From 4c996490ecb7557bc8f9c8dc5f1ca71922171e36 Mon Sep 17 00:00:00 2001 From: Isai <59296946+imays11@users.noreply.github.com> Date: Tue, 16 May 2023 15:08:20 -0400 Subject: [PATCH] [New Rule] Netcat Listener Established Inside A Container (#2756) * [New Rule] Netcat Listener Established Inside A Container new rule toml * remove references Co-authored-by: shashank-elastic <91139415+shashank-elastic@users.noreply.github.com> * remove false_positives Co-authored-by: shashank-elastic <91139415+shashank-elastic@users.noreply.github.com> * adjust from field from s to m for readability Co-authored-by: shashank-elastic <91139415+shashank-elastic@users.noreply.github.com> * Apply suggestions from code review Co-authored-by: Mika Ayenson * Update execution_netcat_listener_established_inside_a_container.toml updated query, updated risk score, expanded explanation for 2nd part of the query where process args is used to search for target executables * optimized query optimized query to deduplicate fields based on review feedback * Update execution_netcat_listener_established_inside_a_container.toml updated query comment * Update execution_netcat_listener_established_inside_a_container.toml added false positive section * Update execution_netcat_listener_established_inside_a_container.toml adjusted tags * removed the != end query parameter removed the exclusion of end events for this to account for short-lived netcat listener processes --------- Co-authored-by: shashank-elastic <91139415+shashank-elastic@users.noreply.github.com> Co-authored-by: Mika Ayenson --- ...stener_established_inside_a_container.toml | 59 +++++++++++++++++++ 1 file changed, 59 insertions(+) create mode 100644 rules/integrations/cloud_defend/execution_netcat_listener_established_inside_a_container.toml 
diff --git a/rules/integrations/cloud_defend/execution_netcat_listener_established_inside_a_container.toml b/rules/integrations/cloud_defend/execution_netcat_listener_established_inside_a_container.toml
new file mode 100644
index 000000000..822a6c360
--- /dev/null
+++ b/rules/integrations/cloud_defend/execution_netcat_listener_established_inside_a_container.toml
@@ -0,0 +1,59 @@
+[metadata]
+creation_date = "2023/04/26"
+integration = ["cloud_defend"]
+maturity = "production"
+min_stack_comments = "New Integration: Cloud Defend"
+min_stack_version = "8.8.0"
+updated_date = "2023/05/16"
+
+[rule]
+author = ["Elastic"]
+description = "This rule detects an established netcat listener running inside a container. Netcat is a utility used for reading and writing data across network connections, and it can be used for malicious purposes such as establishing a backdoor for persistence or exfiltrating data."
+false_positives = ["""
+ There is a potential for false positives if the container is used for legitimate tasks that require the use of netcat, such as network troubleshooting, testing or system monitoring. It is important to investigate any alerts generated by this rule to determine if they are indicative of malicious activity or part of legitimate container activity.
+ """]
+from = "now-6m"
+index = ["logs-cloud_defend*"]
+interval = "5m"
+language = "eql"
+license = "Elastic License v2"
+name = "Netcat Listener Established Inside A Container"
+risk_score = 73
+rule_id = "a52a9439-d52c-401c-be37-2785235c6547"
+severity = "high"
+tags = ["Elastic", "Host", "Linux", "Threat Detection", "Execution", "Container"]
+timestamp_override = "event.ingested"
+type = "eql"
+
+query = """
+process where container.id: "*" and event.type== "start"
+and event.action in ("fork", "exec") and
+(
+process.name:("nc","ncat","netcat","netcat.openbsd","netcat.traditional") or
+/*account for tools that execute utilities as a subprocess, in this case the target utility name will appear as a process arg*/
+process.args: ("nc","ncat","netcat","netcat.openbsd","netcat.traditional")
+) and (
+ /* bind shell to echo for command execution */
+ (process.args:("-*l*", "--listen", "-*p*", "--source-port") and process.args:("-c", "--sh-exec", "-e", "--exec", "echo","$*"))
+ /* bind shell to specific port */
+ or process.args:("-*l*", "--listen", "-*p*", "--source-port")
+ )
+"""
+
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+
+ [rule.threat.tactic]
+ id = "TA0002"
+ reference = "https://attack.mitre.org/tactics/TA0002/"
+ name = "Execution"
+
+ [[rule.threat.technique]]
+ id = "T1059"
+ reference = "https://attack.mitre.org/techniques/T1059/"
+ name = "Command and Scripting Interpreter"
+
+ [[rule.threat.technique.subtechnique]]
+ id = "T1059.004"
+ reference = "https://attack.mitre.org/techniques/T1059/004/"
+ name = "Unix Shell"
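Review bot: The final `and ( ... )` group of the query is logically equivalent to its second alternative alone, because `(listen-flags and exec-flags) or listen-flags` collapses to `listen-flags`; the branch under `/* bind shell to echo for command execution */` never changes which events match, and its comment implies a distinction the rule does not actually make. Either reduce the group to `process.args:("-*l*", "--listen", "-*p*", "--source-port")` preceded by a comment such as `/* listener flags; an exec/echo variant is a strict subset of this match */`, or keep both branches and say in the comment that the first is retained only as documentation of the higher-confidence pattern. Separately, the `process.args` alternative for the netcat names combined with the `-*l*`/`-*p*` wildcards appears to match any container process whose argv contains a netcat name plus a dash-argument containing an `l` or a `p` (if I read the EQL wildcard semantics correctly, `--help` satisfies both), which at `risk_score = 73` / `severity = "high"` may be noisier than the false_positives text anticipates; a `process.name` or `process.parent.name` constraint on that branch, or a sentence about it in `false_positives`, would help triage. The hunk is the complete new file, so no enclosing context is missing.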