Cloud Workload Protection Platform

Reverse Shell

Last updated: 2024-08-13 16:29:50
This document describes how to view and handle reverse shell alerts, and how to create an allowlist of permitted reverse connection behaviors.

Overview

The reverse shell feature uses Tencent Cloud's security detection technologies and multiple detection methods to identify and record reverse shell connections on your servers, and provides real-time monitoring of reverse shell behavior on your CVMs.

Prerequisites

The reverse shell feature is only supported on hosts of the Pro or Ultimate Edition. Basic Edition hosts must be upgraded to the Pro or Ultimate Edition to use this feature.

Alert List

1. Log in to the CWPP console. In the left sidebar, choose Intrusion Detection > Reverse Shell to enter the alarm list page of the reverse shell.
2. On the alarm list page, you can view the alarm events of the reverse shell and perform related operations.

Filter: Supports filtering by detected time, status, and keywords.
Custom display columns: Click the icon to set the fields displayed in the alarm list.
Export: Click the icon to export detailed information from the alarm list.
Field Description:
Server Name/Instance ID: The host name/instance ID controlled by the attacker's reverse shell.
IP Address: The host IP controlled by the attacker's reverse shell.
Connection Process: Processes on the host that establish reverse shell connections.
Executable Command: Commands executed by the host for reverse shell connections.
Risk Level: High (the target host IP is a public IP) or Medium (the target host IP is a LAN IP).
Parent Process: The parent process of the connecting process.
Target Server: The target host of the reverse shell connection.
Target Port: The target port of the reverse shell connection.
Detected Time: The time at which the reverse shell behavior was detected.
Check Method:
Behavior analysis: Detects potential threats or abnormal behaviors by monitoring system and network activity.
Command feature detection: Identifies and monitors command behaviors that may be related to reverse shells by analyzing the commands themselves (e.g., high-privilege commands, unconventional commands, and anomalous parameters).
Status: Pending, allowlisted, processed, and ignored.
Details: View detailed information about the reverse shell, including risk host information, connection process information, danger description, and fix suggestions.

Process: Mark as processed, add to allowlist, ignore, and delete log.

3. Display of private network reverse shell alarms.
3.1 Because private network reverse shell alarms are numerous, the private network reverse shell detection engine is disabled by default. To enable it, click Reverse Shell Settings in the upper right corner of the page.
3.2 On the reverse shell settings page, you can choose whether to enable private network reverse shell detection. If enabled, the system performs detection and reports alarm data; if disabled, the system stops detection.

3.3 You can also choose whether to display private network alarm data, either in the drawer of the reverse shell settings page or at the top of the alarm list. If the option is checked, the alarm list displays private network alarm data; if unchecked, it does not.


Allowlist Management

At the top of the reverse shell page, select Allowlist Policies to enter the allowlist management page.

Filter: Supports filtering by connection process.
Custom Display Columns: Click the icon to set the fields displayed in the policy list.
Field Description:
Server: Servers on which the allowlist is effective.
Connection Process: Connection processes added to the allowlist.
Target Server: The target host of the reverse shell.
Target Port: The target port of the reverse shell.
Creation Time: The creation time of the allowlist.
Update Time: The update time of the allowlist.
Edit: Edit the allowlist.
Delete: Delete the allowlist.
Add Allowlist:

Note:
IP format: Single IP (127.0.0.1), IP range (127.0.0.1-127.0.0.254), or CIDR block (127.0.0.1/24).
Port format: 80, 8080 (multiple ports are separated by commas; leave empty if there is no port limit).
When both the IP and port conditions are set, both must be met for an alert to hit the allowlist.
If all servers are chosen in the server range, this allowlist will be added to all servers under the user's APPID. Proceed with caution.


