[New Rules] Linux Reverse Shells (#2905)

* [New Rules] Linux Reverse Shells * [New Rules] Linux Reverse Shells * Update rules/linux/execution_shell_via_udp_cli_utility_linux.toml Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com> * Update rules/linux/execution_shell_via_java_revshell_linux.toml Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com> * Update rules/linux/execution_shell_via_java_revshell_linux.toml Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com> * Update rules/linux/execution_shell_via_java_revshell_linux.toml Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com> * Update rules/linux/execution_shell_suspicious_parent_child_revshell_linux.toml Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com> * Update rules/linux/execution_shell_via_udp_cli_utility_linux.toml Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com> * Update rules/linux/execution_shell_via_udp_cli_utility_linux.toml Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com> * Update rules/linux/execution_shell_via_reverse_tcp_utility_linux.toml Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com> * Update rules/linux/execution_shell_via_reverse_tcp_utility_linux.toml Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com> * Update rules/linux/execution_shell_suspicious_parent_child_revshell_linux.toml Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com> * Update rules/linux/execution_shell_suspicious_parent_child_revshell_linux.toml Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com> * Delete UDP rule to add in separate PR * Update rules/linux/execution_shell_via_lolbin_interpreter_linux.toml Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com> * Update rules/linux/execution_shell_via_tcp_cli_utility_linux.toml Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com> * Update rules/linux/execution_shell_via_reverse_tcp_utility_linux.toml Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com> * Update rules/linux/execution_shell_via_tcp_cli_utility_linux.toml Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com> * Update rules/linux/execution_shell_via_tcp_cli_utility_linux.toml Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com> * Deleted one rule and tuned the others * Improved the rules' performance * Added the reverse_tcp rule back after tuning * Update execution_shell_via_lolbin_interpreter_linux.toml --------- Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com>
2023-07-06 15:27:57 +02:00
parent 9e5f69dc5b
commit 646c316b66
6 changed files with 373 additions and 3 deletions
@@ -1,10 +1,11 @@
 [metadata]
 creation_date = "2022/11/14"
+deprecation_date = "2023/07/04"
 integration = ["endpoint"]
-maturity = "production"
+maturity = "deprecated"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2023/06/22"
+updated_date = "2023/07/04"

 [rule]
 author = ["Elastic"]
@@ -34,7 +35,13 @@ references = [
 risk_score = 47
 rule_id = "dd7f1524-643e-11ed-9e35-f661ea17fbcd"
 severity = "medium"
-tags = ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Execution", "Data Source: Elastic Endgame"]
+tags = [
+    "Domain: Endpoint",
+    "OS: Linux",
+    "Use Case: Threat Detection",
+    "Tactic: Execution",
+    "Data Source: Elastic Endgame",
+]
 type = "eql"

 query = '''
@@ -0,0 +1,75 @@
+[metadata]
+creation_date = "2023/07/04"
+integration = ["endpoint"]
+maturity = "production"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2023/07/04"
+
+[rule]
+author = ["Elastic"]
+description = """
+This detection rule detects the creation of a shell through a suspicious parent child relationship. Any reverse shells
+spawned by the specified utilities that use a forked process to initialize the connection attempt will be captured 
+through this rule. Attackers may spawn reverse shells to establish persistence onto a target system. 
+"""
+from = "now-9m"
+index = ["logs-endpoint.events.*"]
+language = "eql"
+license = "Elastic License v2"
+name = "Potential Reverse Shell via Suspicious Parent Process"
+references = [
+    "https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/Methodology%20and%20Resources/Reverse%20Shell%20Cheatsheet.md"
+]
+risk_score = 47
+rule_id = "4b1a807a-4e7b-414e-8cea-24bf580f6fc5"
+severity = "medium"
+tags = ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Execution"]
+type = "eql"
+query = '''
+sequence by host.id, process.parent.entity_id with maxspan=1s
+[ process where host.os.type == "linux" and event.type == "start" and event.action == "fork" and (
+  (process.name : "python*" and process.args : "-c") or
+  (process.name : "php*" and process.args : "-r") or
+  (process.name : "perl" and process.args : "-e") or
+  (process.name : "ruby" and process.args : ("-e", "-rsocket")) or
+  (process.name : "lua*" and process.args : "-e") or
+  (process.name : "openssl" and process.args : "-connect") or
+  (process.name : ("nc", "ncat", "netcat") and process.args_count >= 3) or
+  (process.name : "telnet" and process.args_count >= 3) or
+  (process.name : "awk")) and 
+  process.parent.name : ("python*", "php*", "perl", "ruby", "lua*", "openssl", "nc", "netcat", "ncat", "telnet", "awk") ]
+[ network where host.os.type == "linux" and event.type == "start" and event.action == "connection_attempted" and 
+  process.name : ("python*", "php*", "perl", "ruby", "lua*", "openssl", "nc", "netcat", "ncat", "telnet", "awk") ]
+'''
+
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+
+[rule.threat.tactic]
+name = "Execution"
+id = "TA0002"
+reference = "https://attack.mitre.org/tactics/TA0002/"
+
+[[rule.threat.technique]]
+id = "T1059"
+name = "Command and Scripting Interpreter"
+reference = "https://attack.mitre.org/techniques/T1059/"
+
+[[rule.threat.technique.subtechnique]]
+id = "T1059.004"
+name = "Unix Shell"
+reference = "https://attack.mitre.org/techniques/T1059/004/"
+
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+
+[rule.threat.tactic]
+name = "Command and Control"
+id = "TA0011"
+reference = "https://attack.mitre.org/tactics/TA0011/"
+
+[[rule.threat.technique]]
+name = "Application Layer Protocol"
+id = "T1071"
+reference = "https://attack.mitre.org/techniques/T1071/"
@@ -0,0 +1,66 @@
+[metadata]
+creation_date = "2023/07/04"
+integration = ["endpoint"]
+maturity = "production"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2023/07/04"
+
+[rule]
+author = ["Elastic"]
+description = """
+This detection rule identifies the execution of a Linux shell process from a Java JAR application post an incoming
+network connection. This behavior may indicate reverse shell activity via a Java application.
+"""
+from = "now-9m"
+index = ["logs-endpoint.events.*"]
+language = "eql"
+license = "Elastic License v2"
+name = "Potential Reverse Shell via Java"
+references = [
+    "https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/Methodology%20and%20Resources/Reverse%20Shell%20Cheatsheet.md"
+]
+risk_score = 47
+rule_id = "5a3d5447-31c9-409a-aed1-72f9921594fd"
+severity = "medium"
+tags = ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Execution"]
+type = "eql"
+query = '''
+sequence by host.id with maxspan=5s
+[ network where host.os.type == "linux" and event.action in ("connection_accepted", "connection_attempted") and 
+  process.executable : ("/usr/bin/java", "/bin/java", "/usr/lib/jvm/*", "/usr/java/*") ] by process.entity_id
+[ process where host.os.type == "linux" and event.action == "exec" and 
+  process.parent.executable : ("/usr/bin/java", "/bin/java", "/usr/lib/jvm/*", "/usr/java/*") and
+  process.parent.args : "-jar"  and process.executable : "*sh" ] by process.parent.entity_id
+'''
+
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+
+[rule.threat.tactic]
+name = "Execution"
+id = "TA0002"
+reference = "https://attack.mitre.org/tactics/TA0002/"
+
+[[rule.threat.technique]]
+id = "T1059"
+name = "Command and Scripting Interpreter"
+reference = "https://attack.mitre.org/techniques/T1059/"
+
+[[rule.threat.technique.subtechnique]]
+id = "T1059.004"
+name = "Unix Shell"
+reference = "https://attack.mitre.org/techniques/T1059/004/"
+
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+
+[rule.threat.tactic]
+name = "Command and Control"
+id = "TA0011"
+reference = "https://attack.mitre.org/tactics/TA0011/"
+
+[[rule.threat.technique]]
+name = "Application Layer Protocol"
+id = "T1071"
+reference = "https://attack.mitre.org/techniques/T1071/"
@@ -0,0 +1,75 @@
+[metadata]
+creation_date = "2023/07/04"
+integration = ["endpoint"]
+maturity = "production"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2023/07/04"
+
+[rule]
+author = ["Elastic"]
+description = """
+This detection rule detects the creation of a shell through a suspicious process chain. Any reverse shells spawned by 
+the specified utilities that are initialized from a single process followed by a network connection attempt will be 
+captured through this rule. Attackers may spawn reverse shells to establish persistence onto a target system.
+"""
+from = "now-9m"
+index = ["logs-endpoint.events.*"]
+language = "eql"
+license = "Elastic License v2"
+name = "Potential Reverse Shell via Suspicious Child Process"
+references = [
+    "https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/Methodology%20and%20Resources/Reverse%20Shell%20Cheatsheet.md"
+]
+risk_score = 47
+rule_id = "76e4d92b-61c1-4a95-ab61-5fd94179a1ee"
+severity = "medium"
+tags = ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Execution"]
+type = "eql"
+query = '''
+sequence by host.id, process.entity_id with maxspan=1s
+[ process where host.os.type == "linux" and event.type == "start" and event.action == "exec" and (
+  (process.name : "python*" and process.args : "-c") or
+  (process.name : "php*" and process.args : "-r") or
+  (process.name : "perl" and process.args : "-e") or
+  (process.name : "ruby" and process.args : ("-e", "-rsocket")) or
+  (process.name : "lua*" and process.args : "-e") or
+  (process.name : "openssl" and process.args : "-connect") or
+  (process.name : ("nc", "ncat", "netcat") and process.args_count >= 3) or
+  (process.name : "telnet" and process.args_count >= 3) or
+  (process.name : "awk")) and 
+  process.parent.name : ("bash", "dash", "sh", "tcsh", "csh", "zsh", "ksh", "fish") ]
+[ network where host.os.type == "linux" and event.type == "start" and event.action == "connection_attempted" and 
+  process.name : ("python*", "php*", "perl", "ruby", "lua*", "openssl", "nc", "netcat", "ncat", "telnet", "awk") ]
+'''
+
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+
+[rule.threat.tactic]
+name = "Execution"
+id = "TA0002"
+reference = "https://attack.mitre.org/tactics/TA0002/"
+
+[[rule.threat.technique]]
+id = "T1059"
+name = "Command and Scripting Interpreter"
+reference = "https://attack.mitre.org/techniques/T1059/"
+
+[[rule.threat.technique.subtechnique]]
+id = "T1059.004"
+name = "Unix Shell"
+reference = "https://attack.mitre.org/techniques/T1059/004/"
+
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+
+[rule.threat.tactic]
+name = "Command and Control"
+id = "TA0011"
+reference = "https://attack.mitre.org/tactics/TA0011/"
+
+[[rule.threat.technique]]
+name = "Application Layer Protocol"
+id = "T1071"
+reference = "https://attack.mitre.org/techniques/T1071/"
@@ -0,0 +1,80 @@
+[metadata]
+creation_date = "2023/07/05"
+integration = ["endpoint"]
+maturity = "production"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2023/07/05"
+
+[rule]
+author = ["Elastic"]
+description = """
+This detection rule detects the creation of a shell through a chain consisting of the execution of a suspicious binary
+(located in a commonly abused location or executed manually) followed by a network event and ending with a shell being
+spawned. Stageless reverse tcp shells display this behaviour. Attackers may spawn reverse shells to establish 
+persistence onto a target system.
+"""
+from = "now-9m"
+index = ["logs-endpoint.events.*"]
+language = "eql"
+license = "Elastic License v2"
+name = "Potential Reverse Shell via Suspicious Binary"
+references = [
+    "https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/Methodology%20and%20Resources/Reverse%20Shell%20Cheatsheet.md"
+]
+risk_score = 47
+rule_id = "fa3a59dc-33c3-43bf-80a9-e8437a922c7f"
+severity = "medium"
+tags = ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Execution"]
+type = "eql"
+query = '''
+sequence by host.id, process.entity_id with maxspan=1s
+[ process where host.os.type == "linux" and event.type == "start" and event.action == "exec" and
+  process.executable : (
+  "./*", "/tmp/*", "/var/tmp/*", "/var/www/*", "/dev/shm/*", "/etc/init.d/*", "/etc/rc*.d/*",
+  "/etc/crontab", "/etc/cron.*", "/etc/update-motd.d/*", "/usr/lib/update-notifier/*",
+  "/boot/*", "/srv/*", "/run/*", "/root/*", "/etc/rc.local"
+   ) and
+  process.parent.name : ("bash", "dash", "sh", "tcsh", "csh", "zsh", "ksh", "fish") and not
+  process.name : ("curl", "wget", "ping", "apt", "dpkg", "yum", "rpm", "dnf", "dockerd") ]
+[ network where host.os.type == "linux" and event.type == "start" and event.action == "connection_attempted" and
+  process.executable : (
+  "./*", "/tmp/*", "/var/tmp/*", "/var/www/*", "/dev/shm/*", "/etc/init.d/*", "/etc/rc*.d/*",
+  "/etc/crontab", "/etc/cron.*", "/etc/update-motd.d/*", "/usr/lib/update-notifier/*",
+  "/boot/*", "/srv/*", "/run/*", "/root/*", "/etc/rc.local"
+   ) ]
+[ process where host.os.type == "linux" and event.action == "exec" and event.type == "start" and 
+  process.name : ("bash", "dash", "sh", "tcsh", "csh", "zsh", "ksh", "fish") and 
+  process.parent.name : ("bash", "dash", "sh", "tcsh", "csh", "zsh", "ksh", "fish") ]
+'''
+
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+
+[rule.threat.tactic]
+name = "Execution"
+id = "TA0002"
+reference = "https://attack.mitre.org/tactics/TA0002/"
+
+[[rule.threat.technique]]
+id = "T1059"
+name = "Command and Scripting Interpreter"
+reference = "https://attack.mitre.org/techniques/T1059/"
+
+[[rule.threat.technique.subtechnique]]
+id = "T1059.004"
+name = "Unix Shell"
+reference = "https://attack.mitre.org/techniques/T1059/004/"
+
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+
+[rule.threat.tactic]
+name = "Command and Control"
+id = "TA0011"
+reference = "https://attack.mitre.org/tactics/TA0011/"
+
+[[rule.threat.technique]]
+name = "Application Layer Protocol"
+id = "T1071"
+reference = "https://attack.mitre.org/techniques/T1071/"
@@ -0,0 +1,67 @@
+[metadata]
+creation_date = "2023/07/04"
+integration = ["endpoint"]
+maturity = "production"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2023/07/04"
+
+[rule]
+author = ["Elastic"]
+description = """
+This detection rule identifies suspicious network traffic patterns associated with TCP reverse shell activity. This
+activity consists of a parent-child relationship where a network event is followed by the creation of a shell process.
+An attacker may establish a Linux TCP reverse shell to gain remote access to a target system.
+"""
+from = "now-9m"
+index = ["logs-endpoint.events.*"]
+language = "eql"
+license = "Elastic License v2"
+name = "Potential Reverse Shell"
+references = [
+    "https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/Methodology%20and%20Resources/Reverse%20Shell%20Cheatsheet.md"
+]
+risk_score = 47
+rule_id = "48b3d2e3-f4e8-41e6-95e6-9b2091228db3"
+severity = "medium"
+tags = ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Execution"]
+type = "eql"
+query = '''
+sequence by host.id with maxspan=1s
+[ network where host.os.type == "linux" and event.type == "start" and event.action == "connection_attempted" and 
+  process.name : ("bash", "dash", "sh", "tcsh", "csh", "zsh", "ksh", "fish", "socat") ] by process.entity_id
+[ process where host.os.type == "linux" and event.type == "start" and event.action : ("exec", "fork") and 
+  process.name : ("bash", "dash", "sh", "tcsh", "csh", "zsh", "ksh", "fish") and 
+  process.parent.name : ("bash", "dash", "sh", "tcsh", "csh", "zsh", "ksh", "fish", "socat") ] by process.parent.entity_id
+'''
+
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+
+[rule.threat.tactic]
+name = "Execution"
+id = "TA0002"
+reference = "https://attack.mitre.org/tactics/TA0002/"
+
+[[rule.threat.technique]]
+id = "T1059"
+name = "Command and Scripting Interpreter"
+reference = "https://attack.mitre.org/techniques/T1059/"
+
+[[rule.threat.technique.subtechnique]]
+id = "T1059.004"
+name = "Unix Shell"
+reference = "https://attack.mitre.org/techniques/T1059/004/"
+
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+
+[rule.threat.tactic]
+name = "Command and Control"
+id = "TA0011"
+reference = "https://attack.mitre.org/tactics/TA0011/"
+
+[[rule.threat.technique]]
+name = "Application Layer Protocol"
+id = "T1071"
+reference = "https://attack.mitre.org/techniques/T1071/"