[Rule Tuning] Linux DR Tuning - 2 (#5481)

* [Rule Tuning] Linux DR Tuning - 2

* Update command_and_control_linux_proxychains_activity.toml
Ruben Groenewoud
2026-01-06 17:00:55 +01:00
committed by GitHub
parent 019c263ed2
commit 066096f766
9 changed files with 70 additions and 65 deletions
@@ -2,7 +2,7 @@
creation_date = "2024/11/04"
integration = ["endpoint", "sentinel_one_cloud_funnel", "crowdstrike"]
maturity = "production"
updated_date = "2025/10/17"
updated_date = "2025/12/17"
[rule]
author = ["Elastic"]
@@ -67,7 +67,6 @@ tags = [
]
timestamp_override = "event.ingested"
type = "eql"
query = '''
process where host.os.type == "linux" and event.type == "start" and event.action in ("exec", "start", "exec_event", "ProcessRollup2") and
?process.parent.executable != null and process.command_line like (
@@ -80,20 +79,25 @@ process where host.os.type == "linux" and event.type == "start" and event.action
process.command_line like "*echo *"
)
) and
not process.parent.name like~ ("privsep-helper", "platform-python*", "init.ipv6-global", "wsl-bootstrap")
not (
process.parent.name like~ ("privsep-helper", "platform-python*", "init.ipv6-global", "wsl-bootstrap") or
?process.parent.executable == "/usr/sbin/sshd" or
?process.parent.args in (
"/usr/lib/pritunl/usr/bin/pritunl", "/usr/bin/dockerd-rootless.sh", "/etc/rc.d/init.d/network", "/etc/rc0.d/K90network"
) or
?process.parent.args like "/etc/untangle/post-network-hook.d/*"
)
'''
[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1572"
name = "Protocol Tunneling"
reference = "https://attack.mitre.org/techniques/T1572/"
[rule.threat.tactic]
id = "TA0011"
name = "Command and Control"
reference = "https://attack.mitre.org/tactics/TA0011/"
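Review bot: The new `?process.parent.executable == "/usr/sbin/sshd"` entry in the `not (` group is broader than its neighbours: a shell that sshd spawns to run a non-interactive remote command has sshd as its parent, so as far as I can tell any command line this rule is built to catch would be suppressed whenever it arrives over an SSH session rather than from a local parent. If the aim is to silence one specific sshd-spawned helper, pairing the parent check with the child's `process.name` or `process.args` — as the `?process.parent.args in (...)` entry already does for its cases — would keep the exclusion limited to that helper. The query starts before this hunk, so I cannot see which command-line patterns remain in scope after the exclusion.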
@@ -2,7 +2,7 @@
creation_date = "2023/08/23"
integration = ["endpoint"]
maturity = "production"
updated_date = "2025/02/04"
updated_date = "2025/12/17"
[transform]
[[transform.osquery]]
@@ -29,7 +29,6 @@ query = "SELECT pid, username, name FROM processes p JOIN users u ON u.uid = p.u
label = "Osquery - Retrieve Process Info"
query = "SELECT name, cmdline, parent, path, uid FROM processes"
[rule]
author = ["Elastic"]
description = """
@@ -146,18 +145,19 @@ tags = [
"Resources: Investigation Guide",
]
type = "eql"
query = '''
sequence by host.id, process.entity_id with maxspan=3s
[process where host.os.type == "linux" and event.type == "start" and event.action == "exec" and
process.args == "client" and process.args : ("R*", "*:*", "*socks*", "*.*") and process.args_count >= 4 and
process.args == "client" and process.args : ("R*", "*:*", "*socks*") and process.args_count >= 4 and
process.parent.name in ("bash", "dash", "ash", "sh", "tcsh", "csh", "zsh", "ksh", "fish") and
not process.name in ("velociraptor", "nbemmcmd", "redis-cli", "ipa")]
[network where host.os.type == "linux" and event.action == "connection_attempted" and event.type == "start" and
destination.ip != null and destination.ip != "127.0.0.1" and destination.ip != "::1" and
not process.name : (
"python*", "php*", "perl", "ruby", "lua*", "openssl", "nc", "netcat", "ncat", "telnet", "awk", "java", "telnet",
"ftp", "socat", "curl", "wget", "dpkg", "docker", "dockerd", "yum", "apt", "rpm", "dnf", "ssh", "sshd")]
"ftp", "socat", "curl", "wget", "dpkg", "docker", "dockerd", "yum", "apt", "rpm", "dnf", "ssh", "sshd", "kubectl*",
"clickhouse"
)]
'''
[[rule.threat]]
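Review bot: The network-stage exclusion list that this hunk extends with `"kubectl*"` and `"clickhouse"` still carries `"telnet"` twice (`"ncat", "telnet", "awk", "java", "telnet"`); since the list is being rewritten anyway, dropping the second entry would keep it tidy. The same duplicate sits in the proxychains argument list further down in this commit (`"lua*", "openssl", "nc", "netcat", "ncat", "telnet", "awk", "java", "telnet", ...`). Both are harmless to the query result, so this is style only.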
@@ -2,7 +2,7 @@
creation_date = "2023/08/23"
integration = ["endpoint"]
maturity = "production"
updated_date = "2025/02/04"
updated_date = "2025/12/17"
[transform]
[[transform.osquery]]
@@ -29,7 +29,6 @@ query = "SELECT pid, username, name FROM processes p JOIN users u ON u.uid = p.u
label = "Osquery - Retrieve Process Info"
query = "SELECT name, cmdline, parent, path, uid FROM processes"
[rule]
author = ["Elastic"]
description = """
@@ -43,10 +42,10 @@ from = "now-9m"
index = ["logs-endpoint.events.network*", "logs-endpoint.events.process*"]
language = "eql"
license = "Elastic License v2"
name = "Potential Protocol Tunneling via Chisel Server"
name = "Deprecated - Potential Protocol Tunneling via Chisel Server"
note = """## Triage and analysis
### Investigating Potential Protocol Tunneling via Chisel Server
### Investigating Deprecated - Potential Protocol Tunneling via Chisel Server
Attackers can leverage `chisel` to clandestinely tunnel network communications and evade security measures, potentially gaining unauthorized access to sensitive systems.
@@ -146,7 +145,6 @@ tags = [
"Resources: Investigation Guide",
]
type = "eql"
query = '''
sequence by host.id, process.entity_id with maxspan=1m
[process where host.os.type == "linux" and event.type == "start" and event.action == "exec" and
@@ -159,17 +157,15 @@ sequence by host.id, process.entity_id with maxspan=1m
"ftp", "socat", "curl", "wget", "dpkg", "docker", "dockerd", "yum", "apt", "rpm", "dnf", "ssh", "sshd", "hugo")]
'''
[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1572"
name = "Protocol Tunneling"
reference = "https://attack.mitre.org/techniques/T1572/"
[rule.threat.tactic]
id = "TA0011"
name = "Command and Control"
reference = "https://attack.mitre.org/tactics/TA0011/"
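Review bot: The deprecation in this section is carried only by the rule name (`name = "Deprecated - Potential Protocol Tunneling via Chisel Server"`) and the matching note heading, while `maturity = "production"` in the `[metadata]` hunk at the top of the section is left unchanged and no `deprecation_date` is added. As I understand the repository's convention, deprecated rules are marked in the metadata as well, so as it stands the rule reads as a production rule with a renamed title. If a follow-up commit completes the deprecation, a sentence in the commit description saying so would avoid the question; the `[[rule.threat]]` block and the unchanged query are not affected either way.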
@@ -2,7 +2,7 @@
creation_date = "2023/08/23"
integration = ["endpoint", "auditd_manager", "crowdstrike", "sentinel_one_cloud_funnel"]
maturity = "production"
updated_date = "2025/03/20"
updated_date = "2025/12/17"
[transform]
[[transform.osquery]]
@@ -29,7 +29,6 @@ query = "SELECT pid, username, name FROM processes p JOIN users u ON u.uid = p.u
label = "Osquery - Retrieve Process Info"
query = "SELECT name, cmdline, parent, path, uid FROM processes"
[rule]
author = ["Elastic"]
description = """
@@ -114,9 +113,9 @@ This rule looks for processes spawned through `proxychains` by analyzing `proxyc
- Leverage the incident response data and logging to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).
"""
references = ["https://blog.bitsadmin.com/living-off-the-foreign-land-windows-as-offensive-platform"]
risk_score = 21
risk_score = 47
rule_id = "4b868f1f-15ff-4ba3-8c11-d5a7a6356d37"
severity = "low"
severity = "medium"
tags = [
"Domain: Endpoint",
"OS: Linux",
@@ -131,23 +130,21 @@ tags = [
]
timestamp_override = "event.ingested"
type = "eql"
query = '''
process where host.os.type == "linux" and event.type == "start" and event.action in ("exec", "exec_event", "start", "ProcessRollup2", "executed", "process_started")
and process.name == "proxychains"
process where host.os.type == "linux" and event.type == "start" and
event.action in ("exec", "exec_event", "start", "ProcessRollup2", "executed", "process_started") and
process.name == "proxychains"
'''
[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1572"
name = "Protocol Tunneling"
reference = "https://attack.mitre.org/techniques/T1572/"
[rule.threat.tactic]
id = "TA0011"
name = "Command and Control"
reference = "https://attack.mitre.org/tactics/TA0011/"
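Review bot: `risk_score = 47` and `severity = "medium"` replace the previous 21/low, but the query in the last hunk of this section is only re-wrapped (`process.name == "proxychains"` with the same `event.action` list), so the rule's precision is unchanged and every existing match is promoted to medium. If the bump rests on a false-positive review or on the tuning of neighbouring rules in this commit, a line in the commit description or the rule `note` recording that would help whoever next looks at the alert volume. The proxychains tools rule that follows in this commit (`risk_score = 47`, `severity = "medium"`, same re-wrap of the `process.name == "proxychains" and process.args : (` query) has the same shape.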
@@ -2,7 +2,7 @@
creation_date = "2023/08/23"
integration = ["endpoint", "auditd_manager", "crowdstrike", "sentinel_one_cloud_funnel"]
maturity = "production"
updated_date = "2025/03/20"
updated_date = "2025/12/17"
[transform]
[[transform.osquery]]
@@ -29,7 +29,6 @@ query = "SELECT pid, username, name FROM processes p JOIN users u ON u.uid = p.u
label = "Osquery - Retrieve Process Info"
query = "SELECT name, cmdline, parent, path, uid FROM processes"
[rule]
author = ["Elastic"]
description = """
@@ -115,7 +114,7 @@ This rule looks for a list of suspicious processes spawned through `proxychains`
- Leverage the incident response data and logging to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).
"""
references = ["https://blog.bitsadmin.com/living-off-the-foreign-land-windows-as-offensive-platform"]
risk_score = 21
risk_score = 47
rule_id = "6ace94ba-f02c-4d55-9f53-87d99b6f9af4"
setup = """## Setup
@@ -142,7 +141,7 @@ For more details on Elastic Agent configuration settings, refer to the [helper g
- To complete the integration, select "Add Elastic Agent to your hosts" and continue to the next section to install the Elastic Agent on your hosts.
For more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).
"""
severity = "low"
severity = "medium"
tags = [
"Domain: Endpoint",
"OS: Linux",
@@ -157,27 +156,25 @@ tags = [
]
timestamp_override = "event.ingested"
type = "eql"
query = '''
process where host.os.type == "linux" and event.type == "start" and event.action in ("exec", "exec_event", "start", "ProcessRollup2", "executed", "process_started")
and process.name == "proxychains" and process.args : (
process where host.os.type == "linux" and event.type == "start" and
event.action in ("exec", "exec_event", "start", "ProcessRollup2", "executed", "process_started") and
process.name == "proxychains" and process.args : (
"ssh", "sshd", "sshuttle", "socat", "iodine", "iodined", "dnscat", "hans", "hans-ubuntu", "ptunnel-ng",
"ssf", "3proxy", "ngrok", "gost", "pivotnacci", "chisel*", "nmap", "ping", "python*", "php*", "perl", "ruby",
"lua*", "openssl", "nc", "netcat", "ncat", "telnet", "awk", "java", "telnet", "ftp", "curl", "wget"
)
'''
[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1572"
name = "Protocol Tunneling"
reference = "https://attack.mitre.org/techniques/T1572/"
[rule.threat.tactic]
id = "TA0011"
name = "Command and Control"
reference = "https://attack.mitre.org/tactics/TA0011/"
@@ -2,7 +2,7 @@
creation_date = "2023/08/23"
integration = ["endpoint", "crowdstrike", "sentinel_one_cloud_funnel", "auditd_manager"]
maturity = "production"
updated_date = "2025/12/12"
updated_date = "2025/12/17"
[transform]
[[transform.osquery]]
@@ -29,7 +29,6 @@ query = "SELECT pid, username, name FROM processes p JOIN users u ON u.uid = p.u
label = "Osquery - Retrieve Process Info"
query = "SELECT name, cmdline, parent, path, uid FROM processes"
[rule]
author = ["Elastic"]
description = """
@@ -160,7 +159,6 @@ tags = [
]
timestamp_override = "event.ingested"
type = "eql"
query = '''
process where host.os.type == "linux" and event.type == "start" and event.action in ("exec", "exec_event", "start", "ProcessRollup2", "executed", "process_started") and (
(
@@ -168,7 +166,7 @@ process where host.os.type == "linux" and event.type == "start" and event.action
(process.name == "gost" and process.args : ("-L*", "-C*", "-R*")) or (process.name == "pivotnacci")) or (
// ssh
(process.name == "ssh" and (process.args in ("-R", "-L", "-D", "-w") and process.args_count >= 4 and
not process.args : "chmod")) or
not (process.args == "chmod" or process.command_line like "*rungencmd*"))) or
// sshuttle
(process.name == "sshuttle" and process.args in ("-r", "--remote", "-l", "--listen") and process.args_count >= 4) or
// socat
@@ -181,17 +179,15 @@ process where host.os.type == "linux" and event.type == "start" and event.action
)
'''
[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1572"
name = "Protocol Tunneling"
reference = "https://attack.mitre.org/techniques/T1572/"
[rule.threat.tactic]
id = "TA0011"
name = "Command and Control"
reference = "https://attack.mitre.org/tactics/TA0011/"
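Review bot: The new `process.command_line like "*rungencmd*"` exclusion in the ssh branch matches the token anywhere in the full command line, a field whose content comes from whoever launched the process, so it excuses any `ssh -R/-L/-D/-w` invocation that happens to carry that string rather than the specific tool that produces it; tying the exclusion to that tool's parent (`process.parent.name` or `process.parent.args`) or to the argument position where it legitimately appears would keep the ssh branch intact for everything else. The same line also turns `not process.args : "chmod"` into `process.args == "chmod"`, which changes a case-insensitive wildcard match into a case-sensitive exact one — worth confirming that is intended. The `*ansible*` exclusions added to the ssh `-o` rule later in this commit (`process.command_line like "*ansible*"`) share the first point. The query starts before and ends after this hunk.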
@@ -2,7 +2,7 @@
creation_date = "2025/04/25"
integration = ["endpoint", "crowdstrike", "sentinel_one_cloud_funnel"]
maturity = "production"
updated_date = "2025/07/07"
updated_date = "2025/12/17"
[rule]
author = ["Elastic"]
@@ -107,9 +107,14 @@ process.name in ("ssh", "sshd") and process.args == "-o" and
process.command_line like~ (
"*ProxyCommand*", "*LocalForward*", "*RemoteForward*", "*DynamicForward*", "*Tunnel*", "*GatewayPorts*",
"*ExitOnForwardFailure*", "*ProxyCommand*", "*ProxyJump*"
) and
not (
?process.parent.args == "/usr/bin/pvedaemon" or
?process.parent.command_line in ("pvedaemon", "pve-ha-lrm") or
?process.working_directory like "*ansible*" or
process.command_line like "*ansible*"
)
'''
[[rule.threat]]
framework = "MITRE ATT&CK"
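Review bot: The pattern list the new `not (` block hangs off lists `"*ProxyCommand*"` twice (once at the start of the list and again before `"*ProxyJump*"`); those lines are context here, but since the query is being edited the duplicate could go in the same change. Among the new exclusions, `?process.parent.command_line in ("pvedaemon", "pve-ha-lrm")` is an exact match on the parent's whole command line, which presumably relies on those daemons setting their process title to exactly that string — worth a check against a real Proxmox host, since an exact match that never equals the observed value silently leaves the alerts in place. The query starts before this hunk.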
@@ -1,8 +1,8 @@
[metadata]
creation_date = "2025/04/29"
integration = ["endpoint", "crowdstrike"]
integration = ["endpoint", "crowdstrike", "sentinel_one_cloud_funnel", "auditd_manager"]
maturity = "production"
updated_date = "2025/10/17"
updated_date = "2025/12/17"
[rule]
author = ["Elastic"]
@@ -11,7 +11,14 @@ This rule detects when a process executes the curl or wget command with an argum
api.telegram.org domain. This may indicate command and control behavior.
"""
from = "now-9m"
index = ["logs-endpoint.events.process*", "logs-crowdstrike.fdr*"]
index = [
"endgame-*",
"logs-crowdstrike.fdr*",
"logs-endpoint.events.process*",
"logs-sentinel_one_cloud_funnel.*",
"auditbeat-*",
"logs-auditd_manager.auditd-*",
]
language = "eql"
license = "Elastic License v2"
name = "Linux Telegram API Request"
@@ -49,7 +56,7 @@ Telegram's API allows applications to interact with its messaging platform, ofte
- Update and patch the affected system to the latest security standards to mitigate vulnerabilities that could be exploited in similar attacks.
- Escalate the incident to the security operations center (SOC) or incident response team for further investigation and to determine if additional systems are affected.
"""
risk_score = 21
risk_score = 47
rule_id = "af1e36fe-0abd-4463-b5ec-4e276dec0b26"
setup = """## Setup
@@ -89,20 +96,24 @@ In order to capture this behavior, this rule requires a specific configuration o
After saving the integration change, the Elastic Agents running this policy will be updated and the rule will function properly.
For more information on capturing environment variables refer to the [helper guide](https://www.elastic.co/guide/en/security/current/environment-variable-capture.html).
"""
severity = "low"
severity = "medium"
tags = [
"Domain: Endpoint",
"OS: Linux",
"Use Case: Threat Detection",
"Tactic: Command and Control",
"Data Source: Elastic Defend",
"Resources: Investigation Guide",
"Data Source: Elastic Endgame",
"Data Source: Crowdstrike",
"Data Source: SentinelOne",
"Data Source: Auditd Manager",
"Resources: Investigation Guide",
]
timestamp_override = "event.ingested"
type = "eql"
query = '''
process where host.os.type == "linux" and event.type == "start" and event.action in ("exec", "ProcessRollup2") and
process where host.os.type == "linux" and event.type == "start" and
event.action in ("exec", "start", "exec_event", "ProcessRollup2", "executed", "exec_event", "process_started") and
process.name in ("curl", "wget") and process.command_line like "*api.telegram.org*"
'''
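Review bot: The rewritten `event.action in (...)` line lists `"exec_event"` twice (`"exec", "start", "exec_event", "ProcessRollup2", "executed", "exec_event", "process_started"`); the repeat is harmless to the match but should be dropped, and the identical list added to the EarthWorm rule at the end of this commit has the same duplicate. The expanded `index` array is not sorted (`"endgame-*"` first, `"auditbeat-*"` near the end), whereas the EarthWorm rule's array in this same commit keeps alphabetical order (`"auditbeat-*"`, `"endgame-*"`, `"logs-auditd_manager.auditd-*"`, ...); matching that order would keep the two files consistent.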
@@ -1,8 +1,8 @@
[metadata]
creation_date = "2021/04/12"
integration = ["endpoint", "crowdstrike", "sentinel_one_cloud_funnel"]
integration = ["endpoint", "crowdstrike", "sentinel_one_cloud_funnel", "auditd_manager"]
maturity = "production"
updated_date = "2025/03/20"
updated_date = "2025/12/17"
[transform]
[[transform.osquery]]
@@ -29,7 +29,6 @@ query = "SELECT pid, username, name FROM processes p JOIN users u ON u.uid = p.u
label = "Osquery - Retrieve Process Info"
query = "SELECT name, cmdline, parent, path, uid FROM processes"
[rule]
author = ["Elastic"]
description = """
@@ -41,6 +40,7 @@ from = "now-9m"
index = [
"auditbeat-*",
"endgame-*",
"logs-auditd_manager.auditd-*",
"logs-crowdstrike.fdr*",
"logs-endpoint.events.process*",
"logs-sentinel_one_cloud_funnel.*",
@@ -113,7 +113,7 @@ references = [
"http://rootkiter.com/EarthWorm/",
"https://decoded.avast.io/luigicamastra/apt-group-targeting-governmental-agencies-in-east-asia/",
]
risk_score = 47
risk_score = 73
rule_id = "9f1c4ca3-44b5-481d-ba42-32dc215a2769"
setup = """## Setup
@@ -153,7 +153,7 @@ Auditbeat is a lightweight shipper that you can install on your servers to audit
#### Custom Ingest Pipeline
For versions <8.2, you need to add a custom ingest pipeline to populate `event.ingested` with @timestamp for non-elastic-agent indexes, like auditbeats/filebeat/winlogbeat etc. For more details to add a custom ingest pipeline refer to the [guide](https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html).
"""
severity = "medium"
severity = "high"
tags = [
"Domain: Endpoint",
"OS: Linux",
@@ -163,27 +163,26 @@ tags = [
"Data Source: Elastic Defend",
"Data Source: Crowdstrike",
"Data Source: SentinelOne",
"Data Source: Auditd Manager",
"Resources: Investigation Guide",
]
timestamp_override = "event.ingested"
type = "eql"
query = '''
process where host.os.type == "linux" and event.type == "start" and
process.args : "-s" and process.args : "-d" and process.args : "rssocks"
event.action in ("exec", "start", "exec_event", "ProcessRollup2", "executed", "exec_event", "process_started") and
process.args : "-s" and process.args : "-d" and process.args : "rssocks"
'''
[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1572"
name = "Protocol Tunneling"
reference = "https://attack.mitre.org/techniques/T1572/"
[rule.threat.tactic]
id = "TA0011"
name = "Command and Control"
reference = "https://attack.mitre.org/tactics/TA0011/"