Living-off-the-land (LOTL) techniques, which exploit legitimate system utilities to execute malicious commands, pose significant challenges to cyber-threat detection by blending with benign behavior. Current state-of-the-art machine learning (ML) detection methods suffer from two critical limitations: (1) a need for large-scale datasets that capture LOTL behaviors, essential for detection at low false-positive rates (FPR) and high true-positive rates (TPR), and (2) a lack of adversarial manipulation evaluations, despite the inherent presence of adaptive attackers in cybersecurity contexts. To address these challenges, we introduce a novel, cyber-security focused data synthesis (DS) framework that augments malicious LOTL samples by combining threat intelligence with legitimate baselines from enterprise networks. We evaluate our framework in a large-scale production environment, focusing on the detection of Linux LOTL reverse shells. The resulting dataset and models, collectively referred to as QuasarNix, enable ML detectors that detect roughly 60% of malicious reverse shells at an industry-grade FPR = 10^-6, whereas non-augmented baselines remain effectively blind at this operating point. We demonstrate that unprotected ML models remain vulnerable to black-box evasion attacks. To counteract these risks, we incorporate adversarial training into our DS framework, enhancing the robustness of our LOTL detection models. Through an explainability analysis, we confirm that QuasarNix provides detection engineers with evidence-based attribution, aligning with cybersecurity domain expertise. To foster reproducibility, we publicly release our framework implementation, synthesized dataset, and pre-trained models.
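The abstract reports TPR at a fixed operating point of FPR = 10^-6 and notes that large benign baselines are essential for measuring detection there. The following is an added example, not code from the QuasarNix paper or its released implementation, showing how a detection engineer picks a score threshold from benign scores so that the measured FPR stays at or below the target, and why at least 1/FPR benign samples are needed before the operating point can be resolved at all. It assumes a detector that emits one score per command line (higher means more reverse-shell-like); every score here is constructed with a seeded random generator rather than produced by a real model.

```python
"""Threshold selection at a fixed false-positive rate (FPR).

Added example, not code from the QuasarNix paper. Assumes a detector that
emits one score per command line (higher = more likely a reverse shell);
all scores below are constructed, not model output.
"""
import numpy as np


def threshold_at_fpr(benign_scores, target_fpr):
    """Return the smallest threshold at which at most target_fpr of the
    benign samples score >= threshold.

    Resolving FPR = 1e-6 needs at least one million benign samples: with
    fewer, not a single benign sample may be misclassified, so the
    operating point cannot be measured and we refuse rather than guess.
    """
    s = np.sort(np.asarray(benign_scores, dtype=float))[::-1]  # descending
    # Number of benign samples that may sit at or above the threshold.
    allowed = int(np.floor(target_fpr * len(s) + 1e-9))
    if allowed == 0:
        raise ValueError(
            f"need at least {int(np.ceil(1 / target_fpr))} benign samples "
            f"to resolve FPR={target_fpr}, got {len(s)}")
    if allowed >= len(s):
        return float(s[-1])  # every benign sample may be flagged
    # The (allowed+1)-th largest benign score must fall strictly below the
    # threshold, so step one float above it.
    return float(np.nextafter(s[allowed], np.inf))


def fpr_at(benign_scores, threshold):
    """Fraction of benign samples flagged at this threshold."""
    return float(np.mean(np.asarray(benign_scores, dtype=float) >= threshold))


def tpr_at(malicious_scores, threshold):
    """Fraction of malicious samples detected at this threshold."""
    return float(np.mean(np.asarray(malicious_scores, dtype=float) >= threshold))


def evaluate(benign_scores, malicious_scores, target_fpr):
    """Choose the threshold from benign data, then report the operating point."""
    thr = threshold_at_fpr(benign_scores, target_fpr)
    return {"threshold": thr,
            "fpr": fpr_at(benign_scores, thr),
            "tpr": tpr_at(malicious_scores, thr)}


if __name__ == "__main__":
    rng = np.random.default_rng(0)
    # Constructed benign baseline: one million scores, enough for FPR = 1e-6.
    benign = rng.beta(2, 8, size=1_000_000)
    # Two constructed detectors: one whose malicious scores barely separate
    # from the benign baseline, one with much stronger separation.
    detectors = {"weak": rng.beta(3, 6, size=10_000),
                 "strong": rng.beta(9, 2, size=10_000)}
    for name, malicious in detectors.items():
        r = evaluate(benign, malicious, 1e-6)
        print(f"{name}: threshold={r['threshold']:.4f} "
              f"fpr={r['fpr']:.1e} tpr={r['tpr']:.3f}")
    # With too few benign samples the operating point is not measurable.
    try:
        threshold_at_fpr(benign[:1000], 1e-6)
    except ValueError as e:
        print("rejected:", e)
```

The threshold is derived only from benign scores, so the TPR reported afterwards is an honest estimate at that operating point; the `ValueError` path is the practical reason the abstract insists on large-scale baselines before quoting a TPR at FPR = 10^-6.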
Dmitrijs Trizna
Luca Demetrio
Battista Biggio
ACM Transactions on Privacy and Security
University of Genoa
University of Cagliari
American International School in Egypt
www.synapsesocial.com/papers/69d895a86c1944d70ce06b1e — DOI: https://doi.org/10.1145/3807450