) or those running with elevated privileges for packet capture.
Scenario: Remote Management Tool Usage
Description: A