[New Rule] Network Activity Detected via kworker (#3202)

* [New Rule] Potential curl CVE-2023-38545 Exploitation * Revert "[New Rule] Potential curl CVE-2023-38545 Exploitation" This reverts commit 9c04d1b53d3d63678289f43ec0c7b617d26f1ce0. * [New Rule] Network Activity Detected via kworker * White space * Update rules/linux/command_and_control_linux_kworker_netcon.toml * Update rules/linux/command_and_control_linux_kworker_netcon.toml * Update rules/linux/command_and_control_linux_kworker_netcon.toml * Update command_and_control_linux_kworker_netcon.toml * Update rules/linux/command_and_control_linux_kworker_netcon.toml Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com> * Update rules/linux/command_and_control_linux_kworker_netcon.toml Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com> * Update command_and_control_linux_kworker_netcon.toml --------- Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>
2023-10-25 15:24:55 +02:00
parent ab6f28a380
commit 1ac3775743
1 changed files with 86 additions and 0 deletions
@@ -0,0 +1,86 @@
+[metadata]
+creation_date = "2023/10/18"
+integration = ["endpoint"]
+maturity = "production"
+min_stack_comments = "Multiple field support in the New Terms rule type was added in Elastic 8.6"
+min_stack_version = "8.6.0"
+updated_date = "2023/10/18"
+
+[rule]
+author = ["Elastic"]
+description = """
+This rule monitors for network connections from a kworker process. kworker, or kernel worker, processes are part of the
+kernel's workqueue mechanism. They are responsible for executing work that has been scheduled to be done in kernel 
+space, which might include tasks like handling interrupts, background activities, and other kernel-related tasks. 
+Attackers may attempt to evade detection by masquerading as a kernel worker process.
+"""
+from = "now-60m"
+index = ["logs-endpoint.events.*"]
+language = "kuery"
+license = "Elastic License v2"
+name = "Network Activity Detected via Kworker"
+risk_score = 21
+rule_id = "25d917c4-aa3c-4111-974c-286c0312ff95"
+severity = "low"
+tags = [
+        "Domain: Endpoint",
+        "OS: Linux",
+        "Use Case: Threat Detection",
+        "Tactic: Command and Control",
+        "Data Source: Elastic Defend"
+        ]
+timestamp_override = "event.ingested"
+type = "new_terms"
+
+query = '''
+host.os.type:linux and event.category:network and event.action:(connection_attempted or connection_accepted) and 
+process.name:kworker*
+'''
+
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+
+  [rule.threat.tactic]
+  id = "TA0011"
+  name = "Command and Control"
+  reference = "https://attack.mitre.org/tactics/TA0011/"
+
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+
+  [rule.threat.tactic]
+  id = "TA0005"
+  name = "Defense Evasion"
+  reference = "https://attack.mitre.org/tactics/TA0005/"
+
+  [[rule.threat.technique]]
+  name = "Masquerading"
+  id = "T1036"
+  reference = "https://attack.mitre.org/techniques/T1036/"
+
+  [[rule.threat.technique]]
+  name = "Rootkit"
+  id = "T1014"
+  reference = "https://attack.mitre.org/techniques/T1014/"
+
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+
+  [rule.threat.tactic]
+  id = "TA0010"
+  name = "Exfiltration"
+  reference = "https://attack.mitre.org/tactics/TA0010/"
+
+  [[rule.threat.technique]]
+  name = "Exfiltration Over C2 Channel"
+  id = "T1041"
+  reference = "https://attack.mitre.org/techniques/T1041/"
+
+[rule.new_terms]
+field = "new_terms_fields"
+value = ["destination.ip", "process.name", "host.id"]
+
+[[rule.new_terms.history_window_start]]
+field = "history_window_start"
+value = "now-14d"
+