From a440d87f6700eb6c1ca61e1cd041f934c752d331 Mon Sep 17 00:00:00 2001 
From: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com> Date: Mon, 16 May 2022 17:22:33 -0400 Subject: [PATCH] [New Rule] Suspicious Outbound Network Connect Sequence by Root (#1975) * adding initial rule * adjusted UUID * removed event.ingested as query is a sequence * changed file name to match mitre ATT&CK tactic * Update rules/linux/command_and_control_connection_attempt_by_non_ssh_root_session.toml * Update rules/linux/command_and_control_connection_attempt_by_non_ssh_root_session.toml * Update rules/linux/command_and_control_connection_attempt_by_non_ssh_root_session.toml * Update rules/linux/command_and_control_connection_attempt_by_non_ssh_root_session.toml * Update rules/linux/command_and_control_connection_attempt_by_non_ssh_root_session.toml * Update rules/linux/command_and_control_connection_attempt_by_non_ssh_root_session.toml * TOML linted * Update command_and_control_connection_attempt_by_non_ssh_root_session.toml Just edited a couple grammar things. Looks good * Update rules/linux/command_and_control_connection_attempt_by_non_ssh_root_session.toml * Update rules/linux/command_and_control_connection_attempt_by_non_ssh_root_session.toml * Update rules/linux/command_and_control_connection_attempt_by_non_ssh_root_session.toml Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com> * Update rules/linux/command_and_control_connection_attempt_by_non_ssh_root_session.toml * added additional tactic for privilege escalation and linted * formatted query to be more readable Co-authored-by: Colson Wilhoit <48036388+DefSecSentinel@users.noreply.github.com> Co-authored-by: Isai <59296946+imays11@users.noreply.github.com> Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com> (cherry picked from commit c89f423961f2dcec5b26f7144bce54677dee9263) --- ...ction_attempt_by_non_ssh_root_session.toml | 80 +++++++++++++++++++ 1 file changed, 80 insertions(+) create mode 100644 
rules/linux/command_and_control_connection_attempt_by_non_ssh_root_session.toml
diff --git a/rules/linux/command_and_control_connection_attempt_by_non_ssh_root_session.toml b/rules/linux/command_and_control_connection_attempt_by_non_ssh_root_session.toml
new file mode 100644
index 000000000..0003bfc0a
--- /dev/null
+++ b/rules/linux/command_and_control_connection_attempt_by_non_ssh_root_session.toml
@@ -0,0 +1,80 @@
+[metadata]
+creation_date = "2022/05/16"
+maturity = "production"
+updated_date = "2022/05/16"
+
+[rule]
+author = ["Elastic"]
+description = """
+Identifies an outbound network connection attempt followed by a session id change as the root user by the same process
+entity. This particular instantiation of a network connection is abnormal and should be investigated as it may indicate
+a potential reverse shell activity via a privileged process.
+"""
+false_positives = [
+ """
+ False-Positives (FP) can appear if another remote terminal service is being used to connect to it's listener but
+ typically SSH is used in these scenarios.
+ """,
+]
+from = "now-9m"
+index = ["logs-endpoint.events.*"]
+language = "eql"
+license = "Elastic License v2"
+name = "Suspicious Outbound Network Connection Sequence by Root"
+note = """## Triage and analysis
+### Investigating Connection Attempt by Non-SSH Root Session
+Detection alerts from this rule indicate a strange or abnormal outbound connection attempt by a privileged process. Here are some possible avenues of investigation:
+- Examine unusual and active sessions using commands such as 'last -a', 'netstat -a', and 'w -a'.
+- Analyze processes and command line arguments to detect anomalous process execution that may be acting as a listener.
+- Analyze anomalies in the use of files that do not normally initiate connections.
+- Examine processes utilizing the network that do not normally have network communication.
+"""
+references = [
+ "https://www.sandflysecurity.com/blog/linux-file-masquerading-and-malicious-pids-sandfly-1-2-6-update/",
+ "https://twitter.com/GossiTheDog/status/1522964028284411907",
+ "https://exatrack.com/public/Tricephalic_Hellkeeper.pdf",
+]
+risk_score = 43
+rule_id = "eb6a3790-d52d-11ec-8ce9-f661ea17fbce"
+severity = "medium"
+tags = ["Elastic", "Host", "Linux", "Threat Detection", "Command and Control"]
+type = "eql"
+
+query = '''
+sequence by process.entity_id with maxspan=1m
+[network where event.type == "start" and event.action == "connection_attempted" and user.id == "0" and
+ not process.executable : ("/bin/ssh", "/sbin/ssh", "/usr/lib/systemd/systemd")]
+[process where event.action == "session_id_change" and user.id == "0"]
+'''
+
+
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+[[rule.threat.technique]]
+id = "T1095"
+name = "Non-Application Layer Protocol"
+reference = "https://attack.mitre.org/techniques/T1095/"
+
+
+[rule.threat.tactic]
+id = "TA0011"
+name = "Command and Control"
+reference = "https://attack.mitre.org/tactics/TA0011/"
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+[[rule.threat.technique]]
+id = "T1548"
+name = "Abuse Elevation Control Mechanism"
+reference = "https://attack.mitre.org/techniques/T1548/"
+[[rule.threat.technique.subtechnique]]
+id = "T1548.003"
+name = "Sudo and Sudo Caching"
+reference = "https://attack.mitre.org/techniques/T1548/003/"
+
+
+
+[rule.threat.tactic]
+id = "TA0004"
+name = "Privilege Escalation"
+reference = "https://attack.mitre.org/tactics/TA0004/"
+
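Review bot: The `tags` array lists only "Command and Control" even though the second `[[rule.threat]]` block maps the rule to TA0004 Privilege Escalation; keeping tags and tactic mappings in step is what downstream filtering relies on, so the line should read `tags = ["Elastic", "Host", "Linux", "Threat Detection", "Command and Control", "Privilege Escalation"]`. The `process.executable` exclusion in the `network` event names `/bin/ssh` and `/sbin/ssh` but not `/usr/bin/ssh`, which is where most distributions install the OpenSSH client (and where merged-/usr systems resolve `/bin/ssh`), so the allowlist may not suppress the benign SSH case that the `false_positives` text describes; adding `"/usr/bin/ssh"` to the list seems warranted, subject to checking how the endpoint reports the resolved path. Because that exclusion is path-based only, it is worth a sentence in `note` stating that the allowlist is intentionally narrow and why each entry is there, so future edits do not widen it casually. The T1548.003 "Sudo and Sudo Caching" mapping is not obviously supported by a query that matches `session_id_change` rather than any sudo activity; if it is intended, a short justification in `note` would help. Finally, "it's listener" in `false_positives` should read "its listener".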