From 9794f8f0af1ba98944be2d0e19c6c85f5d6ae1d1 Mon Sep 17 00:00:00 2001
From: Ruben Groenewoud <78494512+Aegrah@users.noreply.github.com>
Date: Fri, 30 Jun 2023 13:17:24 +0200
Subject: [PATCH] [New Rule] Postgresql Code Execution (#2863)

* [New Rule] Postgresql Code Execution

* Update rules/linux/execution_remote_code_execution_via_postgresql.toml

Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>

* Update execution_remote_code_execution_via_postgresql.toml

---------

Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>
---
 ..._remote_code_execution_via_postgresql.toml | 50 +++++++++++++++++++
 1 file changed, 50 insertions(+)
 create mode 100644 rules/linux/execution_remote_code_execution_via_postgresql.toml

diff --git a/rules/linux/execution_remote_code_execution_via_postgresql.toml b/rules/linux/execution_remote_code_execution_via_postgresql.toml
new file mode 100644
index 000000000..f74edf64e
--- /dev/null
+++ b/rules/linux/execution_remote_code_execution_via_postgresql.toml
@@ -0,0 +1,50 @@
+[metadata]
+creation_date = "2022/06/20"
+integration = ["endpoint"]
+maturity = "production"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2023/06/20"
+
+[rule]
+author = ["Elastic"]
+description = """
+This rule monitors for suspicious activities that may indicate an attacker attempting to execute arbitrary code within 
+a PostgreSQL environment. Attackers can execute code via PostgreSQL as a result of gaining unauthorized access to a
+public facing PostgreSQL database or exploiting vulnerabilities, such as remote command execution and SQL injection
+attacks, which can result in unauthorized access and malicious actions, and facilitate post-exploitation activities
+for unauthorized access and malicious actions.
+"""
+from = "now-9m"
+index = ["logs-endpoint.events.*", "endgame-*"]
+language = "eql"
+license = "Elastic License v2"
+name = "Potential Code Execution via Postgresql"
+risk_score = 73
+rule_id = "2a692072-d78d-42f3-a48a-775677d79c4e"
+severity = "high"
+tags = ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Execution", "Data Source: Elastic Endgame"]
+type = "eql"
+
+query = '''
+process where host.os.type == "linux" and event.action in ("exec", "exec_event", "fork", "fork_event") and 
+event.type == "start" and user.name == "postgres" and (process.parent.args : "*sh" or process.args : "*sh")
+'''
+
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+
+[[rule.threat.technique]]
+id = "T1059"
+name = "Command and Scripting Interpreter"
+reference = "https://attack.mitre.org/techniques/T1059/"
+
+[[rule.threat.technique.subtechnique]]
+id = "T1059.004"
+name = "Unix Shell"
+reference = "https://attack.mitre.org/techniques/T1059/004/"
+
+[rule.threat.tactic]
+id = "TA0002"
+name = "Execution"
+reference = "https://attack.mitre.org/tactics/TA0002/"