security-tools/sigma-rules
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

[Rule Tuning] Interactive Terminal Spawned via Python - Python3 and bypasses fix (#1649)

Browse Source 
* Update execution_python_tty_shell.toml

* Update EQL query to sequence

* Remove auditbeat index

* Update rules/linux/execution_python_tty_shell.toml

Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>

Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>
This commit is contained in:
Jonhnathan
2022-01-20 08:50:30 -03:00
committed by GitHub
parent 96ada9e223
commit 625d1df2bf
1 changed files with 25 additions and 8 deletions
Download Patch File Download Diff File Expand all files Collapse all files
rules/linux/execution_python_tty_shell.toml
+25 -8
View File
@@ -1,7 +1,7 @@
[metadata]
creation_date = "2020/04/15"
maturity = "production"
updated_date = "2021/03/03"
updated_date = "2021/12/06"
[rule]
author = ["Elastic"]
@@ -10,8 +10,8 @@ Identifies when a terminal (tty) is spawned via Python. Attackers may upgrade a
interactive tty after obtaining initial access to a host.
"""
from = "now-9m"
index = ["auditbeat-*", "logs-endpoint.events.*"]
language = "kuery"
index = ["logs-endpoint.events.*"]
language = "eql"
license = "Elastic License v2"
name = "Interactive Terminal Spawned via Python"
risk_score = 73
@@ -19,23 +19,40 @@ rule_id = "d76b02ef-fc95-4001-9297-01cb7412232f"
severity = "high"
tags = ["Elastic", "Host", "Linux", "Threat Detection", "Execution"]
timestamp_override = "event.ingested"
type = "query"
type = "eql"
query = '''
event.category:process and event.type:(start or process_started) and process.name:python and
process.args:("import pty; pty.spawn(\"/bin/sh\")" or
"import pty; pty.spawn(\"/bin/dash\")" or
"import pty; pty.spawn(\"/bin/bash\")")
sequence with maxspan=20s
[process where event.type in ("start", "process_started") and process.name : "python*"] by process.entity_id
[process where event.type in ("start", "process_started") and
process.executable : (
"/bin/bash",
"/bin/sh",
"/bin/dash",
"/bin/csh",
"/bin/zsh",
"/bin/ksh",
"/bin/tcsh",
"/bin/fish",
"/bin/ash",
"/bin/bsh"
)
] by process.parent.entity_id
'''
[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1059"
name = "Command and Scripting Interpreter"
reference = "https://attack.mitre.org/techniques/T1059/"
[[rule.threat.technique.subtechnique]]
id = "T1059.006"
name = "Python"
reference = "https://attack.mitre.org/techniques/T1059/006/"
[rule.threat.tactic]
id = "TA0002"