[New BBR] Reverse Connection through Port Knocking (#3219)

* [New BBR] Reverse Connection through Port Knocking

* Attempt to fix unit testing error

* Mitre list fix?

* Revert "Mitre list fix?"

This reverts commit 83682b8a58c2954911495d218392a33ee0615db2.

* Update command_and_control_linux_port_knocking_reverse_connection.toml

* Update command_and_control_linux_port_knocking_reverse_connection.toml

* Update rules_building_block/command_and_control_linux_port_knocking_reverse_connection.toml

* Update command_and_control_linux_port_knocking_reverse_connection.toml

* Update command_and_control_linux_port_knocking_reverse_connection.toml

---------

Co-authored-by: Colson Wilhoit <48036388+DefSecSentinel@users.noreply.github.com>

(cherry picked from commit a66394c550)
Ruben Groenewoud
2024-01-24 16:30:31 +01:00
committed by github-actions[bot]
parent df82c11b4a
commit c2eb386789
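--- /dev/null
+++ b/rules_building_block/command_and_control_linux_port_knocking_reverse_connection.toml
@@ -0,0 +1,108 @@
+[metadata]
+bypass_bbr_timing = true
+creation_date = "2023/10/24"
+integration = ["endpoint", "network_traffic"]
+maturity = "production"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2023/10/24"
+[rule]
+author = ["Elastic"]
+building_block_type = "default"
+description = """
+Monitors for a sequence of network activity on atypical ports, prior to receiving a single packet on such a non-standard
+port, which potentially indicates signal port knocking activity. Port knocking is a covert method of externally opening
+ports by sending a sequence of packets to previously closed ports, which adversaries may leverage to discreetly gain
+access without directly alerting traditional monitoring systems.
+"""
+from = "now-9m"
+index = ["logs-endpoint.events.*", "logs-network_traffic.*"]
+language = "eql"
+license = "Elastic License v2"
+name = "Potential Linux Reverse Connection through Port Knocking"
+references = ["https://github.com/f0rb1dd3n/Reptile"]
+risk_score = 21
+rule_id = "86c3157c-a951-4a4f-989b-2f0d0f1f9518"
+severity = "low"
+tags = [
+"Domain: Endpoint",
+"OS: Linux",
+"Use Case: Threat Detection",
+"Tactic: Command and Control",
+"Data Source: Elastic Defend",
+"Rule Type: BBR"
+]
+type = "eql"
+query = '''
+sequence by host.id with maxspan=10s
+[network where host.os.type == "linux" and event.action in ("connection_accepted", "connection_attempted") and
+event.type == "start" and process.name : "*" and (
+process.name : (
+"python*", "php*", "perl*", "ruby", "lua*", "openssl", "nc", "netcat", "ncat", "telnet",
+"awk", "gawk", "mawk", "nawk", "bash", "dash", "sh", "tcsh", "csh", "zsh", "ksh"
+) or not process.executable : ("/usr/bin/*", "/bin/*")
+) and not (
+cidrmatch(destination.ip, "127.0.0.0/8", "169.254.0.0/16", "224.0.0.0/4", "::1") or destination.port in (
+20, 21, 22, 23, 25, 53, 67, 68, 69, 80, 110, 123, 137, 138, 139, 143, 161, 162, 179, 443, 445, 465, 514, 515,
+587,636, 989, 990, 993, 995, 1025, 1026, 1080, 1194, 1433, 1434, 1521, 1701, 1723, 1812, 1813, 2082, 2083, 2086,
+2087, 2095, 2096, 2121, 2483, 2484, 3306, 3389, 3478, 3497, 3544, 3689, 3784, 3785, 389, 3998, 5060, 5061, 5190,
+5222, 5223, 5228, 5432, 5500, 554, 5631, 5632, 5800, 5801, 5900, 5901, 8000, 8008, 8080, 8081, 8443, 8888, 9100,
+9200, 9443, 10000
+) or source.port in (
+20, 21, 22, 23, 25, 53, 67, 68, 69, 80, 110, 123, 137, 138, 139, 143, 161, 162, 179, 443, 445, 465, 514, 515,
+587, 636, 989, 990, 993, 995, 1025, 1026, 1080, 1194, 1433, 1434, 1521, 1701, 1723, 1812, 1813, 2082, 2083, 2086,
+2087, 2095, 2096, 2121, 2483, 2484, 3306, 3389, 3478, 3497, 3544, 3689, 3784, 3785, 389, 3998, 5060, 5061, 5190,
+5222, 5223, 5228, 5432, 5500, 554, 5631, 5632, 5800, 5801, 5900, 5901, 8000, 8008, 8080, 8081, 8443, 8888, 9100,
+9200, 9443, 10000)
+)
+] by destination.ip
+[network where event.dataset == "network_traffic.flow" and host.os.type == "linux" and event.action == "network_flow"
+and event.type == "connection" and source.packets == 1 and flow.final == false and not (
+cidrmatch(destination.ip, "127.0.0.0/8", "169.254.0.0/16", "224.0.0.0/4", "::1") or destination.port in (
+20, 21, 22, 23, 25, 53, 67, 68, 69, 80, 110, 123, 137, 138, 139, 143, 161, 162, 179, 443, 445, 465, 514, 515,
+587,636, 989, 990, 993, 995, 1025, 1026, 1080, 1194, 1433, 1434, 1521, 1701, 1723, 1812, 1813, 2082, 2083, 2086,
+2087, 2095, 2096, 2121, 2483, 2484, 3306, 3389, 3478, 3497, 3544, 3689, 3784, 3785, 389, 3998, 5060, 5061, 5190,
+5222, 5223, 5228, 5432, 5500, 554, 5631, 5632, 5800, 5801, 5900, 5901, 8000, 8008, 8080, 8081, 8443, 8888, 9100,
+9200, 9443, 10000
+) or source.port in (
+20, 21, 22, 23, 25, 53, 67, 68, 69, 80, 110, 123, 137, 138, 139, 143, 161, 162, 179, 443, 445, 465, 514, 515,
+587, 636, 989, 990, 993, 995, 1025, 1026, 1080, 1194, 1433, 1434, 1521, 1701, 1723, 1812, 1813, 2082, 2083, 2086,
+2087, 2095, 2096, 2121, 2483, 2484, 3306, 3389, 3478, 3497, 3544, 3689, 3784, 3785, 389, 3998, 5060, 5061, 5190,
+5222, 5223, 5228, 5432, 5500, 554, 5631, 5632, 5800, 5801, 5900, 5901, 8000, 8008, 8080, 8081, 8443, 8888, 9100,
+9200, 9443, 10000)
+)
+] by source.ip
+'''
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+[rule.threat.tactic]
+id = "TA0011"
+name = "Command and Control"
+reference = "https://attack.mitre.org/tactics/TA0011/"
+[[rule.threat.technique]]
+id = "T1571"
+name = "Non-Standard Port"
+reference = "https://attack.mitre.org/techniques/T1571/"
+[[rule.threat.technique]]
+id = "T1205"
+name = "Traffic Signaling"
+reference = "https://attack.mitre.org/techniques/T1205/"
+[[rule.threat.technique.subtechnique]]
+id = "T1205.001"
+name = "Port Knocking"
+reference = "https://attack.mitre.org/techniques/T1205/001/"
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+[rule.threat.tactic]
+id = "TA0005"
+name = "Defense Evasion"
+reference = "https://attack.mitre.org/tactics/TA0005/"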
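Review bot: The four well-known-port exclusion lists in `query` (the `destination.port in (...)` and `source.port in (...)` clauses of both sequence steps) are unsorted — `389` sits between `3785` and `3998`, `554` between `5500` and `5631` — and the separators differ between copies (`587,636` in the destination lists, `587, 636` in the source lists), so a reader cannot easily confirm the four copies are identical or notice a port dropped from only one of them on the next edit. Sorting each list numerically and normalizing the `, ` separators would make the copies mechanically comparable; since EQL gives no way to declare the list once, a comment above `query` such as `# The port exclusion list appears four times below; keep all copies identical.` would help whoever edits it next. The second `[[rule.threat]]` entry (TA0005, Defense Evasion) carries no `[[rule.threat.technique]]`, while T1205 / T1205.001 are listed only under the Command and Control entry; if leaving TA0005 technique-less is deliberate, a short comment saying so would avoid repeating the "Mitre list fix?" / revert cycle visible in the commit history. Separately, `process.name : "*"` in the first step only requires the field to be populated and is presumably meant as an existence guard for the `process.name : (...)` / `process.executable` branch that follows; a trailing `# require process.name to be set` would make that intent explicit.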