From 32abdb95f7fd007ef5b4de5b26528cc4499e2a6a Mon Sep 17 00:00:00 2001 From: Ruben Groenewoud <78494512+Aegrah@users.noreply.github.com> Date: Wed, 30 Aug 2023 22:12:19 +0200 Subject: [PATCH] [New Rules] Linux Tunneling and Port Forwarding (#3028) * Removed iodine rule due to new tunneling rule * [New Rules] Linux Tunneling and Port Forwarding * added ash * Fixed description styling * Changed rule name * Update command_and_control_linux_suspicious_proxychains_activity.toml * Added deprecation note & name change * Changed deprecation status * Removed deprecation date * Fixed unit testing * Update rules_building_block/command_and_control_linux_ssh_x11_forwarding.toml --------- Co-authored-by: Colson Wilhoit <48036388+DefSecSentinel@users.noreply.github.com> --- ..._control_linux_chisel_client_activity.toml | 55 +++++++++++++++++ ..._control_linux_chisel_server_activity.toml | 55 +++++++++++++++++ ...and_and_control_linux_iodine_activity.toml | 18 +++--- ...linux_suspicious_proxychains_activity.toml | 48 +++++++++++++++ ...l_linux_tunneling_and_port_forwarding.toml | 59 +++++++++++++++++++ ...nd_control_linux_proxychains_activity.toml | 46 +++++++++++++++ ..._and_control_linux_ssh_x11_forwarding.toml | 48 +++++++++++++++ 7 files changed, 322 insertions(+), 7 deletions(-) create mode 100644 rules/linux/command_and_control_linux_chisel_client_activity.toml create mode 100644 rules/linux/command_and_control_linux_chisel_server_activity.toml create mode 100644 rules/linux/command_and_control_linux_suspicious_proxychains_activity.toml create mode 100644 rules/linux/command_and_control_linux_tunneling_and_port_forwarding.toml create mode 100644 rules_building_block/command_and_control_linux_proxychains_activity.toml create mode 100644 rules_building_block/command_and_control_linux_ssh_x11_forwarding.toml 
diff --git a/rules/linux/command_and_control_linux_chisel_client_activity.toml b/rules/linux/command_and_control_linux_chisel_client_activity.toml
new file mode 100644
index 000000000..d1738432e
--- /dev/null
+++ b/rules/linux/command_and_control_linux_chisel_client_activity.toml
@@ -0,0 +1,55 @@
+[metadata]
+creation_date = "2023/08/23"
+integration = ["endpoint"]
+maturity = "production"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2023/08/23"
+
+[rule]
+author = ["Elastic"]
+description = """
+This rule monitors for common command line flags leveraged by the Chisel client utility followed by a connection attempt.
+Chisel is a command-line utility used for creating and managing TCP and UDP tunnels, enabling port forwarding and secure
+communication between machines. Attackers can abuse the Chisel utility to establish covert communication channels, bypass
+network restrictions, and carry out malicious activities by creating tunnels that allow unauthorized access to internal
+systems.
+"""
+from = "now-9m"
+index = ["logs-endpoint.events.*"]
+language = "eql"
+license = "Elastic License v2"
+name = "Potential Protocol Tunneling via Chisel Client"
+references = [
+ "https://blog.bitsadmin.com/living-off-the-foreign-land-windows-as-offensive-platform",
+ "https://book.hacktricks.xyz/generic-methodologies-and-resources/tunneling-and-port-forwarding"
+ ]
+risk_score = 47
+rule_id = "3f12325a-4cc6-410b-8d4c-9fbbeb744cfd"
+severity = "medium"
+tags = ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Command and Control", "Data Source: Elastic Defend"]
+type = "eql"
+query = '''
+sequence by host.id, process.entity_id with maxspan=1s
+ [process where host.os.type == "linux" and event.action == "exec" and event.type == "start" and
+ process.args == "client" and process.args : ("R*", "*:*", "*socks*", "*.*") and process.args_count >= 4 and
+ process.parent.name in ("bash", "dash", "ash", "sh", "tcsh", "csh", "zsh", "ksh", "fish")]
+ [network where host.os.type == "linux" and event.action == "connection_attempted" and event.type == "start" and
+ destination.ip != null and destination.ip != "127.0.0.1" and destination.ip != "::1" and
+ not process.name : (
+ "python*", "php*", "perl", "ruby", "lua*", "openssl", "nc", "netcat", "ncat", "telnet", "awk", "java", "telnet",
+ "ftp", "socat", "curl", "wget", "dpkg", "docker", "dockerd", "yum", "apt", "rpm", "dnf", "ssh", "sshd")]
+'''
+
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+
+[[rule.threat.technique]]
+id = "T1572"
+name = "Protocol Tunneling"
+reference = "https://attack.mitre.org/techniques/T1572/"
+
+[rule.threat.tactic]
+id = "TA0011"
+name = "Command and Control"
+reference = "https://attack.mitre.org/tactics/TA0011/"
diff --git a/rules/linux/command_and_control_linux_chisel_server_activity.toml b/rules/linux/command_and_control_linux_chisel_server_activity.toml
new file mode 100644
index 000000000..4d75f2134
--- /dev/null
+++ b/rules/linux/command_and_control_linux_chisel_server_activity.toml
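Review bot: `"telnet"` is listed twice in the `not process.name : (...)` exclusion of the network stage, and the same duplicate appears in the chisel server hunk and in the `process.args` list of the suspicious ProxyChains hunk; drop the second occurrence in each. Separately, this rule and the chisel server rule omit `timestamp_override = "event.ingested"` while every other rule in this patch sets it — if that is deliberate for the two sequence rules it deserves a comment, otherwise add the line after `severity`. The loopback filter on the network stage only excludes the two literal addresses; `not cidrMatch(destination.ip, "127.0.0.0/8", "::1/128")` would cover the whole loopback range in one clause.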
@@ -0,0 +1,55 @@
+[metadata]
+creation_date = "2023/08/23"
+integration = ["endpoint"]
+maturity = "production"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2023/08/23"
+
+[rule]
+author = ["Elastic"]
+description = """
+This rule monitors for common command line flags leveraged by the Chisel server utility followed by a received connection
+within a timespan of 1 minute. Chisel is a command-line utility used for creating and managing TCP and UDP tunnels,
+enabling port forwarding and secure communication between machines. Attackers can abuse the Chisel utility to establish
+covert communication channels, bypass network restrictions, and carry out malicious activities by creating tunnels that
+allow unauthorized access to internal systems.
+"""
+from = "now-9m"
+index = ["logs-endpoint.events.*"]
+language = "eql"
+license = "Elastic License v2"
+name = "Potential Protocol Tunneling via Chisel Server"
+references = [
+ "https://blog.bitsadmin.com/living-off-the-foreign-land-windows-as-offensive-platform",
+ "https://book.hacktricks.xyz/generic-methodologies-and-resources/tunneling-and-port-forwarding"
+ ]
+risk_score = 47
+rule_id = "ac8805f6-1e08-406c-962e-3937057fa86f"
+severity = "medium"
+tags = ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Command and Control", "Data Source: Elastic Defend"]
+type = "eql"
+query = '''
+sequence by host.id, process.entity_id with maxspan=1m
+ [process where host.os.type == "linux" and event.action == "exec" and event.type == "start" and
+ process.args == "server" and process.args in ("--port", "-p", "--reverse", "--backend", "--socks5") and
+ process.args_count >= 3 and process.parent.name in ("bash", "dash", "ash", "sh", "tcsh", "csh", "zsh", "ksh", "fish")]
+ [network where host.os.type == "linux" and event.action == "connection_accepted" and event.type == "start" and
+ destination.ip != null and destination.ip != "127.0.0.1" and destination.ip != "::1" and
+ not process.name : (
+ "python*", "php*", "perl", "ruby", "lua*", "openssl", "nc", "netcat", "ncat", "telnet", "awk", "java", "telnet",
+ "ftp", "socat", "curl", "wget", "dpkg", "docker", "dockerd", "yum", "apt", "rpm", "dnf", "ssh", "sshd", "hugo")]
+'''
+
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+
+[[rule.threat.technique]]
+id = "T1572"
+name = "Protocol Tunneling"
+reference = "https://attack.mitre.org/techniques/T1572/"
+
+[rule.threat.tactic]
+id = "TA0011"
+name = "Command and Control"
+reference = "https://attack.mitre.org/tactics/TA0011/"
diff --git a/rules/linux/command_and_control_linux_iodine_activity.toml b/rules/linux/command_and_control_linux_iodine_activity.toml
index e41e88c53..14370203f 100644
--- a/rules/linux/command_and_control_linux_iodine_activity.toml
+++ b/rules/linux/command_and_control_linux_iodine_activity.toml
@@ -4,7 +4,7 @@ integration = ["endpoint"]
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2023/06/22"
+updated_date = "2023/08/25"
 
 [rule]
 author = ["Elastic"]
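Review bot: `"hugo"` is the one name in the network-stage exclusion list that is absent from the chisel client rule's list, and nothing records why it is there; presumably `hugo server` satisfies the first stage's `process.args == "server"` test and then accepts connections, but that is an inference the next maintainer should not have to repeat. The tunneling hunk later in this patch already uses `//` comments inside an EQL query, so a line such as `// hugo: its dev server is started with a "server" argument and accepts connections` above the exclusion list would keep the intent with the rule. The chisel server file header is on the previous line; its hunk is complete here.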
@@ -22,30 +22,34 @@ from = "now-9m" index = ["auditbeat-*", "logs-endpoint.events.*", "endgame-*"] language = "kuery" license = "Elastic License v2" -name = "Potential DNS Tunneling via Iodine" +name = "Deprecated - Potential DNS Tunneling via Iodine" +note = """This rule was deprecated due to its addition to the umbrella `Potential Linux Tunneling and/or Port Forwarding` (6ee947e9-de7e-4281-a55d-09289bdf947e) rule.""" references = ["https://code.kryo.se/iodine/"] risk_score = 73 rule_id = "041d4d41-9589-43e2-ba13-5680af75ebc2" severity = "high" -tags = ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Command and Control", "Data Source: Elastic Endgame"] +tags = [ + "Domain: Endpoint", + "OS: Linux", + "Use Case: Threat Detection", + "Tactic: Command and Control", + "Data Source: Elastic Endgame", +] timestamp_override = "event.ingested" type = "query" - query = ''' event.category:process and host.os.type:linux and event.type:(start or process_started) and process.name:(iodine or iodined) ''' - [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1572" name = "Protocol Tunneling" reference = "https://attack.mitre.org/techniques/T1572/" - [rule.threat.tactic] id = "TA0011" name = "Command and Control" reference = "https://attack.mitre.org/tactics/TA0011/" - diff --git a/rules/linux/command_and_control_linux_suspicious_proxychains_activity.toml b/rules/linux/command_and_control_linux_suspicious_proxychains_activity.toml new file mode 100644 index 000000000..5efa70cd1 --- /dev/null +++ b/rules/linux/command_and_control_linux_suspicious_proxychains_activity.toml 
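Review bot: The new `note` says this rule "was deprecated" in favour of 6ee947e9-de7e-4281-a55d-09289bdf947e, but that umbrella rule does not cover what this one does: it reads only `logs-endpoint.events.*` and requires `process.parent.name` to be a shell, whereas this rule also queries `auditbeat-*` and `endgame-*` with no parent constraint. Once this rule is retired, iodine executions seen through Endgame or Auditbeat, or started from something other than a shell, will no longer alert; either carry those indices and the unconstrained parent into the umbrella rule or state the narrower scope in the note. The `maturity` key in the previous hunk's context also still reads `"production"`, so "was deprecated" overstates the current state — `This rule is scheduled for deprecation because …` would match what the file actually says.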
@@ -0,0 +1,48 @@
+[metadata]
+creation_date = "2023/08/23"
+integration = ["endpoint"]
+maturity = "production"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2023/08/23"
+
+[rule]
+author = ["Elastic"]
+description = """
+This rule monitors for the execution of suspicious linux tools through ProxyChains. ProxyChains is a command-line tool
+that enables the routing of network connections through intermediary proxies, enhancing anonymity and enabling access to
+restricted resources. Attackers can exploit the ProxyChains utility to hide their true source IP address, evade detection,
+and perform malicious activities through a chain of proxy servers, potentially masking their identity and intentions.
+"""
+from = "now-9m"
+index = ["logs-endpoint.events.*"]
+language = "eql"
+license = "Elastic License v2"
+name = "Suspicious Utility Launched via ProxyChains"
+references = ["https://blog.bitsadmin.com/living-off-the-foreign-land-windows-as-offensive-platform"]
+risk_score = 21
+rule_id = "6ace94ba-f02c-4d55-9f53-87d99b6f9af4"
+severity = "low"
+tags = ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Command and Control", "Data Source: Elastic Defend"]
+timestamp_override = "event.ingested"
+type = "eql"
+query = '''
+process where host.os.type == "linux" and event.action == "exec" and event.type == "start" and
+process.name == "proxychains" and process.args : (
+ "ssh", "sshd", "sshuttle", "socat", "iodine", "iodined", "dnscat", "hans", "hans-ubuntu", "ptunnel-ng",
+ "ssf", "3proxy", "ngrok", "gost", "pivotnacci", "chisel*", "nmap", "ping", "python*", "php*", "perl", "ruby",
+ "lua*", "openssl", "nc", "netcat", "ncat", "telnet", "awk", "java", "telnet", "ftp", "curl", "wget")
+'''
+
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+
+[[rule.threat.technique]]
+id = "T1572"
+name = "Protocol Tunneling"
+reference = "https://attack.mitre.org/techniques/T1572/"
+
+[rule.threat.tactic]
+id = "TA0011"
+name = "Command and Control"
+reference = "https://attack.mitre.org/tactics/TA0011/"
diff --git a/rules/linux/command_and_control_linux_tunneling_and_port_forwarding.toml b/rules/linux/command_and_control_linux_tunneling_and_port_forwarding.toml
new file mode 100644
index 000000000..35bbfce1f
--- /dev/null
+++ b/rules/linux/command_and_control_linux_tunneling_and_port_forwarding.toml
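Review bot: `process.name == "proxychains"` only matches the original proxychains binary name; the proxychains-ng fork that several current distributions package installs its executable as `proxychains4`, with `proxychains` present only as an alias on some of them, so executions under that name produce no match. `process.name in ("proxychains", "proxychains4")` would close the gap without widening the rule otherwise. The same equality test is used by the ProxyChains building-block rule later in this patch and should be changed together with this one. The hunk for this file begins on the previous line.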
@@ -0,0 +1,59 @@
+[metadata]
+creation_date = "2023/08/23"
+integration = ["endpoint"]
+maturity = "production"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2023/08/23"
+
+[rule]
+author = ["Elastic"]
+description = """
+This rule monitors for a set of Linux utilities that can be used for tunneling and port forwarding. Attackers can
+leverage tunneling and port forwarding techniques to bypass network defenses, establish hidden communication channels,
+and gain unauthorized access to internal resources, facilitating data exfiltration, lateral movement, and remote control.
+"""
+from = "now-9m"
+index = ["logs-endpoint.events.*"]
+language = "eql"
+license = "Elastic License v2"
+name = "Potential Linux Tunneling and/or Port Forwarding"
+references = [
+ "https://blog.bitsadmin.com/living-off-the-foreign-land-windows-as-offensive-platform",
+ "https://book.hacktricks.xyz/generic-methodologies-and-resources/tunneling-and-port-forwarding"
+ ]
+risk_score = 47
+rule_id = "6ee947e9-de7e-4281-a55d-09289bdf947e"
+severity = "medium"
+tags = ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Command and Control", "Data Source: Elastic Defend"]
+timestamp_override = "event.ingested"
+type = "eql"
+query = '''
+process where host.os.type == "linux" and event.action == "exec" and event.type == "start" and ((
+// gost & pivotnacci - spawned without process.parent.name
+(process.name == "gost" and process.args : ("-L*", "-C*", "-R*")) or (process.name == "pivotnacci")) or (
+// ssh
+(process.name in ("ssh", "sshd") and (process.args in ("-R", "-L", "D", "-w") and process.args_count >= 4)) or
+// sshuttle
+(process.name == "sshuttle" and process.args in ("-r", "--remote", "-l", "--listen") and process.args_count >= 4) or
+// socat
+(process.name == "socat" and process.args : ("TCP4-LISTEN:*", "SOCKS*") and process.args_count >= 3) or
+// chisel
+(process.name : "chisel*" and process.args in ("client", "server")) or
+// iodine(d), dnscat, hans, ptunnel-ng, ssf, 3proxy & ngrok
+(process.name in ("iodine", "iodined", "dnscat", "hans", "hans-ubuntu", "ptunnel-ng", "ssf", "3proxy", "ngrok"))
+) and process.parent.name in ("bash", "dash", "ash", "sh", "tcsh", "csh", "zsh", "ksh", "fish"))
+'''
+
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+
+[[rule.threat.technique]]
+id = "T1572"
+name = "Protocol Tunneling"
+reference = "https://attack.mitre.org/techniques/T1572/"
+
+[rule.threat.tactic]
+id = "TA0011"
+name = "Command and Control"
+reference = "https://attack.mitre.org/tactics/TA0011/"
diff --git a/rules_building_block/command_and_control_linux_proxychains_activity.toml b/rules_building_block/command_and_control_linux_proxychains_activity.toml
new file mode 100644
index 000000000..939784370
--- /dev/null
+++ b/rules_building_block/command_and_control_linux_proxychains_activity.toml
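Review bot: In the `// ssh` branch of the query, `process.args in ("-R", "-L", "D", "-w")` lists `"D"` without its leading dash, so the dynamic-forwarding form of the utility this branch is meant to cover never satisfies the condition; the line should read `(process.name in ("ssh", "sshd") and (process.args in ("-R", "-L", "-D", "-w") and process.args_count >= 4)) or`. Since `process.args` is compared for exact equality, a bare `D` argument is not something ssh accepts, which is why the typo is silent rather than noisy. The hunk for this file begins on the previous line.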
@@ -0,0 +1,46 @@
+[metadata]
+creation_date = "2023/08/23"
+integration = ["endpoint"]
+maturity = "production"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2023/08/23"
+
+[rule]
+author = ["Elastic"]
+building_block_type = "default"
+description = """
+This rule monitors for the execution of the ProxyChains utility. ProxyChains is a command-line tool that enables the
+routing of network connections through intermediary proxies, enhancing anonymity and enabling access to restricted
+resources. Attackers can exploit the ProxyChains utility to hide their true source IP address, evade detection, and
+perform malicious activities through a chain of proxy servers, potentially masking their identity and intentions.
+"""
+from = "now-119m"
+interval = "60m"
+index = ["logs-endpoint.events.*"]
+language = "eql"
+license = "Elastic License v2"
+name = "ProxyChains Activity"
+references = ["https://blog.bitsadmin.com/living-off-the-foreign-land-windows-as-offensive-platform"]
+risk_score = 21
+rule_id = "4b868f1f-15ff-4ba3-8c11-d5a7a6356d37"
+severity = "low"
+tags = ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Command and Control", "Data Source: Elastic Defend", "Rule Type: BBR"]
+timestamp_override = "event.ingested"
+type = "eql"
+query = '''
+process where host.os.type == "linux" and event.action == "exec" and event.type == "start" and process.name == "proxychains"
+'''
+
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+
+[[rule.threat.technique]]
+id = "T1572"
+name = "Protocol Tunneling"
+reference = "https://attack.mitre.org/techniques/T1572/"
+
+[rule.threat.tactic]
+id = "TA0011"
+name = "Command and Control"
+reference = "https://attack.mitre.org/tactics/TA0011/"
diff --git a/rules_building_block/command_and_control_linux_ssh_x11_forwarding.toml b/rules_building_block/command_and_control_linux_ssh_x11_forwarding.toml
new file mode 100644
index 000000000..aa4a1f002
--- /dev/null
+++ b/rules_building_block/command_and_control_linux_ssh_x11_forwarding.toml
@@ -0,0 +1,48 @@
+[metadata]
+creation_date = "2023/08/23"
+integration = ["endpoint"]
+maturity = "production"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2023/08/23"
+
+[rule]
+author = ["Elastic"]
+building_block_type = "default"
+description = """
+This rule monitors for X11 forwarding via SSH. X11 forwarding is a feature that allows users to run graphical
+applications on a remote server and display the application's graphical user interface on their local machine. Attackers
+can abuse X11 forwarding for tunneling their GUI-based tools, pivot through compromised systems, and create covert
+communication channels, enabling lateral movement and facilitating remote control of systems within a network.
+"""
+from = "now-119m"
+interval = "60m"
+index = ["logs-endpoint.events.*"]
+language = "eql"
+license = "Elastic License v2"
+name = "Potential Linux SSH X11 Forwarding"
+references = ["https://book.hacktricks.xyz/generic-methodologies-and-resources/tunneling-and-port-forwarding"]
+risk_score = 21
+rule_id = "29f0cf93-d17c-4b12-b4f3-a433800539fa"
+severity = "low"
+tags = ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Command and Control", "Data Source: Elastic Defend", "Rule Type: BBR"]
+timestamp_override = "event.ingested"
+type = "eql"
+query = '''
+process where host.os.type == "linux" and event.action == "exec" and event.type == "start" and
+process.name in ("ssh", "sshd") and process.args in ("-X", "-Y") and process.args_count >= 3 and
+process.parent.name in ("bash", "dash", "ash", "sh", "tcsh", "csh", "zsh", "ksh", "fish")
+'''
+
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+
+[[rule.threat.technique]]
+id = "T1572"
+name = "Protocol Tunneling"
+reference = "https://attack.mitre.org/techniques/T1572/"
+
+[rule.threat.tactic]
+id = "TA0011"
+name = "Command and Control"
+reference = "https://attack.mitre.org/tactics/TA0011/"
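Review bot: `process.name in ("ssh", "sshd")` pairs the server daemon with `-X`/`-Y`, which are client-side options only; sshd does not accept them, so the `sshd` alternative can never satisfy the `process.args` clause and is dead matching in this query. Either reduce it to `process.name == "ssh"` or, if `sshd` is kept on purpose for some invocation not shown here, add a `//` comment inside the query saying which one, as the tunneling rule in this patch does for its branches. The description's "monitors for X11 forwarding via SSH" would also be more accurate as "monitors for an SSH client started with the -X or -Y switch", since that is the only signal the query keys on.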