block reverse shells batch script

Yulia Chive

3 min read

·

08-12-2024

6

0

Share

Blocking Reverse Shells in Batch Script: A Comprehensive Guide

Reverse shells are a common technique used by attackers to gain unauthorized access to a system. This article explores how to mitigate this threat by creating a batch script designed to detect and block attempts to establish a reverse shell. While no single solution provides complete protection, this approach adds a layer of security to your Windows systems.

Understanding Reverse Shells

A reverse shell works by having the compromised system connect back to a server controlled by the attacker. This allows the attacker to execute commands and control the system remotely. Batch scripts, due to their relative simplicity, are sometimes used in the initial stages of an attack. This script focuses on detecting and blocking common methods used to establish a reverse shell within batch scripts.

Identifying Suspicious Activity:

The core of our blocking mechanism lies in identifying suspicious commands commonly associated with reverse shell creation. We'll look for keywords within batch scripts that indicate attempts to establish connections using tools like netcat (nc) or similar utilities.

The Batch Script:

The following batch script scans running processes and checks their command lines for malicious keywords. It's crucial to remember this script is not foolproof; sophisticated attackers can use obfuscation techniques to bypass it.

@echo off
setlocal

:checkProcesses
tasklist /FI "STATUS eq running" /FO CSV | findstr /I /C:"nc.exe" /C:"powershell.exe -c" /C:"cmd.exe /c" /C:"curl.exe" > temp.txt

if not exist temp.txt (
  echo No suspicious processes found.
  goto :eof
)

for /f "skip=1 delims=, tokens=2" %%a in (temp.txt) do (
  set processName=%%a
  echo Checking process: !processName!
  wmic process where name="!processName!" get commandline /value > processCommand.txt

  findstr /I /C:"nc.exe -e" /C:"nc -lvp" /C:"powershell.exe IEX" /C:"cmd /c start" /C:"curl -d" processCommand.txt > null 2>&1
  if %errorlevel% == 0 (
    echo Suspicious activity detected in process: !processName!  Terminating process...
    taskkill /f /im "!processName!"
  )
)

del temp.txt
del processCommand.txt

echo Check complete.

endlocal

Explanation:

• @echo off: Prevents commands from being displayed.
• setlocal: Creates a local environment, preventing changes from affecting the global environment.
• tasklist: Lists running processes. The /FI and /FO switches filter for running processes and output in CSV format.
• findstr: Searches for keywords related to reverse shell commands (nc, powershell, curl etc.). This list should be regularly updated based on the latest attack vectors.
• wmic process: Retrieves command lines of identified processes.
• if %errorlevel% == 0: Checks if findstr found any matches. If it did (errorlevel is 0), it terminates the process.
• taskkill /f /im: Forcefully kills the specified process.
• del: Deletes temporary files.

Important Considerations:

• Keyword List: The keywords in findstr are crucial. Regularly update this list based on evolving attack techniques. Consider adding more sophisticated patterns to detect obfuscated commands.
• False Positives: This script might generate false positives. Legitimate processes might use commands that overlap with malicious ones. Careful monitoring and testing are essential.
• Bypass Techniques: Sophisticated attackers can employ techniques like process injection or obfuscation to bypass this script. This is just one layer of defense.
• Administrative Privileges: This script needs to run with administrative privileges to terminate processes.
• Regular Updates: Keep the script updated to adapt to emerging attack methods.

Additional Security Measures:

This script should be considered a supplementary security measure. Combining it with other security practices, such as:

• Regular Security Audits: Regularly scan your systems for vulnerabilities.
• Firewall Rules: Configure your firewall to block unauthorized inbound connections.
• Antivirus Software: Install and maintain updated antivirus software.
• Intrusion Detection Systems (IDS): Implement an IDS to monitor network traffic for suspicious activity.

This script provides a basic level of protection against simple reverse shell attempts. A layered security approach that incorporates multiple security controls is vital for comprehensive protection. Remember to test this script thoroughly in a controlled environment before deploying it to production systems. Always prioritize professional security assessments and penetration testing for robust protection against advanced threats.