[New Rule] Unusual Web Server Command Execution (#5392)
* [New Rule] Unusual Web Server Command Execution * ++ * Add node and java to unusual command execution rule
This commit is contained in:
Ruben Groenewoud
@@ -0,0 +1,123 @@
|
||||
[metadata]
|
||||
creation_date = "2025/12/02"
|
||||
integration = ["endpoint"]
|
||||
maturity = "production"
|
||||
updated_date = "2025/12/02"
|
||||
|
||||
[rule]
|
||||
author = ["Elastic"]
|
||||
description = """
|
||||
This rule leverages the "new_terms" rule type to detect unusual command executions originating from web server processes on Linux systems.
|
||||
Attackers may exploit web servers to maintain persistence on a compromised system, often resulting in atypical command executions. As
|
||||
command execution from web server parent processes is common, the "new_terms" rule type approach helps to identify deviations from normal
|
||||
behavior.
|
||||
"""
|
||||
from = "now-9m"
|
||||
index = ["logs-endpoint.events.process*"]
|
||||
language = "kuery"
|
||||
license = "Elastic License v2"
|
||||
name = "Unusual Web Server Command Execution"
|
||||
risk_score = 47
|
||||
rule_id = "65f28c4d-cfc8-4847-9cca-f2fb1e319151"
|
||||
severity = "medium"
|
||||
tags = [
|
||||
"Domain: Endpoint",
|
||||
"Domain: Web",
|
||||
"OS: Linux",
|
||||
"Use Case: Threat Detection",
|
||||
"Tactic: Persistence",
|
||||
"Data Source: Elastic Defend",
|
||||
]
|
||||
timestamp_override = "event.ingested"
|
||||
type = "new_terms"
|
||||
query = '''
|
||||
event.category:process and host.os.type:linux and event.type:start and event.action:exec and (
|
||||
process.parent.name:(
|
||||
"apache" or "nginx" or "apache2" or "httpd" or "lighttpd" or "caddy" or "mongrel_rails" or "haproxy" or
|
||||
"gunicorn" or "uwsgi" or "openresty" or "cherokee" or "h2o" or "resin" or "puma" or "unicorn" or "traefik" or "uvicorn" or
|
||||
"tornado" or "hypercorn" or "daphne" or "twistd" or "yaws" or "webfsd" or "httpd.worker" or "flask" or "rails" or "mongrel" or
|
||||
php* or ruby* or perl* or python* or "node" or "java"
|
||||
) or
|
||||
user.name:("apache" or "www-data" or "httpd" or "nginx" or "lighttpd" or "tomcat" or "tomcat8" or "tomcat9") or
|
||||
user.id:("33" or "498" or "48" or "54321")
|
||||
) and process.working_directory:(
|
||||
/var/www/* or
|
||||
/usr/share/nginx/* or
|
||||
/srv/www/* or
|
||||
/srv/http/* or
|
||||
*/webapps/* or
|
||||
/home/*/public_html/* or
|
||||
/home/*/www/* or
|
||||
/opt/* or
|
||||
/u0*/*
|
||||
) and
|
||||
process.command_line:* and process.name:(bash or dash or sh or tcsh or csh or zsh or ksh or fish) and process.args:"-c" and
|
||||
not (
|
||||
(process.parent.name:java and not process.parent.executable:/u0*/*) or
|
||||
(process.parent.name:python* and process.parent.executable:(/bin/python* or /usr/bin/python* or /usr/local/bin/python* or /tmp/*python* or /opt/oracle.ahf/python/*)) or
|
||||
(process.parent.name:ruby* and process.parent.executable:(/bin/ruby* or /usr/bin/ruby* or /usr/local/bin/ruby* or /tmp/*ruby* or /bin/ruby or /usr/bin/ruby or /usr/local/bin/ruby)) or
|
||||
(process.parent.name:perl* and process.parent.executable:(/bin/perl* or /usr/bin/perl* or /usr/local/bin/perl* or /tmp/*perl* or /bin/perl or /usr/bin/perl or /usr/local/bin/perl)) or
|
||||
(process.parent.name:php* and process.parent.executable:(/bin/php* or /usr/bin/php* or /usr/local/bin/php* or /tmp/*php* or /bin/php or /usr/bin/php or /usr/local/bin/php)) or
|
||||
(process.parent.name:node and process.parent.executable:(/home/*/.vscode-server/* or /users/*/.vscode-server/* or /bin/node or /usr/bin/node or /usr/local/bin/node or /opt/plesk/node/*/bin/node)) or
|
||||
process.working_directory:(/u0*/*/sysman/emd or /u0*/app/oracle/product/*/dbhome_* or /u0*/app/oracle/product/*/db_* or /var/www/*edoc*) or
|
||||
process.parent.executable:/tmp/* or
|
||||
process.args:/usr/local/bin/wkhtmltopdf*
|
||||
)
|
||||
'''
|
||||
|
||||
[[rule.threat]]
|
||||
framework = "MITRE ATT&CK"
|
||||
|
||||
[[rule.threat.technique]]
|
||||
id = "T1505"
|
||||
name = "Server Software Component"
|
||||
reference = "https://attack.mitre.org/techniques/T1505/"
|
||||
|
||||
[[rule.threat.technique.subtechnique]]
|
||||
id = "T1505.003"
|
||||
name = "Web Shell"
|
||||
reference = "https://attack.mitre.org/techniques/T1505/003/"
|
||||
|
||||
[rule.threat.tactic]
|
||||
id = "TA0003"
|
||||
name = "Persistence"
|
||||
reference = "https://attack.mitre.org/tactics/TA0003/"
|
||||
|
||||
[[rule.threat]]
|
||||
framework = "MITRE ATT&CK"
|
||||
|
||||
[[rule.threat.technique]]
|
||||
id = "T1059"
|
||||
name = "Command and Scripting Interpreter"
|
||||
reference = "https://attack.mitre.org/techniques/T1059/"
|
||||
|
||||
[[rule.threat.technique.subtechnique]]
|
||||
id = "T1059.004"
|
||||
name = "Unix Shell"
|
||||
reference = "https://attack.mitre.org/techniques/T1059/004/"
|
||||
|
||||
[rule.threat.tactic]
|
||||
id = "TA0002"
|
||||
name = "Execution"
|
||||
reference = "https://attack.mitre.org/tactics/TA0002/"
|
||||
|
||||
[[rule.threat]]
|
||||
framework = "MITRE ATT&CK"
|
||||
|
||||
[[rule.threat.technique]]
|
||||
id = "T1071"
|
||||
name = "Application Layer Protocol"
|
||||
reference = "https://attack.mitre.org/techniques/T1071/"
|
||||
|
||||
[rule.threat.tactic]
|
||||
id = "TA0011"
|
||||
name = "Command and Control"
|
||||
reference = "https://attack.mitre.org/tactics/TA0011/"
|
||||
|
||||
[rule.new_terms]
|
||||
field = "new_terms_fields"
|
||||
value = ["process.command_line"]
|
||||
|
||||
[[rule.new_terms.history_window_start]]
|
||||
field = "history_window_start"
|
||||
value = "now-14d"
|
||||
Reference in New Issue
Block a user