security-tools/sigma-rules
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

[New Rules] Linux Tunneling and Port Forwarding (#3028)

Browse Source 
* Removed iodine rule due to new tunneling rule

* [New Rules] Linux Tunneling and Port Forwarding

* added ash

* Fixed description styling

* Changed rule name

* Update command_and_control_linux_suspicious_proxychains_activity.toml

* Added deprecation note & name change

* Changed deprecation status

* Removed deprecation date

* Fixed unit testing

* Update rules_building_block/command_and_control_linux_ssh_x11_forwarding.toml

---------

Co-authored-by: Colson Wilhoit <48036388+DefSecSentinel@users.noreply.github.com>
This commit is contained in:
Ruben Groenewoud
2023-08-30 22:12:19 +02:00
committed by GitHub
parent 41a7a36817
commit 32abdb95f7
7 changed files with 322 additions and 7 deletions
Download Patch File Download Diff File Expand all files Collapse all files
rules/linux/command_and_control_linux_chisel_server_activity.toml
+55
View File
@@ -0,0 +1,55 @@
[metadata]
creation_date = "2023/08/23"
integration = ["endpoint"]
maturity = "production"
min_stack_comments = "New fields added: required_fields, related_integrations, setup"
min_stack_version = "8.3.0"
updated_date = "2023/08/23"
[rule]
author = ["Elastic"]
description = """
This rule monitors for common command line flags leveraged by the Chisel server utility followed by a received connection
within a timespan of 1 minute. Chisel is a command-line utility used for creating and managing TCP and UDP tunnels,
enabling port forwarding and secure communication between machines. Attackers can abuse the Chisel utility to establish
covert communication channels, bypass network restrictions, and carry out malicious activities by creating tunnels that
allow unauthorized access to internal systems.
"""
from = "now-9m"
index = ["logs-endpoint.events.*"]
language = "eql"
license = "Elastic License v2"
name = "Potential Protocol Tunneling via Chisel Server"
references = [
"https://blog.bitsadmin.com/living-off-the-foreign-land-windows-as-offensive-platform",
"https://book.hacktricks.xyz/generic-methodologies-and-resources/tunneling-and-port-forwarding"
]
risk_score = 47
rule_id = "ac8805f6-1e08-406c-962e-3937057fa86f"
severity = "medium"
tags = ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Command and Control", "Data Source: Elastic Defend"]
type = "eql"
query = '''
sequence by host.id, process.entity_id with maxspan=1m
[process where host.os.type == "linux" and event.action == "exec" and event.type == "start" and
process.args == "server" and process.args in ("--port", "-p", "--reverse", "--backend", "--socks5") and
process.args_count >= 3 and process.parent.name in ("bash", "dash", "ash", "sh", "tcsh", "csh", "zsh", "ksh", "fish")]
[network where host.os.type == "linux" and event.action == "connection_accepted" and event.type == "start" and
destination.ip != null and destination.ip != "127.0.0.1" and destination.ip != "::1" and
not process.name : (
"python*", "php*", "perl", "ruby", "lua*", "openssl", "nc", "netcat", "ncat", "telnet", "awk", "java", "telnet",
"ftp", "socat", "curl", "wget", "dpkg", "docker", "dockerd", "yum", "apt", "rpm", "dnf", "ssh", "sshd", "hugo")]
'''
[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1572"
name = "Protocol Tunneling"
reference = "https://attack.mitre.org/techniques/T1572/"
[rule.threat.tactic]
id = "TA0011"
name = "Command and Control"
reference = "https://attack.mitre.org/tactics/TA0011/"