rules/linux/command_and_control_linux_kworker_netcon.toml

[metadata]
creation_date = "2023/10/18"
integration = ["endpoint"]
maturity = "production"
min_stack_comments = "Multiple field support in the New Terms rule type was added in Elastic 8.6"
min_stack_version = "8.6.0"
updated_date = "2023/10/18"

[rule]
author = ["Elastic"]
description = """
This rule monitors for network connections from a kworker process. kworker, or kernel worker, processes are part of the
kernel's workqueue mechanism. They are responsible for executing work that has been scheduled to be done in kernel 
space, which might include tasks like handling interrupts, background activities, and other kernel-related tasks. 
Attackers may attempt to evade detection by masquerading as a kernel worker process.
"""
from = "now-60m"
index = ["logs-endpoint.events.*"]
language = "kuery"
license = "Elastic License v2"
name = "Network Activity Detected via Kworker"
risk_score = 21
rule_id = "25d917c4-aa3c-4111-974c-286c0312ff95"
severity = "low"
tags = [
        "Domain: Endpoint",
        "OS: Linux",
        "Use Case: Threat Detection",
        "Tactic: Command and Control",
        "Data Source: Elastic Defend"
        ]
timestamp_override = "event.ingested"
type = "new_terms"

query = '''
host.os.type:linux and event.category:network and event.action:(connection_attempted or connection_accepted) and 
process.name:kworker*
'''

[[rule.threat]]
framework = "MITRE ATT&CK"

  [rule.threat.tactic]
  id = "TA0011"
  name = "Command and Control"
  reference = "https://attack.mitre.org/tactics/TA0011/"

[[rule.threat]]
framework = "MITRE ATT&CK"

  [rule.threat.tactic]
  id = "TA0005"
  name = "Defense Evasion"
  reference = "https://attack.mitre.org/tactics/TA0005/"

  [[rule.threat.technique]]
  name = "Masquerading"
  id = "T1036"
  reference = "https://attack.mitre.org/techniques/T1036/"

  [[rule.threat.technique]]
  name = "Rootkit"
  id = "T1014"
  reference = "https://attack.mitre.org/techniques/T1014/"

[[rule.threat]]
framework = "MITRE ATT&CK"

  [rule.threat.tactic]
  id = "TA0010"
  name = "Exfiltration"
  reference = "https://attack.mitre.org/tactics/TA0010/"

  [[rule.threat.technique]]
  name = "Exfiltration Over C2 Channel"
  id = "T1041"
  reference = "https://attack.mitre.org/techniques/T1041/"

[rule.new_terms]
field = "new_terms_fields"
value = ["destination.ip", "process.name", "host.id"]

[[rule.new_terms.history_window_start]]
field = "history_window_start"
value = "now-14d"
[New Rule] Network Activity Detected via kworker (#3202 ) 2023-10-25 15:24:55 +02:00			`[metadata]`
			`creation_date = "2023/10/18"`
			`integration = ["endpoint"]`
			`maturity = "production"`
			`min_stack_comments = "Multiple field support in the New Terms rule type was added in Elastic 8.6"`
			`min_stack_version = "8.6.0"`
			`updated_date = "2023/10/18"`

			`[rule]`
			`author = ["Elastic"]`
			`description = """`
			`This rule monitors for network connections from a kworker process. kworker, or kernel worker, processes are part of the`
			`kernel's workqueue mechanism. They are responsible for executing work that has been scheduled to be done in kernel`
			`space, which might include tasks like handling interrupts, background activities, and other kernel-related tasks.`
			`Attackers may attempt to evade detection by masquerading as a kernel worker process.`
			`"""`
			`from = "now-60m"`
			`index = ["logs-endpoint.events.*"]`
			`language = "kuery"`
			`license = "Elastic License v2"`
			`name = "Network Activity Detected via Kworker"`
			`risk_score = 21`
			`rule_id = "25d917c4-aa3c-4111-974c-286c0312ff95"`
			`severity = "low"`
			`tags = [`
			`"Domain: Endpoint",`
			`"OS: Linux",`
			`"Use Case: Threat Detection",`
			`"Tactic: Command and Control",`
			`"Data Source: Elastic Defend"`
			`]`
			`timestamp_override = "event.ingested"`
			`type = "new_terms"`

			`query = '''`
			`host.os.type:linux and event.category:network and event.action:(connection_attempted or connection_accepted) and`
			`process.name:kworker*`
			`'''`

			`[[rule.threat]]`
			`framework = "MITRE ATT&CK"`

			`[rule.threat.tactic]`
			`id = "TA0011"`
			`name = "Command and Control"`
			`reference = "https://attack.mitre.org/tactics/TA0011/"`

			`[[rule.threat]]`
			`framework = "MITRE ATT&CK"`

			`[rule.threat.tactic]`
			`id = "TA0005"`
			`name = "Defense Evasion"`
			`reference = "https://attack.mitre.org/tactics/TA0005/"`

			`[[rule.threat.technique]]`
			`name = "Masquerading"`
			`id = "T1036"`
			`reference = "https://attack.mitre.org/techniques/T1036/"`

			`[[rule.threat.technique]]`
			`name = "Rootkit"`
			`id = "T1014"`
			`reference = "https://attack.mitre.org/techniques/T1014/"`

			`[[rule.threat]]`
			`framework = "MITRE ATT&CK"`

			`[rule.threat.tactic]`
			`id = "TA0010"`
			`name = "Exfiltration"`
			`reference = "https://attack.mitre.org/tactics/TA0010/"`

			`[[rule.threat.technique]]`
			`name = "Exfiltration Over C2 Channel"`
			`id = "T1041"`
			`reference = "https://attack.mitre.org/techniques/T1041/"`

			`[rule.new_terms]`
			`field = "new_terms_fields"`
			`value = ["destination.ip", "process.name", "host.id"]`

			`[[rule.new_terms.history_window_start]]`
			`field = "history_window_start"`
			`value = "now-14d"`