From bd228ae2fba4b947ffab8bd2a84f013f08dbd8be Mon Sep 17 00:00:00 2001 From: Justin Ibarra Date: Tue, 29 Mar 2022 15:01:48 -0800 Subject: [PATCH] Re-add c89 rules (#1900) (cherry picked from commit 8d09bca633214d48cd8e1afe8fa9a63918214341) --- rules/linux/execution_c89_c99_binary.toml | 50 +++++++++++++++++++++++ 1 file changed, 50 insertions(+) create mode 100644 rules/linux/execution_c89_c99_binary.toml diff --git a/rules/linux/execution_c89_c99_binary.toml b/rules/linux/execution_c89_c99_binary.toml new file mode 100644 index 000000000..069e90010 --- /dev/null +++ b/rules/linux/execution_c89_c99_binary.toml @@ -0,0 +1,50 @@ +[metadata] +creation_date = "2022/03/15" +maturity = "production" +updated_date = "2022/03/24" + +[rule] +author = ["Elastic"] +description = """ +Identifies Linux binary c89/c99 abuse to break out from restricted environments by spawning an interactive system +shell.The c89/c99 utility is an interface to the standard C compilation system and the activity of spawing a shell is +not a standard use of this binary by a user or system administrator. It indicates a potentially malicious actor +attempting to improve the capabilities or stability of their access. +""" +from = "now-9m" +index = ["logs-endpoint.events.*"] +language = "eql" +license = "Elastic License v2" +name = "Linux Restricted Shell Breakout via c89/c99 Shell evasion" +references = ["https://gtfobins.github.io/gtfobins/c89/", "https://gtfobins.github.io/gtfobins/c99/"] +risk_score = 47 +rule_id = "1859ce38-6a50-422b-a5e8-636e231ea0cd" +severity = "medium" +tags = ["Elastic", "Host", "Linux", "Threat Detection", "Execution", "GTFOBins"] +timestamp_override = "event.ingested" +type = "eql" + +query = ''' +process where event.type == "start" and process.name in ("sh", "dash", "bash") and + process.parent.name in ("c89","c99") and process.parent.args == "-wrapper" and + process.parent.args in ("sh,-s", "bash,-s", "dash,-s", "/bin/sh,-s", "/bin/bash,-s", "/bin/dash,-s") +''' + + +[[rule.threat]] +framework = "MITRE ATT&CK" +[[rule.threat.technique]] +id = "T1059" +name = "Command and Scripting Interpreter" +reference = "https://attack.mitre.org/techniques/T1059/" +[[rule.threat.technique.subtechnique]] +id = "T1059.004" +name = "Unix Shell" +reference = "https://attack.mitre.org/techniques/T1059/004/" + + + +[rule.threat.tactic] +id = "TA0002" +name = "Execution" +reference = "https://attack.mitre.org/tactics/TA0002/"