From 646c316b66016a97a124dbe932f73676850bc362 Mon Sep 17 00:00:00 2001 From: Ruben Groenewoud <78494512+Aegrah@users.noreply.github.com> Date: Thu, 6 Jul 2023 15:27:57 +0200 Subject: [PATCH] [New Rules] Linux Reverse Shells (#2905) * [New Rules] Linux Reverse Shells * [New Rules] Linux Reverse Shells * Update rules/linux/execution_shell_via_udp_cli_utility_linux.toml Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com> * Update rules/linux/execution_shell_via_java_revshell_linux.toml Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com> * Update rules/linux/execution_shell_via_java_revshell_linux.toml Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com> * Update rules/linux/execution_shell_via_java_revshell_linux.toml Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com> * Update rules/linux/execution_shell_suspicious_parent_child_revshell_linux.toml Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com> * Update rules/linux/execution_shell_via_udp_cli_utility_linux.toml Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com> * Update rules/linux/execution_shell_via_udp_cli_utility_linux.toml Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com> * Update rules/linux/execution_shell_via_reverse_tcp_utility_linux.toml Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com> * Update rules/linux/execution_shell_via_reverse_tcp_utility_linux.toml Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com> * Update rules/linux/execution_shell_suspicious_parent_child_revshell_linux.toml Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com> * Update rules/linux/execution_shell_suspicious_parent_child_revshell_linux.toml Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com> * Delete UDP rule to add in separate PR * Update rules/linux/execution_shell_via_lolbin_interpreter_linux.toml Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com> * Update rules/linux/execution_shell_via_tcp_cli_utility_linux.toml Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com> * Update rules/linux/execution_shell_via_reverse_tcp_utility_linux.toml Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com> * Update rules/linux/execution_shell_via_tcp_cli_utility_linux.toml Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com> * Update rules/linux/execution_shell_via_tcp_cli_utility_linux.toml Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com> * Deleted one rule and tuned the others * Improved the rules' performance * Added the reverse_tcp rule back after tuning * Update execution_shell_via_lolbin_interpreter_linux.toml --------- Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com> --- ...xecution_reverse_shell_via_named_pipe.toml | 13 ++- ...uspicious_parent_child_revshell_linux.toml | 75 +++++++++++++++++ ...ecution_shell_via_java_revshell_linux.toml | 66 +++++++++++++++ ...on_shell_via_lolbin_interpreter_linux.toml | 75 +++++++++++++++++ ...execution_shell_via_suspicious_binary.toml | 80 +++++++++++++++++++ ...ution_shell_via_tcp_cli_utility_linux.toml | 67 ++++++++++++++++ 6 files changed, 373 insertions(+), 3 deletions(-) rename rules/{linux => _deprecated}/execution_reverse_shell_via_named_pipe.toml (91%) create mode 100644 rules/linux/execution_shell_suspicious_parent_child_revshell_linux.toml create mode 100644 rules/linux/execution_shell_via_java_revshell_linux.toml create mode 100644 rules/linux/execution_shell_via_lolbin_interpreter_linux.toml create mode 100644 rules/linux/execution_shell_via_suspicious_binary.toml create mode 100644 rules/linux/execution_shell_via_tcp_cli_utility_linux.toml diff --git a/rules/linux/execution_reverse_shell_via_named_pipe.toml b/rules/_deprecated/execution_reverse_shell_via_named_pipe.toml similarity index 91% rename from rules/linux/execution_reverse_shell_via_named_pipe.toml rename to rules/_deprecated/execution_reverse_shell_via_named_pipe.toml index 4211ea5c1..b22c99d19 100644 --- a/rules/linux/execution_reverse_shell_via_named_pipe.toml +++ b/rules/_deprecated/execution_reverse_shell_via_named_pipe.toml @@ -1,10 +1,11 @@ [metadata] creation_date = "2022/11/14" +deprecation_date = "2023/07/04" integration = ["endpoint"] -maturity = "production" +maturity = "deprecated" min_stack_comments = "New fields added: required_fields, related_integrations, setup" min_stack_version = "8.3.0" -updated_date = "2023/06/22" +updated_date = "2023/07/04" [rule] author = ["Elastic"] @@ -34,7 +35,13 @@ references = [ risk_score = 47 rule_id = "dd7f1524-643e-11ed-9e35-f661ea17fbcd" severity = "medium" -tags = ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Execution", "Data Source: Elastic Endgame"] +tags = [ + "Domain: Endpoint", + "OS: Linux", + "Use Case: Threat Detection", + "Tactic: Execution", + "Data Source: Elastic Endgame", +] type = "eql" query = ''' diff --git a/rules/linux/execution_shell_suspicious_parent_child_revshell_linux.toml b/rules/linux/execution_shell_suspicious_parent_child_revshell_linux.toml new file mode 100644 index 000000000..7157e032d --- /dev/null +++ b/rules/linux/execution_shell_suspicious_parent_child_revshell_linux.toml @@ -0,0 +1,75 @@ +[metadata] +creation_date = "2023/07/04" +integration = ["endpoint"] +maturity = "production" +min_stack_comments = "New fields added: required_fields, related_integrations, setup" +min_stack_version = "8.3.0" +updated_date = "2023/07/04" + +[rule] +author = ["Elastic"] +description = """ +This detection rule detects the creation of a shell through a suspicious parent child relationship. Any reverse shells +spawned by the specified utilities that use a forked process to initialize the connection attempt will be captured +through this rule. Attackers may spawn reverse shells to establish persistence onto a target system. +""" +from = "now-9m" +index = ["logs-endpoint.events.*"] +language = "eql" +license = "Elastic License v2" +name = "Potential Reverse Shell via Suspicious Parent Process" +references = [ + "https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/Methodology%20and%20Resources/Reverse%20Shell%20Cheatsheet.md" +] +risk_score = 47 +rule_id = "4b1a807a-4e7b-414e-8cea-24bf580f6fc5" +severity = "medium" +tags = ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Execution"] +type = "eql" +query = ''' +sequence by host.id, process.parent.entity_id with maxspan=1s +[ process where host.os.type == "linux" and event.type == "start" and event.action == "fork" and ( + (process.name : "python*" and process.args : "-c") or + (process.name : "php*" and process.args : "-r") or + (process.name : "perl" and process.args : "-e") or + (process.name : "ruby" and process.args : ("-e", "-rsocket")) or + (process.name : "lua*" and process.args : "-e") or + (process.name : "openssl" and process.args : "-connect") or + (process.name : ("nc", "ncat", "netcat") and process.args_count >= 3) or + (process.name : "telnet" and process.args_count >= 3) or + (process.name : "awk")) and + process.parent.name : ("python*", "php*", "perl", "ruby", "lua*", "openssl", "nc", "netcat", "ncat", "telnet", "awk") ] +[ network where host.os.type == "linux" and event.type == "start" and event.action == "connection_attempted" and + process.name : ("python*", "php*", "perl", "ruby", "lua*", "openssl", "nc", "netcat", "ncat", "telnet", "awk") ] +''' + +[[rule.threat]] +framework = "MITRE ATT&CK" + +[rule.threat.tactic] +name = "Execution" +id = "TA0002" +reference = "https://attack.mitre.org/tactics/TA0002/" + +[[rule.threat.technique]] +id = "T1059" +name = "Command and Scripting Interpreter" +reference = "https://attack.mitre.org/techniques/T1059/" + +[[rule.threat.technique.subtechnique]] +id = "T1059.004" +name = "Unix Shell" +reference = "https://attack.mitre.org/techniques/T1059/004/" + +[[rule.threat]] +framework = "MITRE ATT&CK" + +[rule.threat.tactic] +name = "Command and Control" +id = "TA0011" +reference = "https://attack.mitre.org/tactics/TA0011/" + +[[rule.threat.technique]] +name = "Application Layer Protocol" +id = "T1071" +reference = "https://attack.mitre.org/techniques/T1071/" diff --git a/rules/linux/execution_shell_via_java_revshell_linux.toml b/rules/linux/execution_shell_via_java_revshell_linux.toml new file mode 100644 index 000000000..1e493963c --- /dev/null +++ b/rules/linux/execution_shell_via_java_revshell_linux.toml @@ -0,0 +1,66 @@ +[metadata] +creation_date = "2023/07/04" +integration = ["endpoint"] +maturity = "production" +min_stack_comments = "New fields added: required_fields, related_integrations, setup" +min_stack_version = "8.3.0" +updated_date = "2023/07/04" + +[rule] +author = ["Elastic"] +description = """ +This detection rule identifies the execution of a Linux shell process from a Java JAR application post an incoming +network connection. This behavior may indicate reverse shell activity via a Java application. +""" +from = "now-9m" +index = ["logs-endpoint.events.*"] +language = "eql" +license = "Elastic License v2" +name = "Potential Reverse Shell via Java" +references = [ + "https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/Methodology%20and%20Resources/Reverse%20Shell%20Cheatsheet.md" +] +risk_score = 47 +rule_id = "5a3d5447-31c9-409a-aed1-72f9921594fd" +severity = "medium" +tags = ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Execution"] +type = "eql" +query = ''' +sequence by host.id with maxspan=5s +[ network where host.os.type == "linux" and event.action in ("connection_accepted", "connection_attempted") and + process.executable : ("/usr/bin/java", "/bin/java", "/usr/lib/jvm/*", "/usr/java/*") ] by process.entity_id +[ process where host.os.type == "linux" and event.action == "exec" and + process.parent.executable : ("/usr/bin/java", "/bin/java", "/usr/lib/jvm/*", "/usr/java/*") and + process.parent.args : "-jar" and process.executable : "*sh" ] by process.parent.entity_id +''' + +[[rule.threat]] +framework = "MITRE ATT&CK" + +[rule.threat.tactic] +name = "Execution" +id = "TA0002" +reference = "https://attack.mitre.org/tactics/TA0002/" + +[[rule.threat.technique]] +id = "T1059" +name = "Command and Scripting Interpreter" +reference = "https://attack.mitre.org/techniques/T1059/" + +[[rule.threat.technique.subtechnique]] +id = "T1059.004" +name = "Unix Shell" +reference = "https://attack.mitre.org/techniques/T1059/004/" + +[[rule.threat]] +framework = "MITRE ATT&CK" + +[rule.threat.tactic] +name = "Command and Control" +id = "TA0011" +reference = "https://attack.mitre.org/tactics/TA0011/" + +[[rule.threat.technique]] +name = "Application Layer Protocol" +id = "T1071" +reference = "https://attack.mitre.org/techniques/T1071/" diff --git a/rules/linux/execution_shell_via_lolbin_interpreter_linux.toml b/rules/linux/execution_shell_via_lolbin_interpreter_linux.toml new file mode 100644 index 000000000..36e1a70ef --- /dev/null +++ b/rules/linux/execution_shell_via_lolbin_interpreter_linux.toml @@ -0,0 +1,75 @@ +[metadata] +creation_date = "2023/07/04" +integration = ["endpoint"] +maturity = "production" +min_stack_comments = "New fields added: required_fields, related_integrations, setup" +min_stack_version = "8.3.0" +updated_date = "2023/07/04" + +[rule] +author = ["Elastic"] +description = """ +This detection rule detects the creation of a shell through a suspicious process chain. Any reverse shells spawned by +the specified utilities that are initialized from a single process followed by a network connection attempt will be +captured through this rule. Attackers may spawn reverse shells to establish persistence onto a target system. +""" +from = "now-9m" +index = ["logs-endpoint.events.*"] +language = "eql" +license = "Elastic License v2" +name = "Potential Reverse Shell via Suspicious Child Process" +references = [ + "https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/Methodology%20and%20Resources/Reverse%20Shell%20Cheatsheet.md" +] +risk_score = 47 +rule_id = "76e4d92b-61c1-4a95-ab61-5fd94179a1ee" +severity = "medium" +tags = ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Execution"] +type = "eql" +query = ''' +sequence by host.id, process.entity_id with maxspan=1s +[ process where host.os.type == "linux" and event.type == "start" and event.action == "exec" and ( + (process.name : "python*" and process.args : "-c") or + (process.name : "php*" and process.args : "-r") or + (process.name : "perl" and process.args : "-e") or + (process.name : "ruby" and process.args : ("-e", "-rsocket")) or + (process.name : "lua*" and process.args : "-e") or + (process.name : "openssl" and process.args : "-connect") or + (process.name : ("nc", "ncat", "netcat") and process.args_count >= 3) or + (process.name : "telnet" and process.args_count >= 3) or + (process.name : "awk")) and + process.parent.name : ("bash", "dash", "sh", "tcsh", "csh", "zsh", "ksh", "fish") ] +[ network where host.os.type == "linux" and event.type == "start" and event.action == "connection_attempted" and + process.name : ("python*", "php*", "perl", "ruby", "lua*", "openssl", "nc", "netcat", "ncat", "telnet", "awk") ] +''' + +[[rule.threat]] +framework = "MITRE ATT&CK" + +[rule.threat.tactic] +name = "Execution" +id = "TA0002" +reference = "https://attack.mitre.org/tactics/TA0002/" + +[[rule.threat.technique]] +id = "T1059" +name = "Command and Scripting Interpreter" +reference = "https://attack.mitre.org/techniques/T1059/" + +[[rule.threat.technique.subtechnique]] +id = "T1059.004" +name = "Unix Shell" +reference = "https://attack.mitre.org/techniques/T1059/004/" + +[[rule.threat]] +framework = "MITRE ATT&CK" + +[rule.threat.tactic] +name = "Command and Control" +id = "TA0011" +reference = "https://attack.mitre.org/tactics/TA0011/" + +[[rule.threat.technique]] +name = "Application Layer Protocol" +id = "T1071" +reference = "https://attack.mitre.org/techniques/T1071/" diff --git a/rules/linux/execution_shell_via_suspicious_binary.toml b/rules/linux/execution_shell_via_suspicious_binary.toml new file mode 100644 index 000000000..01d25194a --- /dev/null +++ b/rules/linux/execution_shell_via_suspicious_binary.toml @@ -0,0 +1,80 @@ +[metadata] +creation_date = "2023/07/05" +integration = ["endpoint"] +maturity = "production" +min_stack_comments = "New fields added: required_fields, related_integrations, setup" +min_stack_version = "8.3.0" +updated_date = "2023/07/05" + +[rule] +author = ["Elastic"] +description = """ +This detection rule detects the creation of a shell through a chain consisting of the execution of a suspicious binary +(located in a commonly abused location or executed manually) followed by a network event and ending with a shell being +spawned. Stageless reverse tcp shells display this behaviour. Attackers may spawn reverse shells to establish +persistence onto a target system. +""" +from = "now-9m" +index = ["logs-endpoint.events.*"] +language = "eql" +license = "Elastic License v2" +name = "Potential Reverse Shell via Suspicious Binary" +references = [ + "https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/Methodology%20and%20Resources/Reverse%20Shell%20Cheatsheet.md" +] +risk_score = 47 +rule_id = "fa3a59dc-33c3-43bf-80a9-e8437a922c7f" +severity = "medium" +tags = ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Execution"] +type = "eql" +query = ''' +sequence by host.id, process.entity_id with maxspan=1s +[ process where host.os.type == "linux" and event.type == "start" and event.action == "exec" and + process.executable : ( + "./*", "/tmp/*", "/var/tmp/*", "/var/www/*", "/dev/shm/*", "/etc/init.d/*", "/etc/rc*.d/*", + "/etc/crontab", "/etc/cron.*", "/etc/update-motd.d/*", "/usr/lib/update-notifier/*", + "/boot/*", "/srv/*", "/run/*", "/root/*", "/etc/rc.local" + ) and + process.parent.name : ("bash", "dash", "sh", "tcsh", "csh", "zsh", "ksh", "fish") and not + process.name : ("curl", "wget", "ping", "apt", "dpkg", "yum", "rpm", "dnf", "dockerd") ] +[ network where host.os.type == "linux" and event.type == "start" and event.action == "connection_attempted" and + process.executable : ( + "./*", "/tmp/*", "/var/tmp/*", "/var/www/*", "/dev/shm/*", "/etc/init.d/*", "/etc/rc*.d/*", + "/etc/crontab", "/etc/cron.*", "/etc/update-motd.d/*", "/usr/lib/update-notifier/*", + "/boot/*", "/srv/*", "/run/*", "/root/*", "/etc/rc.local" + ) ] +[ process where host.os.type == "linux" and event.action == "exec" and event.type == "start" and + process.name : ("bash", "dash", "sh", "tcsh", "csh", "zsh", "ksh", "fish") and + process.parent.name : ("bash", "dash", "sh", "tcsh", "csh", "zsh", "ksh", "fish") ] +''' + +[[rule.threat]] +framework = "MITRE ATT&CK" + +[rule.threat.tactic] +name = "Execution" +id = "TA0002" +reference = "https://attack.mitre.org/tactics/TA0002/" + +[[rule.threat.technique]] +id = "T1059" +name = "Command and Scripting Interpreter" +reference = "https://attack.mitre.org/techniques/T1059/" + +[[rule.threat.technique.subtechnique]] +id = "T1059.004" +name = "Unix Shell" +reference = "https://attack.mitre.org/techniques/T1059/004/" + +[[rule.threat]] +framework = "MITRE ATT&CK" + +[rule.threat.tactic] +name = "Command and Control" +id = "TA0011" +reference = "https://attack.mitre.org/tactics/TA0011/" + +[[rule.threat.technique]] +name = "Application Layer Protocol" +id = "T1071" +reference = "https://attack.mitre.org/techniques/T1071/" \ No newline at end of file diff --git a/rules/linux/execution_shell_via_tcp_cli_utility_linux.toml b/rules/linux/execution_shell_via_tcp_cli_utility_linux.toml new file mode 100644 index 000000000..dfaaba0a5 --- /dev/null +++ b/rules/linux/execution_shell_via_tcp_cli_utility_linux.toml @@ -0,0 +1,67 @@ +[metadata] +creation_date = "2023/07/04" +integration = ["endpoint"] +maturity = "production" +min_stack_comments = "New fields added: required_fields, related_integrations, setup" +min_stack_version = "8.3.0" +updated_date = "2023/07/04" + +[rule] +author = ["Elastic"] +description = """ +This detection rule identifies suspicious network traffic patterns associated with TCP reverse shell activity. This +activity consists of a parent-child relationship where a network event is followed by the creation of a shell process. +An attacker may establish a Linux TCP reverse shell to gain remote access to a target system. +""" +from = "now-9m" +index = ["logs-endpoint.events.*"] +language = "eql" +license = "Elastic License v2" +name = "Potential Reverse Shell" +references = [ + "https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/Methodology%20and%20Resources/Reverse%20Shell%20Cheatsheet.md" +] +risk_score = 47 +rule_id = "48b3d2e3-f4e8-41e6-95e6-9b2091228db3" +severity = "medium" +tags = ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Execution"] +type = "eql" +query = ''' +sequence by host.id with maxspan=1s +[ network where host.os.type == "linux" and event.type == "start" and event.action == "connection_attempted" and + process.name : ("bash", "dash", "sh", "tcsh", "csh", "zsh", "ksh", "fish", "socat") ] by process.entity_id +[ process where host.os.type == "linux" and event.type == "start" and event.action : ("exec", "fork") and + process.name : ("bash", "dash", "sh", "tcsh", "csh", "zsh", "ksh", "fish") and + process.parent.name : ("bash", "dash", "sh", "tcsh", "csh", "zsh", "ksh", "fish", "socat") ] by process.parent.entity_id +''' + +[[rule.threat]] +framework = "MITRE ATT&CK" + +[rule.threat.tactic] +name = "Execution" +id = "TA0002" +reference = "https://attack.mitre.org/tactics/TA0002/" + +[[rule.threat.technique]] +id = "T1059" +name = "Command and Scripting Interpreter" +reference = "https://attack.mitre.org/techniques/T1059/" + +[[rule.threat.technique.subtechnique]] +id = "T1059.004" +name = "Unix Shell" +reference = "https://attack.mitre.org/techniques/T1059/004/" + +[[rule.threat]] +framework = "MITRE ATT&CK" + +[rule.threat.tactic] +name = "Command and Control" +id = "TA0011" +reference = "https://attack.mitre.org/tactics/TA0011/" + +[[rule.threat.technique]] +name = "Application Layer Protocol" +id = "T1071" +reference = "https://attack.mitre.org/techniques/T1071/"