[Rule Tuning] Potential Shell via Web Server (#2585)
* tuned web shell logic, and converted to EQL * Removed old, created new rule to bypass "type" bug * Revert "Removed old, created new rule to bypass "type" bug" This reverts commit e994b62ecb838f73fa56d145e529169ebd2f5133. * Revert "tuned web shell logic, and converted to EQL" This reverts commit 28bda94b846cbb4ae1a084e707db2b6df458a7ca. * Deprecated old rule, added new * formatting fix * removed endgame index * Fixed changes captured as edited, not created * Update rules/linux/persistence_shell_activity_through_web_server.toml Co-authored-by: Isai <59296946+imays11@users.noreply.github.com> * fix conflict * added host.os.type==linux for unit testing * removed wildcards in process.args * Update rules/linux/persistence_shell_activity_via_web_server.toml Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com> * fixed conflict by changing file name and changes * Trying to resolve the GH conflict * attempt to fix GH conflict #2 * Update persistence_shell_activity_by_web_server.toml * Added endgame support * Added OSQuery to investigation guide * Update rules/linux/persistence_linux_shell_activity_via_web_server.toml Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com> * Update rules/linux/persistence_linux_shell_activity_via_web_server.toml Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com> * removed investigation guide to add in future PR --------- Co-authored-by: Isai <59296946+imays11@users.noreply.github.com> Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>
This commit is contained in:
Ruben Groenewoud
+3
-2
@@ -1,10 +1,11 @@
|
||||
[metadata]
|
||||
creation_date = "2020/02/18"
|
||||
deprecation_date = "2023/03/04"
|
||||
integration = ["endpoint"]
|
||||
maturity = "production"
|
||||
maturity = "deprecated"
|
||||
min_stack_comments = "New fields added: required_fields, related_integrations, setup"
|
||||
min_stack_version = "8.3.0"
|
||||
updated_date = "2023/02/22"
|
||||
updated_date = "2023/03/04"
|
||||
|
||||
[rule]
|
||||
author = ["Elastic"]
|
||||
@@ -0,0 +1,80 @@
|
||||
[metadata]
|
||||
creation_date = "2023/03/04"
|
||||
integration = ["endpoint"]
|
||||
maturity = "production"
|
||||
min_stack_comments = "New fields added: required_fields, related_integrations, setup"
|
||||
min_stack_version = "8.3.0"
|
||||
updated_date = "2023/04/03"
|
||||
|
||||
[rule]
|
||||
author = ["Elastic"]
|
||||
description = "Identifies suspicious commands executed via a web server, which may suggest a vulnerability and remote shell access."
|
||||
false_positives = [
|
||||
"""
|
||||
Network monitoring or management products may have a web server component that runs shell commands as part of normal
|
||||
behavior.
|
||||
""",
|
||||
]
|
||||
from = "now-9m"
|
||||
index = ["logs-endpoint.events.*", "endgame-*"]
|
||||
language = "eql"
|
||||
license = "Elastic License v2"
|
||||
name = "Potential Remote Code Execution via Web Server"
|
||||
references = [
|
||||
"https://pentestlab.blog/tag/web-shell/",
|
||||
"https://www.elastic.co/security-labs/elastic-response-to-the-the-spring4shell-vulnerability-cve-2022-22965",
|
||||
]
|
||||
risk_score = 73
|
||||
rule_id = "f16fca20-4d6c-43f9-aec1-20b6de3b0aeb"
|
||||
severity = "high"
|
||||
tags = ["Elastic", "Host", "Linux", "Threat Detection", "Persistence", "Initial Access", "Elastic Endgame"]
|
||||
timestamp_override = "event.ingested"
|
||||
type = "eql"
|
||||
|
||||
query = '''
|
||||
process where host.os.type == "linux" and event.type == "start" and
|
||||
event.action in ("exec", "exec_event") and process.parent.executable : (
|
||||
"/usr/sbin/nginx", "/usr/local/sbin/nginx",
|
||||
"/usr/sbin/apache", "/usr/local/sbin/apache",
|
||||
"/usr/sbin/apache2", "/usr/local/sbin/apache2",
|
||||
"/usr/sbin/php*", "/usr/local/sbin/php*",
|
||||
"/usr/sbin/lighttpd", "/usr/local/sbin/lighttpd",
|
||||
"/usr/sbin/hiawatha", "/usr/local/sbin/hiawatha",
|
||||
"/usr/local/bin/caddy",
|
||||
"/usr/local/lsws/bin/lswsctrl",
|
||||
"*/bin/catalina.sh"
|
||||
) and
|
||||
process.name : ("*sh", "python*", "perl", "php*", "tmux") and
|
||||
process.args : ("whoami", "id", "uname", "cat", "hostname", "ip", "curl", "wget", "pwd")
|
||||
'''
|
||||
|
||||
|
||||
[[rule.threat]]
|
||||
framework = "MITRE ATT&CK"
|
||||
[[rule.threat.technique]]
|
||||
id = "T1505"
|
||||
name = "Server Software Component"
|
||||
reference = "https://attack.mitre.org/techniques/T1505/"
|
||||
[[rule.threat.technique.subtechnique]]
|
||||
id = "T1505.003"
|
||||
name = "Web Shell"
|
||||
reference = "https://attack.mitre.org/techniques/T1505/003/"
|
||||
|
||||
|
||||
|
||||
[rule.threat.tactic]
|
||||
id = "TA0003"
|
||||
name = "Persistence"
|
||||
reference = "https://attack.mitre.org/tactics/TA0003/"
|
||||
[[rule.threat]]
|
||||
framework = "MITRE ATT&CK"
|
||||
[[rule.threat.technique]]
|
||||
id = "T1190"
|
||||
name = "Exploit Public-Facing Application"
|
||||
reference = "https://attack.mitre.org/techniques/T1190/"
|
||||
|
||||
|
||||
[rule.threat.tactic]
|
||||
id = "TA0001"
|
||||
name = "Initial Access"
|
||||
reference = "https://attack.mitre.org/tactics/TA0001/"
|
||||
Reference in New Issue
Block a user