security-tools/sigma-rules
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

[New Rules] Linux Tunneling and Port Forwarding (#3028)

Browse Source 
* Removed iodine rule due to new tunneling rule

* [New Rules] Linux Tunneling and Port Forwarding

* added ash

* Fixed description styling

* Changed rule name

* Update command_and_control_linux_suspicious_proxychains_activity.toml

* Added deprecation note & name change

* Changed deprecation status

* Removed deprecation date

* Fixed unit testing

* Update rules_building_block/command_and_control_linux_ssh_x11_forwarding.toml

---------

Co-authored-by: Colson Wilhoit <48036388+DefSecSentinel@users.noreply.github.com>
This commit is contained in:
Ruben Groenewoud
2023-08-30 22:12:19 +02:00
committed by GitHub
parent 41a7a36817
commit 32abdb95f7
7 changed files with 322 additions and 7 deletions
Download Patch File Download Diff File Expand all files Collapse all files
rules/linux/command_and_control_linux_chisel_client_activity.toml
+55
View File
@@ -0,0 +1,55 @@
[metadata]
creation_date = "2023/08/23"
integration = ["endpoint"]
maturity = "production"
min_stack_comments = "New fields added: required_fields, related_integrations, setup"
min_stack_version = "8.3.0"
updated_date = "2023/08/23"
[rule]
author = ["Elastic"]
description = """
This rule monitors for common command line flags leveraged by the Chisel client utility followed by a connection attempt.
Chisel is a command-line utility used for creating and managing TCP and UDP tunnels, enabling port forwarding and secure
communication between machines. Attackers can abuse the Chisel utility to establish covert communication channels, bypass
network restrictions, and carry out malicious activities by creating tunnels that allow unauthorized access to internal
systems.
"""
from = "now-9m"
index = ["logs-endpoint.events.*"]
language = "eql"
license = "Elastic License v2"
name = "Potential Protocol Tunneling via Chisel Client"
references = [
"https://blog.bitsadmin.com/living-off-the-foreign-land-windows-as-offensive-platform",
"https://book.hacktricks.xyz/generic-methodologies-and-resources/tunneling-and-port-forwarding"
]
risk_score = 47
rule_id = "3f12325a-4cc6-410b-8d4c-9fbbeb744cfd"
severity = "medium"
tags = ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Command and Control", "Data Source: Elastic Defend"]
type = "eql"
query = '''
sequence by host.id, process.entity_id with maxspan=1s
[process where host.os.type == "linux" and event.action == "exec" and event.type == "start" and
process.args == "client" and process.args : ("R*", "*:*", "*socks*", "*.*") and process.args_count >= 4 and
process.parent.name in ("bash", "dash", "ash", "sh", "tcsh", "csh", "zsh", "ksh", "fish")]
[network where host.os.type == "linux" and event.action == "connection_attempted" and event.type == "start" and
destination.ip != null and destination.ip != "127.0.0.1" and destination.ip != "::1" and
not process.name : (
"python*", "php*", "perl", "ruby", "lua*", "openssl", "nc", "netcat", "ncat", "telnet", "awk", "java", "telnet",
"ftp", "socat", "curl", "wget", "dpkg", "docker", "dockerd", "yum", "apt", "rpm", "dnf", "ssh", "sshd")]
'''
[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1572"
name = "Protocol Tunneling"
reference = "https://attack.mitre.org/techniques/T1572/"
[rule.threat.tactic]
id = "TA0011"
name = "Command and Control"
reference = "https://attack.mitre.org/tactics/TA0011/"
rules/linux/command_and_control_linux_chisel_server_activity.toml
+55
View File
@@ -0,0 +1,55 @@
[metadata]
creation_date = "2023/08/23"
integration = ["endpoint"]
maturity = "production"
min_stack_comments = "New fields added: required_fields, related_integrations, setup"
min_stack_version = "8.3.0"
updated_date = "2023/08/23"
[rule]
author = ["Elastic"]
description = """
This rule monitors for common command line flags leveraged by the Chisel server utility followed by a received connection
within a timespan of 1 minute. Chisel is a command-line utility used for creating and managing TCP and UDP tunnels,
enabling port forwarding and secure communication between machines. Attackers can abuse the Chisel utility to establish
covert communication channels, bypass network restrictions, and carry out malicious activities by creating tunnels that
allow unauthorized access to internal systems.
"""
from = "now-9m"
index = ["logs-endpoint.events.*"]
language = "eql"
license = "Elastic License v2"
name = "Potential Protocol Tunneling via Chisel Server"
references = [
"https://blog.bitsadmin.com/living-off-the-foreign-land-windows-as-offensive-platform",
"https://book.hacktricks.xyz/generic-methodologies-and-resources/tunneling-and-port-forwarding"
]
risk_score = 47
rule_id = "ac8805f6-1e08-406c-962e-3937057fa86f"
severity = "medium"
tags = ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Command and Control", "Data Source: Elastic Defend"]
type = "eql"
query = '''
sequence by host.id, process.entity_id with maxspan=1m
[process where host.os.type == "linux" and event.action == "exec" and event.type == "start" and
process.args == "server" and process.args in ("--port", "-p", "--reverse", "--backend", "--socks5") and
process.args_count >= 3 and process.parent.name in ("bash", "dash", "ash", "sh", "tcsh", "csh", "zsh", "ksh", "fish")]
[network where host.os.type == "linux" and event.action == "connection_accepted" and event.type == "start" and
destination.ip != null and destination.ip != "127.0.0.1" and destination.ip != "::1" and
not process.name : (
"python*", "php*", "perl", "ruby", "lua*", "openssl", "nc", "netcat", "ncat", "telnet", "awk", "java", "telnet",
"ftp", "socat", "curl", "wget", "dpkg", "docker", "dockerd", "yum", "apt", "rpm", "dnf", "ssh", "sshd", "hugo")]
'''
[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1572"
name = "Protocol Tunneling"
reference = "https://attack.mitre.org/techniques/T1572/"
[rule.threat.tactic]
id = "TA0011"
name = "Command and Control"
reference = "https://attack.mitre.org/tactics/TA0011/"
rules/linux/command_and_control_linux_iodine_activity.toml
+11 -7
View File
@@ -4,7 +4,7 @@ integration = ["endpoint"]
maturity = "production"
min_stack_comments = "New fields added: required_fields, related_integrations, setup"
min_stack_version = "8.3.0"
updated_date = "2023/06/22"
updated_date = "2023/08/25"
[rule]
author = ["Elastic"]
@@ -22,30 +22,34 @@ from = "now-9m"
index = ["auditbeat-*", "logs-endpoint.events.*", "endgame-*"]
language = "kuery"
license = "Elastic License v2"
name = "Potential DNS Tunneling via Iodine"
name = "Deprecated - Potential DNS Tunneling via Iodine"
note = """This rule was deprecated due to its addition to the umbrella `Potential Linux Tunneling and/or Port Forwarding` (6ee947e9-de7e-4281-a55d-09289bdf947e) rule."""
references = ["https://code.kryo.se/iodine/"]
risk_score = 73
rule_id = "041d4d41-9589-43e2-ba13-5680af75ebc2"
severity = "high"
tags = ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Command and Control", "Data Source: Elastic Endgame"]
tags = [
"Domain: Endpoint",
"OS: Linux",
"Use Case: Threat Detection",
"Tactic: Command and Control",
"Data Source: Elastic Endgame",
]
timestamp_override = "event.ingested"
type = "query"
query = '''
event.category:process and host.os.type:linux and event.type:(start or process_started) and process.name:(iodine or iodined)
'''
[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1572"
name = "Protocol Tunneling"
reference = "https://attack.mitre.org/techniques/T1572/"
[rule.threat.tactic]
id = "TA0011"
name = "Command and Control"
reference = "https://attack.mitre.org/tactics/TA0011/"
rules/linux/command_and_control_linux_suspicious_proxychains_activity.toml
+48
View File
@@ -0,0 +1,48 @@
[metadata]
creation_date = "2023/08/23"
integration = ["endpoint"]
maturity = "production"
min_stack_comments = "New fields added: required_fields, related_integrations, setup"
min_stack_version = "8.3.0"
updated_date = "2023/08/23"
[rule]
author = ["Elastic"]
description = """
This rule monitors for the execution of suspicious linux tools through ProxyChains. ProxyChains is a command-line tool
that enables the routing of network connections through intermediary proxies, enhancing anonymity and enabling access to
restricted resources. Attackers can exploit the ProxyChains utility to hide their true source IP address, evade detection,
and perform malicious activities through a chain of proxy servers, potentially masking their identity and intentions.
"""
from = "now-9m"
index = ["logs-endpoint.events.*"]
language = "eql"
license = "Elastic License v2"
name = "Suspicious Utility Launched via ProxyChains"
references = ["https://blog.bitsadmin.com/living-off-the-foreign-land-windows-as-offensive-platform"]
risk_score = 21
rule_id = "6ace94ba-f02c-4d55-9f53-87d99b6f9af4"
severity = "low"
tags = ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Command and Control", "Data Source: Elastic Defend"]
timestamp_override = "event.ingested"
type = "eql"
query = '''
process where host.os.type == "linux" and event.action == "exec" and event.type == "start" and
process.name == "proxychains" and process.args : (
"ssh", "sshd", "sshuttle", "socat", "iodine", "iodined", "dnscat", "hans", "hans-ubuntu", "ptunnel-ng",
"ssf", "3proxy", "ngrok", "gost", "pivotnacci", "chisel*", "nmap", "ping", "python*", "php*", "perl", "ruby",
"lua*", "openssl", "nc", "netcat", "ncat", "telnet", "awk", "java", "telnet", "ftp", "curl", "wget")
'''
[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1572"
name = "Protocol Tunneling"
reference = "https://attack.mitre.org/techniques/T1572/"
[rule.threat.tactic]
id = "TA0011"
name = "Command and Control"
reference = "https://attack.mitre.org/tactics/TA0011/"
rules/linux/command_and_control_linux_tunneling_and_port_forwarding.toml
+59
View File
@@ -0,0 +1,59 @@
[metadata]
creation_date = "2023/08/23"
integration = ["endpoint"]
maturity = "production"
min_stack_comments = "New fields added: required_fields, related_integrations, setup"
min_stack_version = "8.3.0"
updated_date = "2023/08/23"
[rule]
author = ["Elastic"]
description = """
This rule monitors for a set of Linux utilities that can be used for tunneling and port forwarding. Attackers can
leverage tunneling and port forwarding techniques to bypass network defenses, establish hidden communication channels,
and gain unauthorized access to internal resources, facilitating data exfiltration, lateral movement, and remote control.
"""
from = "now-9m"
index = ["logs-endpoint.events.*"]
language = "eql"
license = "Elastic License v2"
name = "Potential Linux Tunneling and/or Port Forwarding"
references = [
"https://blog.bitsadmin.com/living-off-the-foreign-land-windows-as-offensive-platform",
"https://book.hacktricks.xyz/generic-methodologies-and-resources/tunneling-and-port-forwarding"
]
risk_score = 47
rule_id = "6ee947e9-de7e-4281-a55d-09289bdf947e"
severity = "medium"
tags = ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Command and Control", "Data Source: Elastic Defend"]
timestamp_override = "event.ingested"
type = "eql"
query = '''
process where host.os.type == "linux" and event.action == "exec" and event.type == "start" and ((
// gost & pivotnacci - spawned without process.parent.name
(process.name == "gost" and process.args : ("-L*", "-C*", "-R*")) or (process.name == "pivotnacci")) or (
// ssh
(process.name in ("ssh", "sshd") and (process.args in ("-R", "-L", "D", "-w") and process.args_count >= 4)) or
// sshuttle
(process.name == "sshuttle" and process.args in ("-r", "--remote", "-l", "--listen") and process.args_count >= 4) or
// socat
(process.name == "socat" and process.args : ("TCP4-LISTEN:*", "SOCKS*") and process.args_count >= 3) or
// chisel
(process.name : "chisel*" and process.args in ("client", "server")) or
// iodine(d), dnscat, hans, ptunnel-ng, ssf, 3proxy & ngrok
(process.name in ("iodine", "iodined", "dnscat", "hans", "hans-ubuntu", "ptunnel-ng", "ssf", "3proxy", "ngrok"))
) and process.parent.name in ("bash", "dash", "ash", "sh", "tcsh", "csh", "zsh", "ksh", "fish"))
'''
[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1572"
name = "Protocol Tunneling"
reference = "https://attack.mitre.org/techniques/T1572/"
[rule.threat.tactic]
id = "TA0011"
name = "Command and Control"
reference = "https://attack.mitre.org/tactics/TA0011/"
rules_building_block/command_and_control_linux_proxychains_activity.toml
+46
View File
@@ -0,0 +1,46 @@
[metadata]
creation_date = "2023/08/23"
integration = ["endpoint"]
maturity = "production"
min_stack_comments = "New fields added: required_fields, related_integrations, setup"
min_stack_version = "8.3.0"
updated_date = "2023/08/23"
[rule]
author = ["Elastic"]
building_block_type = "default"
description = """
This rule monitors for the execution of the ProxyChains utility. ProxyChains is a command-line tool that enables the
routing of network connections through intermediary proxies, enhancing anonymity and enabling access to restricted
resources. Attackers can exploit the ProxyChains utility to hide their true source IP address, evade detection, and
perform malicious activities through a chain of proxy servers, potentially masking their identity and intentions.
"""
from = "now-119m"
interval = "60m"
index = ["logs-endpoint.events.*"]
language = "eql"
license = "Elastic License v2"
name = "ProxyChains Activity"
references = ["https://blog.bitsadmin.com/living-off-the-foreign-land-windows-as-offensive-platform"]
risk_score = 21
rule_id = "4b868f1f-15ff-4ba3-8c11-d5a7a6356d37"
severity = "low"
tags = ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Command and Control", "Data Source: Elastic Defend", "Rule Type: BBR"]
timestamp_override = "event.ingested"
type = "eql"
query = '''
process where host.os.type == "linux" and event.action == "exec" and event.type == "start" and process.name == "proxychains"
'''
[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1572"
name = "Protocol Tunneling"
reference = "https://attack.mitre.org/techniques/T1572/"
[rule.threat.tactic]
id = "TA0011"
name = "Command and Control"
reference = "https://attack.mitre.org/tactics/TA0011/"
rules_building_block/command_and_control_linux_ssh_x11_forwarding.toml
+48
View File
@@ -0,0 +1,48 @@
[metadata]
creation_date = "2023/08/23"
integration = ["endpoint"]
maturity = "production"
min_stack_comments = "New fields added: required_fields, related_integrations, setup"
min_stack_version = "8.3.0"
updated_date = "2023/08/23"
[rule]
author = ["Elastic"]
building_block_type = "default"
description = """
This rule monitors for X11 forwarding via SSH. X11 forwarding is a feature that allows users to run graphical
applications on a remote server and display the application's graphical user interface on their local machine. Attackers
can abuse X11 forwarding for tunneling their GUI-based tools, pivot through compromised systems, and create covert
communication channels, enabling lateral movement and facilitating remote control of systems within a network.
"""
from = "now-119m"
interval = "60m"
index = ["logs-endpoint.events.*"]
language = "eql"
license = "Elastic License v2"
name = "Potential Linux SSH X11 Forwarding"
references = ["https://book.hacktricks.xyz/generic-methodologies-and-resources/tunneling-and-port-forwarding"]
risk_score = 21
rule_id = "29f0cf93-d17c-4b12-b4f3-a433800539fa"
severity = "low"
tags = ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Command and Control", "Data Source: Elastic Defend", "Rule Type: BBR"]
timestamp_override = "event.ingested"
type = "eql"
query = '''
process where host.os.type == "linux" and event.action == "exec" and event.type == "start" and
process.name in ("ssh", "sshd") and process.args in ("-X", "-Y") and process.args_count >= 3 and
process.parent.name in ("bash", "dash", "ash", "sh", "tcsh", "csh", "zsh", "ksh", "fish")
'''
[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1572"
name = "Protocol Tunneling"
reference = "https://attack.mitre.org/techniques/T1572/"
[rule.threat.tactic]
id = "TA0011"
name = "Command and Control"
reference = "https://attack.mitre.org/tactics/TA0011/"