rules/linux/persistence_linux_shell_activity_via_web_server.toml

[metadata]
creation_date = "2023/03/04"
integration = ["endpoint"]
maturity = "production"
min_stack_comments = "New fields added: required_fields, related_integrations, setup"
min_stack_version = "8.3.0"
updated_date = "2023/04/03"

[rule]
author = ["Elastic"]
description = "Identifies suspicious commands executed via a web server, which may suggest a vulnerability and remote shell access."
false_positives = [
    """
    Network monitoring or management products may have a web server component that runs shell commands as part of normal
    behavior.
    """,
]
from = "now-9m"
index = ["logs-endpoint.events.*", "endgame-*"]
language = "eql"
license = "Elastic License v2"
name = "Potential Remote Code Execution via Web Server"
references = [
    "https://pentestlab.blog/tag/web-shell/",
    "https://www.elastic.co/security-labs/elastic-response-to-the-the-spring4shell-vulnerability-cve-2022-22965",
]
risk_score = 73
rule_id = "f16fca20-4d6c-43f9-aec1-20b6de3b0aeb"
severity = "high"
tags = ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Persistence", "Tactic: Initial Access", "Data Source: Elastic Endgame", "Use Case: Vulnerability"]
timestamp_override = "event.ingested"
type = "eql"

query = '''
process where host.os.type == "linux" and event.type == "start" and
event.action in ("exec", "exec_event") and process.parent.executable : (
  "/usr/sbin/nginx", "/usr/local/sbin/nginx",
  "/usr/sbin/apache", "/usr/local/sbin/apache",
  "/usr/sbin/apache2", "/usr/local/sbin/apache2",
  "/usr/sbin/php*", "/usr/local/sbin/php*",
  "/usr/sbin/lighttpd", "/usr/local/sbin/lighttpd",
  "/usr/sbin/hiawatha", "/usr/local/sbin/hiawatha",
  "/usr/local/bin/caddy", 
  "/usr/local/lsws/bin/lswsctrl",
  "*/bin/catalina.sh"
) and
process.name : ("*sh", "python*", "perl", "php*", "tmux") and
process.args : ("whoami", "id", "uname", "cat", "hostname", "ip", "curl", "wget", "pwd")
'''


[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1505"
name = "Server Software Component"
reference = "https://attack.mitre.org/techniques/T1505/"
[[rule.threat.technique.subtechnique]]
id = "T1505.003"
name = "Web Shell"
reference = "https://attack.mitre.org/techniques/T1505/003/"


[rule.threat.tactic]
id = "TA0003"
name = "Persistence"
reference = "https://attack.mitre.org/tactics/TA0003/"
[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1190"
name = "Exploit Public-Facing Application"
reference = "https://attack.mitre.org/techniques/T1190/"


[rule.threat.tactic]
id = "TA0001"
name = "Initial Access"
reference = "https://attack.mitre.org/tactics/TA0001/"
[Rule Tuning] Potential Shell via Web Server (#2585 ) 2023-05-05 09:47:49 +02:00			`[metadata]`
			`creation_date = "2023/03/04"`
			`integration = ["endpoint"]`
			`maturity = "production"`
			`min_stack_comments = "New fields added: required_fields, related_integrations, setup"`
			`min_stack_version = "8.3.0"`
			`updated_date = "2023/04/03"`

			`[rule]`
			`author = ["Elastic"]`
			`description = "Identifies suspicious commands executed via a web server, which may suggest a vulnerability and remote shell access."`
			`false_positives = [`
			`"""`
			`Network monitoring or management products may have a web server component that runs shell commands as part of normal`
			`behavior.`
			`""",`
			`]`
			`from = "now-9m"`
			`index = ["logs-endpoint.events.", "endgame-"]`
			`language = "eql"`
			`license = "Elastic License v2"`
			`name = "Potential Remote Code Execution via Web Server"`
			`references = [`
			`"https://pentestlab.blog/tag/web-shell/",`
			`"https://www.elastic.co/security-labs/elastic-response-to-the-the-spring4shell-vulnerability-cve-2022-22965",`
			`]`
			`risk_score = 73`
			`rule_id = "f16fca20-4d6c-43f9-aec1-20b6de3b0aeb"`
			`severity = "high"`
[Security Content] Tags Reform (#2725 ) 2023-06-22 18:38:56 -03:00			`tags = ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Persistence", "Tactic: Initial Access", "Data Source: Elastic Endgame", "Use Case: Vulnerability"]`
[Rule Tuning] Potential Shell via Web Server (#2585 ) 2023-05-05 09:47:49 +02:00			`timestamp_override = "event.ingested"`
			`type = "eql"`

			`query = '''`
			`process where host.os.type == "linux" and event.type == "start" and`
			`event.action in ("exec", "exec_event") and process.parent.executable : (`
			`"/usr/sbin/nginx", "/usr/local/sbin/nginx",`
			`"/usr/sbin/apache", "/usr/local/sbin/apache",`
			`"/usr/sbin/apache2", "/usr/local/sbin/apache2",`
			`"/usr/sbin/php", "/usr/local/sbin/php",`
			`"/usr/sbin/lighttpd", "/usr/local/sbin/lighttpd",`
			`"/usr/sbin/hiawatha", "/usr/local/sbin/hiawatha",`
			`"/usr/local/bin/caddy",`
			`"/usr/local/lsws/bin/lswsctrl",`
			`"*/bin/catalina.sh"`
			`) and`
			`process.name : ("sh", "python", "perl", "php*", "tmux") and`
			`process.args : ("whoami", "id", "uname", "cat", "hostname", "ip", "curl", "wget", "pwd")`
			`'''`


			`[[rule.threat]]`
			`framework = "MITRE ATT&CK"`
			`[[rule.threat.technique]]`
			`id = "T1505"`
			`name = "Server Software Component"`
			`reference = "https://attack.mitre.org/techniques/T1505/"`
			`[[rule.threat.technique.subtechnique]]`
			`id = "T1505.003"`
			`name = "Web Shell"`
			`reference = "https://attack.mitre.org/techniques/T1505/003/"`



			`[rule.threat.tactic]`
			`id = "TA0003"`
			`name = "Persistence"`
			`reference = "https://attack.mitre.org/tactics/TA0003/"`
			`[[rule.threat]]`
			`framework = "MITRE ATT&CK"`
			`[[rule.threat.technique]]`
			`id = "T1190"`
			`name = "Exploit Public-Facing Application"`
			`reference = "https://attack.mitre.org/techniques/T1190/"`


			`[rule.threat.tactic]`
			`id = "TA0001"`
			`name = "Initial Access"`
			`reference = "https://attack.mitre.org/tactics/TA0001/"`