rules/linux/discovery_suspicious_which_command_execution.toml

[metadata]
creation_date = "2023/08/30"
integration = ["endpoint"]
maturity = "production"
min_stack_comments = "New fields added: required_fields, related_integrations, setup"
min_stack_version = "8.3.0"
updated_date = "2024/03/08"

[rule]
author = ["Elastic"]
description = """
This rule monitors for the usage of the which command with an unusual amount of process arguments. Attackers may leverage
the which command to enumerate the system for useful installed utilities that may be used after compromising a system to
escalate privileges or move latteraly across the network. 
"""
from = "now-9m"
index = ["logs-endpoint.events.*", "endgame-*"]
language = "eql"
license = "Elastic License v2"
name = "Suspicious which Enumeration"
risk_score = 21
rule_id = "5b18eef4-842c-4b47-970f-f08d24004bde"
severity = "low"
tags = [
        "Domain: Endpoint",
        "OS: Linux",
        "Use Case: Threat Detection",
        "Tactic: Discovery",
        "Data Source: Elastic Defend",
        "Data Source: Elastic Endgame"
        ]
timestamp_override = "event.ingested"
type = "eql"
query = '''
process where host.os.type == "linux" and event.type == "start" and event.action in ("exec", "exec_event") and 
process.name == "which" and process.args_count >= 10 and not process.parent.name == "jem" and 
not process.args == "--tty-only"

/* potential tuning if rule would turn out to be noisy
and process.args in ("nmap", "nc", "ncat", "netcat", nc.traditional", "gcc", "g++", "socat") and 
process.parent.name in ("bash", "dash", "ash", "sh", "tcsh", "csh", "zsh", "ksh", "fish")
*/ 
'''

[[rule.threat]]
framework = "MITRE ATT&CK"

[[rule.threat.technique]]
id = "T1082"
name = "System Information Discovery"
reference = "https://attack.mitre.org/techniques/T1082/"

[rule.threat.tactic]
id = "TA0007"
name = "Discovery"
reference = "https://attack.mitre.org/tactics/TA0007/"
[New BBR] Suspicious which Enumeration (#3059 ) 2023-08-31 13:55:56 +02:00			`[metadata]`
			`creation_date = "2023/08/30"`
			`integration = ["endpoint"]`
			`maturity = "production"`
Revert "Back-porting Version Trimming (#3681 )" 2024-05-22 13:51:46 -05:00			`min_stack_comments = "New fields added: required_fields, related_integrations, setup"`
			`min_stack_version = "8.3.0"`
			`updated_date = "2024/03/08"`
[New BBR] Suspicious which Enumeration (#3059 ) 2023-08-31 13:55:56 +02:00
			`[rule]`
			`author = ["Elastic"]`
			`description = """`
Revert "Back-porting Version Trimming (#3681 )" 2024-05-22 13:51:46 -05:00			`This rule monitors for the usage of the which command with an unusual amount of process arguments. Attackers may leverage`
			`the which command to enumerate the system for useful installed utilities that may be used after compromising a system to`
			`escalate privileges or move latteraly across the network.`
[New BBR] Suspicious which Enumeration (#3059 ) 2023-08-31 13:55:56 +02:00			`"""`
[BBR Promotion] Linux BBR --> DR Promotion (#3472 ) 2024-03-06 14:49:42 +01:00			`from = "now-9m"`
			`index = ["logs-endpoint.events.", "endgame-"]`
[New BBR] Suspicious which Enumeration (#3059 ) 2023-08-31 13:55:56 +02:00			`language = "eql"`
			`license = "Elastic License v2"`
			`name = "Suspicious which Enumeration"`
			`risk_score = 21`
			`rule_id = "5b18eef4-842c-4b47-970f-f08d24004bde"`
			`severity = "low"`
[Tuning & New Rule] Linux Reverse Shell & DR Tuning (#3254 ) 2023-12-18 09:36:21 +01:00			`tags = [`
Revert "Back-porting Version Trimming (#3681 )" 2024-05-22 13:51:46 -05:00			`"Domain: Endpoint",`
			`"OS: Linux",`
			`"Use Case: Threat Detection",`
			`"Tactic: Discovery",`
			`"Data Source: Elastic Defend",`
			`"Data Source: Elastic Endgame"`
			`]`
[New BBR] Suspicious which Enumeration (#3059 ) 2023-08-31 13:55:56 +02:00			`timestamp_override = "event.ingested"`
			`type = "eql"`
			`query = '''`
[Tuning] event.action and event.type change (#3495 ) 2024-03-13 10:11:21 +01:00			`process where host.os.type == "linux" and event.type == "start" and event.action in ("exec", "exec_event") and`
[BBR Promotion] Linux BBR --> DR Promotion (#3472 ) 2024-03-06 14:49:42 +01:00			`process.name == "which" and process.args_count >= 10 and not process.parent.name == "jem" and`
			`not process.args == "--tty-only"`
[New BBR] Suspicious which Enumeration (#3059 ) 2023-08-31 13:55:56 +02:00
			`/* potential tuning if rule would turn out to be noisy`
			`and process.args in ("nmap", "nc", "ncat", "netcat", nc.traditional", "gcc", "g++", "socat") and`
			`process.parent.name in ("bash", "dash", "ash", "sh", "tcsh", "csh", "zsh", "ksh", "fish")`
Revert "Back-porting Version Trimming (#3681 )" 2024-05-22 13:51:46 -05:00			`*/`
[New BBR] Suspicious which Enumeration (#3059 ) 2023-08-31 13:55:56 +02:00			`'''`

			`[[rule.threat]]`
			`framework = "MITRE ATT&CK"`
Revert "Back-porting Version Trimming (#3681 )" 2024-05-22 13:51:46 -05:00
[New BBR] Suspicious which Enumeration (#3059 ) 2023-08-31 13:55:56 +02:00			`[[rule.threat.technique]]`
			`id = "T1082"`
			`name = "System Information Discovery"`
			`reference = "https://attack.mitre.org/techniques/T1082/"`

			`[rule.threat.tactic]`
			`id = "TA0007"`
			`name = "Discovery"`
			`reference = "https://attack.mitre.org/tactics/TA0007/"`