security-tools/sigma-rules
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

[New BBR] Sus. Process Started via tmux or screen (#3071)

Browse Source 
* [New BBR] Sus. Process Started via tmux or screen

* [New BBR] Unix Socket Connection

* Revert "[New BBR] Unix Socket Connection"

This reverts commit 92a0b09e8c505bceb1025124658bb4233d5d19d9.

* Update rules_building_block/defense_evasion_sus_utility_executed_via_tmux_or_screen.toml

Co-authored-by: Justin Ibarra <16747370+brokensound77@users.noreply.github.com>

---------

Co-authored-by: Justin Ibarra <16747370+brokensound77@users.noreply.github.com>
This commit is contained in:
Ruben Groenewoud
2023-09-30 12:57:18 +02:00
committed by GitHub
parent 16550b7144
commit 8f122197bb
1 changed files with 49 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files
rules_building_block/defense_evasion_sus_utility_executed_via_tmux_or_screen.toml
+49
View File
@@ -0,0 +1,49 @@
[metadata]
creation_date = "2023/09/04"
integration = ["endpoint"]
maturity = "production"
min_stack_comments = "New fields added: required_fields, related_integrations, setup"
min_stack_version = "8.3.0"
updated_date = "2023/09/04"
bypass_bbr_timing = true
[rule]
author = ["Elastic"]
description = """
This rule monitors for the execution of suspicious commands via screen and tmux. When launching a command and detaching
directly, the commands will be executed in the background via its parent process. Attackers may leverage screen or tmux
to execute commands while attempting to evade detection.
"""
from = "now-9m"
index = ["logs-endpoint.events.*"]
language = "eql"
license = "Elastic License v2"
name = "Potentially Suspicious Process Started via tmux or screen"
risk_score = 21
rule_id = "e0cc3807-e108-483c-bf66-5a4fbe0d7e89"
severity = "low"
tags = ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Data Source: Elastic Defend", "Rule Type: BBR"]
timestamp_override = "event.ingested"
building_block_type = "default"
type = "eql"
query = '''
process where host.os.type == "linux" and event.action == "exec" and event.type == "start" and
process.parent.name in ("screen", "tmux") and process.name : (
"nmap", "nc", "ncat", "netcat", "socat", "nc.openbsd", "ngrok", "ping", "java", "python*", "php*", "perl", "ruby",
"lua*", "openssl", "telnet", "awk", "wget", "curl", "whoami", "id"
)
'''
[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1218"
name = "System Binary Proxy Execution"
reference = "https://attack.mitre.org/techniques/T1218/"
[rule.threat.tactic]
id = "TA0005"
name = "Defense Evasion"
reference = "https://attack.mitre.org/tactics/TA0005/"