From 758784d4d5d3bfb5162bf50de78e7b5bfbf7b14c Mon Sep 17 00:00:00 2001 From: shashank-elastic <91139415+shashank-elastic@users.noreply.github.com> Date: Wed, 2 Mar 2022 21:47:01 +0530 Subject: [PATCH] env binary shell evasion threat (#1793) * new:rule:issue-1786 Adding a new Rule for env binary shell evasion threat * new:rule:issue-1786 Adding a new Rule for env binary shell evasion threat * Update rules/linux/env_binary_shell_evasion.toml * Update rules/linux/env_binary_shell_evasion.toml * new:rule:issue-1786 Adding Mittre Attack Techniques * new:rule:issue-1786 Adding Mittre Attack Techniques * new:rule:issue-1786 Adding Mittre Attack Techniques * new:rule:issue-1786 Adding Mittre Attack Techniques * new:rule:issue-1786 Adding Mittre Attack Techniques * Update rules/linux/privilege_escalation_env_binary.toml Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com> * Update rules/linux/privilege_escalation_env_binary.toml Co-authored-by: Justin Ibarra * Update rules/linux/privilege_escalation_env_binary.toml * Update rules/linux/privilege_escalation_env_binary.toml * new:rule:issue-1786 Review Comments * Update rules/linux/defense_evasion_env_binary.toml Co-authored-by: Colson Wilhoit <48036388+DefSecSentinel@users.noreply.github.com> Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com> Co-authored-by: Justin Ibarra --- rules/linux/defense_evasion_env_binary.toml | 44 +++++++++++++++++++++ 1 file changed, 44 insertions(+) create mode 100644 rules/linux/defense_evasion_env_binary.toml diff --git a/rules/linux/defense_evasion_env_binary.toml b/rules/linux/defense_evasion_env_binary.toml new file mode 100644 index 000000000..cca34f51d --- /dev/null +++ b/rules/linux/defense_evasion_env_binary.toml @@ -0,0 +1,44 @@ +[metadata] +creation_date = "2022/02/24" +maturity = "production" +updated_date = "2022/02/24" + +[rule] +author = ["Elastic"] +description = "Identifies Linux binary env abuse to break out from restricted environments by spawning an interactive system shell" +from = "now-9m" +index = ["logs-endpoint.events.*"] +language = "eql" +license = "Elastic License v2" +name = "Linux Restricted Shell Breakout via env Shell Evasion" +references = ["https://gtfobins.github.io/gtfobins/env/"] +risk_score = 47 +rule_id = "72d33577-f155-457d-aad3-379f9b750c97" +severity = "medium" +tags = ["Elastic", "Host", "Linux", "Threat Detection", "Defense Evasion", "GTFOBins"] +timestamp_override = "event.ingested" +type = "eql" + +query = ''' +process where event.type == "start" and process.name : "env" and process.args_count == 2 and process.args : ("/bin/sh", "/bin/bash", "sh", "bash") +''' + + +[[rule.threat]] +framework = "MITRE ATT&CK" +[[rule.threat.technique]] +id = "T1548" +name = "Abuse Elevation Control Mechanism" +reference = "https://attack.mitre.org/techniques/T1548/" +[[rule.threat.technique.subtechnique]] +id = "T1548.004" +name = "Elevated Execution with Prompt" +reference = "https://attack.mitre.org/techniques/T1548/004/" + + + +[rule.threat.tactic] +id = "TA0005" +name = "Defense Evasion" +reference = "https://attack.mitre.org/tactics/TA0005/" +