diff --git a/rules/linux/initial_access_telnet_auth_bypass_envar_auditd.toml b/rules/linux/initial_access_telnet_auth_bypass_envar_auditd.toml
index 44cb5ba44..3ebcdec8c 100644
--- a/rules/linux/initial_access_telnet_auth_bypass_envar_auditd.toml
+++ b/rules/linux/initial_access_telnet_auth_bypass_envar_auditd.toml
@@ -2,7 +2,7 @@
 creation_date = "2026/01/26"
 integration = ["auditd_manager"]
 maturity = "production"
-updated_date = "2026/01/26"
+updated_date = "2026/02/24"
 
 [rule]
 author = ["Elastic"]
@@ -86,7 +86,7 @@ type = "eql"
 query = '''
 sequence by host.id with maxspan=1s
-  [process where host.os.type == "linux" and event.type == "start" and event.action in ("process_started", "executed") and process.name == "telnetd"] by process.pid
+  [process where host.os.type == "linux" and event.type == "start" and event.action in ("process_started", "executed") and process.name in ("telnetd", "xinetd")] by process.pid
   [process where host.os.type == "linux" and event.type == "start" and event.action in ("process_started", "executed") and process.name == "login" and process.args : "-*f*"] by process.parent.pid
 '''
diff --git a/rules/linux/initial_access_telnet_auth_bypass_via_user_envar.toml b/rules/linux/initial_access_telnet_auth_bypass_via_user_envar.toml
index 77b7e75ee..159ac1545 100644
--- a/rules/linux/initial_access_telnet_auth_bypass_via_user_envar.toml
+++ b/rules/linux/initial_access_telnet_auth_bypass_via_user_envar.toml
@@ -2,7 +2,7 @@
 creation_date = "2026/01/24"
 integration = ["endpoint", "crowdstrike", "sentinel_one_cloud_funnel"]
 maturity = "production"
-updated_date = "2026/01/24"
+updated_date = "2026/02/24"
 
 [rule]
 author = ["Elastic"]
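Review bot: The widened first-stage list covers `telnetd` and `xinetd` but not the `in.telnetd` basename that netkit-derived packages commonly install the daemon under, so a session brokered by that binary is only caught if a separate `xinetd` start event for the same pid happens to be recorded; if that deployment is what motivated adding `xinetd`, `process.name in ("telnetd", "in.telnetd", "xinetd")` states the intent directly and does not depend on how the daemon was launched. The same gap applies to `process.parent.name` in the query hunk of initial_access_telnet_auth_bypass_via_user_envar.toml, which should receive the same addition. Accepting `xinetd` in stage one also widens the sequence to any xinetd-spawned service that execs `login -f` within the 1s maxspan, which may be intended, but the rule's description and false_positives fields, which lie outside the hunk, do not say why xinetd is listed and should. The rest of the rule body is outside the hunk.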
@@ -95,7 +95,7 @@ type = "eql"
 query = '''
 process where host.os.type == "linux" and event.type == "start" and event.action in ("exec", "exec_event", "start", "ProcessRollup2", "executed") and
-  process.name == "login" and process.parent.name == "telnetd" and process.args : "-*f*"
+  process.name == "login" and process.parent.name in ("telnetd", "xinetd") and process.args : "-*f*"
 '''