Back-porting Version Trimming (#3704)
This commit is contained in:
shashank-elastic
@@ -2,9 +2,7 @@
|
||||
creation_date = "2023/08/23"
|
||||
integration = ["endpoint"]
|
||||
maturity = "production"
|
||||
min_stack_comments = "New fields added: required_fields, related_integrations, setup"
|
||||
min_stack_version = "8.3.0"
|
||||
updated_date = "2024/03/08"
|
||||
updated_date = "2024/05/21"
|
||||
|
||||
[transform]
|
||||
[[transform.osquery]]
|
||||
@@ -31,14 +29,15 @@ query = "SELECT pid, username, name FROM processes p JOIN users u ON u.uid = p.u
|
||||
label = "Osquery - Retrieve Process Info"
|
||||
query = "SELECT name, cmdline, parent, path, uid FROM processes"
|
||||
|
||||
|
||||
[rule]
|
||||
author = ["Elastic"]
|
||||
description = """
|
||||
This rule monitors for common command line flags leveraged by the Chisel server utility followed by a received connection
|
||||
within a timespan of 1 minute. Chisel is a command-line utility used for creating and managing TCP and UDP tunnels,
|
||||
enabling port forwarding and secure communication between machines. Attackers can abuse the Chisel utility to establish
|
||||
covert communication channels, bypass network restrictions, and carry out malicious activities by creating tunnels that
|
||||
allow unauthorized access to internal systems.
|
||||
This rule monitors for common command line flags leveraged by the Chisel server utility followed by a received
|
||||
connection within a timespan of 1 minute. Chisel is a command-line utility used for creating and managing TCP and UDP
|
||||
tunnels, enabling port forwarding and secure communication between machines. Attackers can abuse the Chisel utility to
|
||||
establish covert communication channels, bypass network restrictions, and carry out malicious activities by creating
|
||||
tunnels that allow unauthorized access to internal systems.
|
||||
"""
|
||||
from = "now-9m"
|
||||
index = ["logs-endpoint.events.*"]
|
||||
@@ -108,8 +107,8 @@ This rule looks for a sequence of command line arguments that are consistent wit
|
||||
"""
|
||||
references = [
|
||||
"https://blog.bitsadmin.com/living-off-the-foreign-land-windows-as-offensive-platform",
|
||||
"https://book.hacktricks.xyz/generic-methodologies-and-resources/tunneling-and-port-forwarding"
|
||||
]
|
||||
"https://book.hacktricks.xyz/generic-methodologies-and-resources/tunneling-and-port-forwarding",
|
||||
]
|
||||
risk_score = 47
|
||||
rule_id = "ac8805f6-1e08-406c-962e-3937057fa86f"
|
||||
setup = """## Setup
|
||||
@@ -139,13 +138,14 @@ For more details on Elastic Defend refer to the [helper guide](https://www.elast
|
||||
"""
|
||||
severity = "medium"
|
||||
tags = [
|
||||
"Domain: Endpoint",
|
||||
"OS: Linux",
|
||||
"Use Case: Threat Detection",
|
||||
"Tactic: Command and Control",
|
||||
"Data Source: Elastic Defend"
|
||||
]
|
||||
"Domain: Endpoint",
|
||||
"OS: Linux",
|
||||
"Use Case: Threat Detection",
|
||||
"Tactic: Command and Control",
|
||||
"Data Source: Elastic Defend",
|
||||
]
|
||||
type = "eql"
|
||||
|
||||
query = '''
|
||||
sequence by host.id, process.entity_id with maxspan=1m
|
||||
[process where host.os.type == "linux" and event.type == "start" and event.action == "exec" and
|
||||
@@ -158,15 +158,17 @@ sequence by host.id, process.entity_id with maxspan=1m
|
||||
"ftp", "socat", "curl", "wget", "dpkg", "docker", "dockerd", "yum", "apt", "rpm", "dnf", "ssh", "sshd", "hugo")]
|
||||
'''
|
||||
|
||||
|
||||
[[rule.threat]]
|
||||
framework = "MITRE ATT&CK"
|
||||
|
||||
[[rule.threat.technique]]
|
||||
id = "T1572"
|
||||
name = "Protocol Tunneling"
|
||||
reference = "https://attack.mitre.org/techniques/T1572/"
|
||||
|
||||
|
||||
[rule.threat.tactic]
|
||||
id = "TA0011"
|
||||
name = "Command and Control"
|
||||
reference = "https://attack.mitre.org/tactics/TA0011/"
|
||||
|
||||
|
||||
Reference in New Issue
Block a user