From 1ac37757436583776242159495a336584df7ffcc Mon Sep 17 00:00:00 2001 From: Ruben Groenewoud <78494512+Aegrah@users.noreply.github.com> Date: Wed, 25 Oct 2023 15:24:55 +0200 Subject: [PATCH] [New Rule] Network Activity Detected via kworker (#3202) * [New Rule] Potential curl CVE-2023-38545 Exploitation * Revert "[New Rule] Potential curl CVE-2023-38545 Exploitation" This reverts commit 9c04d1b53d3d63678289f43ec0c7b617d26f1ce0. * [New Rule] Network Activity Detected via kworker * White space * Update rules/linux/command_and_control_linux_kworker_netcon.toml * Update rules/linux/command_and_control_linux_kworker_netcon.toml * Update rules/linux/command_and_control_linux_kworker_netcon.toml * Update command_and_control_linux_kworker_netcon.toml * Update rules/linux/command_and_control_linux_kworker_netcon.toml Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com> * Update rules/linux/command_and_control_linux_kworker_netcon.toml Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com> * Update command_and_control_linux_kworker_netcon.toml --------- Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com> --- ...mand_and_control_linux_kworker_netcon.toml | 86 +++++++++++++++++++ 1 file changed, 86 insertions(+) create mode 100644 rules/linux/command_and_control_linux_kworker_netcon.toml diff --git a/rules/linux/command_and_control_linux_kworker_netcon.toml b/rules/linux/command_and_control_linux_kworker_netcon.toml new file mode 100644 index 000000000..75b821757 --- /dev/null +++ b/rules/linux/command_and_control_linux_kworker_netcon.toml @@ -0,0 +1,86 @@ +[metadata] +creation_date = "2023/10/18" +integration = ["endpoint"] +maturity = "production" +min_stack_comments = "Multiple field support in the New Terms rule type was added in Elastic 8.6" +min_stack_version = "8.6.0" +updated_date = "2023/10/18" + +[rule] +author = ["Elastic"] +description = """ +This rule monitors for network connections from a kworker process. kworker, or kernel worker, processes are part of the +kernel's workqueue mechanism. They are responsible for executing work that has been scheduled to be done in kernel +space, which might include tasks like handling interrupts, background activities, and other kernel-related tasks. +Attackers may attempt to evade detection by masquerading as a kernel worker process. +""" +from = "now-60m" +index = ["logs-endpoint.events.*"] +language = "kuery" +license = "Elastic License v2" +name = "Network Activity Detected via Kworker" +risk_score = 21 +rule_id = "25d917c4-aa3c-4111-974c-286c0312ff95" +severity = "low" +tags = [ + "Domain: Endpoint", + "OS: Linux", + "Use Case: Threat Detection", + "Tactic: Command and Control", + "Data Source: Elastic Defend" + ] +timestamp_override = "event.ingested" +type = "new_terms" + +query = ''' +host.os.type:linux and event.category:network and event.action:(connection_attempted or connection_accepted) and +process.name:kworker* +''' + +[[rule.threat]] +framework = "MITRE ATT&CK" + + [rule.threat.tactic] + id = "TA0011" + name = "Command and Control" + reference = "https://attack.mitre.org/tactics/TA0011/" + +[[rule.threat]] +framework = "MITRE ATT&CK" + + [rule.threat.tactic] + id = "TA0005" + name = "Defense Evasion" + reference = "https://attack.mitre.org/tactics/TA0005/" + + [[rule.threat.technique]] + name = "Masquerading" + id = "T1036" + reference = "https://attack.mitre.org/techniques/T1036/" + + [[rule.threat.technique]] + name = "Rootkit" + id = "T1014" + reference = "https://attack.mitre.org/techniques/T1014/" + +[[rule.threat]] +framework = "MITRE ATT&CK" + + [rule.threat.tactic] + id = "TA0010" + name = "Exfiltration" + reference = "https://attack.mitre.org/tactics/TA0010/" + + [[rule.threat.technique]] + name = "Exfiltration Over C2 Channel" + id = "T1041" + reference = "https://attack.mitre.org/techniques/T1041/" + +[rule.new_terms] +field = "new_terms_fields" +value = ["destination.ip", "process.name", "host.id"] + +[[rule.new_terms.history_window_start]] +field = "history_window_start" +value = "now-14d" +