[New Rule] Suspicious Outbound Network Connect Sequence by Root (#1975)
* adding initial rule
* adjusted UUID
* removed event.ingested as query is a sequence
* changed file name to match mitre ATT&CK tactic
* Update rules/linux/command_and_control_connection_attempt_by_non_ssh_root_session.toml
* Update rules/linux/command_and_control_connection_attempt_by_non_ssh_root_session.toml
* Update rules/linux/command_and_control_connection_attempt_by_non_ssh_root_session.toml
* Update rules/linux/command_and_control_connection_attempt_by_non_ssh_root_session.toml
* Update rules/linux/command_and_control_connection_attempt_by_non_ssh_root_session.toml
* Update rules/linux/command_and_control_connection_attempt_by_non_ssh_root_session.toml
* TOML linted
* Update command_and_control_connection_attempt_by_non_ssh_root_session.toml
Just edited a couple grammar things. Looks good
* Update rules/linux/command_and_control_connection_attempt_by_non_ssh_root_session.toml
* Update rules/linux/command_and_control_connection_attempt_by_non_ssh_root_session.toml
* Update rules/linux/command_and_control_connection_attempt_by_non_ssh_root_session.toml
Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com>
* Update rules/linux/command_and_control_connection_attempt_by_non_ssh_root_session.toml
* added additional tactic for privilege escalation and linted
* formatted query to be more readable
Co-authored-by: Colson Wilhoit <48036388+DefSecSentinel@users.noreply.github.com>
Co-authored-by: Isai <59296946+imays11@users.noreply.github.com>
Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com>
(cherry picked from commit c89f423961)
This commit is contained in:
Terrance DeJesus
committed by
github-actions[bot]
github-actions[bot]
parent
f223e63030
commit
a440d87f67
@@ -0,0 +1,80 @@
|
||||
[metadata]
|
||||
creation_date = "2022/05/16"
|
||||
maturity = "production"
|
||||
updated_date = "2022/05/16"
|
||||
|
||||
[rule]
|
||||
author = ["Elastic"]
|
||||
description = """
|
||||
Identifies an outbound network connection attempt followed by a session id change as the root user by the same process
|
||||
entity. This particular instantiation of a network connection is abnormal and should be investigated as it may indicate
|
||||
a potential reverse shell activity via a privileged process.
|
||||
"""
|
||||
false_positives = [
|
||||
"""
|
||||
False-Positives (FP) can appear if another remote terminal service is being used to connect to it's listener but
|
||||
typically SSH is used in these scenarios.
|
||||
""",
|
||||
]
|
||||
from = "now-9m"
|
||||
index = ["logs-endpoint.events.*"]
|
||||
language = "eql"
|
||||
license = "Elastic License v2"
|
||||
name = "Suspicious Outbound Network Connection Sequence by Root"
|
||||
note = """## Triage and analysis
|
||||
### Investigating Connection Attempt by Non-SSH Root Session
|
||||
Detection alerts from this rule indicate a strange or abnormal outbound connection attempt by a privileged process. Here are some possible avenues of investigation:
|
||||
- Examine unusual and active sessions using commands such as 'last -a', 'netstat -a', and 'w -a'.
|
||||
- Analyze processes and command line arguments to detect anomalous process execution that may be acting as a listener.
|
||||
- Analyze anomalies in the use of files that do not normally initiate connections.
|
||||
- Examine processes utilizing the network that do not normally have network communication.
|
||||
"""
|
||||
references = [
|
||||
"https://www.sandflysecurity.com/blog/linux-file-masquerading-and-malicious-pids-sandfly-1-2-6-update/",
|
||||
"https://twitter.com/GossiTheDog/status/1522964028284411907",
|
||||
"https://exatrack.com/public/Tricephalic_Hellkeeper.pdf",
|
||||
]
|
||||
risk_score = 43
|
||||
rule_id = "eb6a3790-d52d-11ec-8ce9-f661ea17fbce"
|
||||
severity = "medium"
|
||||
tags = ["Elastic", "Host", "Linux", "Threat Detection", "Command and Control"]
|
||||
type = "eql"
|
||||
|
||||
query = '''
|
||||
sequence by process.entity_id with maxspan=1m
|
||||
[network where event.type == "start" and event.action == "connection_attempted" and user.id == "0" and
|
||||
not process.executable : ("/bin/ssh", "/sbin/ssh", "/usr/lib/systemd/systemd")]
|
||||
[process where event.action == "session_id_change" and user.id == "0"]
|
||||
'''
|
||||
|
||||
|
||||
[[rule.threat]]
|
||||
framework = "MITRE ATT&CK"
|
||||
[[rule.threat.technique]]
|
||||
id = "T1095"
|
||||
name = "Non-Application Layer Protocol"
|
||||
reference = "https://attack.mitre.org/techniques/T1095/"
|
||||
|
||||
|
||||
[rule.threat.tactic]
|
||||
id = "TA0011"
|
||||
name = "Command and Control"
|
||||
reference = "https://attack.mitre.org/tactics/TA0011/"
|
||||
[[rule.threat]]
|
||||
framework = "MITRE ATT&CK"
|
||||
[[rule.threat.technique]]
|
||||
id = "T1548"
|
||||
name = "Abuse Elevation Control Mechanism"
|
||||
reference = "https://attack.mitre.org/techniques/T1548/"
|
||||
[[rule.threat.technique.subtechnique]]
|
||||
id = "T1548.003"
|
||||
name = "Sudo and Sudo Caching"
|
||||
reference = "https://attack.mitre.org/techniques/T1548/003/"
|
||||
|
||||
|
||||
|
||||
[rule.threat.tactic]
|
||||
id = "TA0004"
|
||||
name = "Privilege Escalation"
|
||||
reference = "https://attack.mitre.org/tactics/TA0004/"
|
||||
|
||||
Reference in New Issue
Block a user