From c2eb386789c366cf2c135b831bb97389c8e5b685 Mon Sep 17 00:00:00 2001
From: Ruben Groenewoud <78494512+Aegrah@users.noreply.github.com>
Date: Wed, 24 Jan 2024 16:30:31 +0100
Subject: [PATCH] [New BBR] Reverse Connection through Port Knocking (#3219)

* [New BBR] Reverse Connection through Port Knocking

* Attempt to fix unit testing error

* Mitre list fix?

* Revert "Mitre list fix?"

This reverts commit 83682b8a58c2954911495d218392a33ee0615db2.

* Update command_and_control_linux_port_knocking_reverse_connection.toml

* Update command_and_control_linux_port_knocking_reverse_connection.toml

* Update rules_building_block/command_and_control_linux_port_knocking_reverse_connection.toml

* Update command_and_control_linux_port_knocking_reverse_connection.toml

* Update command_and_control_linux_port_knocking_reverse_connection.toml

---------

Co-authored-by: Colson Wilhoit <48036388+DefSecSentinel@users.noreply.github.com>

(cherry picked from commit a66394c550a7ed3e0286f33a0379e7a355fec14b)
---
 ...inux_port_knocking_reverse_connection.toml | 108 ++++++++++++++++++
 1 file changed, 108 insertions(+)
 create mode 100644 rules_building_block/command_and_control_linux_port_knocking_reverse_connection.toml

diff --git a/rules_building_block/command_and_control_linux_port_knocking_reverse_connection.toml b/rules_building_block/command_and_control_linux_port_knocking_reverse_connection.toml
new file mode 100644
index 000000000..d77219877
--- /dev/null
+++ b/rules_building_block/command_and_control_linux_port_knocking_reverse_connection.toml
@@ -0,0 +1,108 @@
+[metadata]
+bypass_bbr_timing = true
+creation_date = "2023/10/24"
+integration = ["endpoint", "network_traffic"]
+maturity = "production"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2023/10/24"
+
+[rule]
+author = ["Elastic"]
+building_block_type = "default"
+description = """
+Monitors for a sequence of network activity on atypical ports, prior to receiving a single packet on such a non-standard
+port, which potentially indicates signal port knocking activity. Port knocking is a covert method of externally opening
+ports by sending a sequence of packets to previously closed ports, which adversaries may leverage to discreetly gain
+access without directly alerting traditional monitoring systems.
+"""
+from = "now-9m"
+index = ["logs-endpoint.events.*", "logs-network_traffic.*"]
+language = "eql"
+license = "Elastic License v2"
+name = "Potential Linux Reverse Connection through Port Knocking"
+references = ["https://github.com/f0rb1dd3n/Reptile"]
+risk_score = 21
+rule_id = "86c3157c-a951-4a4f-989b-2f0d0f1f9518"
+severity = "low"
+tags = [
+        "Domain: Endpoint",
+        "OS: Linux",
+        "Use Case: Threat Detection",
+        "Tactic: Command and Control",
+        "Data Source: Elastic Defend",
+        "Rule Type: BBR"
+        ]
+type = "eql"
+query = '''
+sequence by host.id with maxspan=10s
+  [network where host.os.type == "linux" and event.action in ("connection_accepted", "connection_attempted") and 
+    event.type == "start" and process.name : "*" and (
+      process.name : (
+        "python*", "php*", "perl*", "ruby", "lua*", "openssl", "nc", "netcat", "ncat", "telnet",
+        "awk", "gawk", "mawk", "nawk", "bash", "dash", "sh", "tcsh", "csh", "zsh", "ksh"
+      ) or not process.executable : ("/usr/bin/*", "/bin/*")
+    ) and not (
+       cidrmatch(destination.ip, "127.0.0.0/8", "169.254.0.0/16", "224.0.0.0/4", "::1") or destination.port in (
+         20, 21, 22, 23, 25, 53, 67, 68, 69, 80, 110, 123, 137, 138, 139, 143, 161, 162, 179, 443, 445, 465, 514, 515,
+         587,636, 989, 990, 993, 995, 1025, 1026, 1080, 1194, 1433, 1434, 1521, 1701, 1723, 1812, 1813, 2082, 2083, 2086,
+         2087, 2095, 2096, 2121, 2483, 2484, 3306, 3389, 3478, 3497, 3544, 3689, 3784, 3785, 389, 3998, 5060, 5061, 5190,
+         5222, 5223, 5228, 5432, 5500, 554, 5631, 5632, 5800, 5801, 5900, 5901, 8000, 8008, 8080, 8081, 8443, 8888, 9100,
+         9200, 9443, 10000
+       ) or source.port in (
+         20, 21, 22, 23, 25, 53, 67, 68, 69, 80, 110, 123, 137, 138, 139, 143, 161, 162, 179, 443, 445, 465, 514, 515,
+         587, 636, 989, 990, 993, 995, 1025, 1026, 1080, 1194, 1433, 1434, 1521, 1701, 1723, 1812, 1813, 2082, 2083, 2086,
+         2087, 2095, 2096, 2121, 2483, 2484, 3306, 3389, 3478, 3497, 3544, 3689, 3784, 3785, 389, 3998, 5060, 5061, 5190,
+         5222, 5223, 5228, 5432, 5500, 554, 5631, 5632, 5800, 5801, 5900, 5901, 8000, 8008, 8080, 8081, 8443, 8888, 9100,
+         9200, 9443, 10000)
+      )
+  ] by destination.ip
+  [network where event.dataset == "network_traffic.flow" and host.os.type == "linux" and event.action == "network_flow"
+    and event.type == "connection" and source.packets == 1 and flow.final == false and not (
+      cidrmatch(destination.ip, "127.0.0.0/8", "169.254.0.0/16", "224.0.0.0/4", "::1") or destination.port in (
+        20, 21, 22, 23, 25, 53, 67, 68, 69, 80, 110, 123, 137, 138, 139, 143, 161, 162, 179, 443, 445, 465, 514, 515,
+        587,636, 989, 990, 993, 995, 1025, 1026, 1080, 1194, 1433, 1434, 1521, 1701, 1723, 1812, 1813, 2082, 2083, 2086,
+        2087, 2095, 2096, 2121, 2483, 2484, 3306, 3389, 3478, 3497, 3544, 3689, 3784, 3785, 389, 3998, 5060, 5061, 5190,
+        5222, 5223, 5228, 5432, 5500, 554, 5631, 5632, 5800, 5801, 5900, 5901, 8000, 8008, 8080, 8081, 8443, 8888, 9100,
+        9200, 9443, 10000
+      ) or source.port in (
+        20, 21, 22, 23, 25, 53, 67, 68, 69, 80, 110, 123, 137, 138, 139, 143, 161, 162, 179, 443, 445, 465, 514, 515,
+        587, 636, 989, 990, 993, 995, 1025, 1026, 1080, 1194, 1433, 1434, 1521, 1701, 1723, 1812, 1813, 2082, 2083, 2086,
+        2087, 2095, 2096, 2121, 2483, 2484, 3306, 3389, 3478, 3497, 3544, 3689, 3784, 3785, 389, 3998, 5060, 5061, 5190,
+        5222, 5223, 5228, 5432, 5500, 554, 5631, 5632, 5800, 5801, 5900, 5901, 8000, 8008, 8080, 8081, 8443, 8888, 9100,
+        9200, 9443, 10000)
+      )
+  ] by source.ip
+'''
+
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+
+[rule.threat.tactic]
+id = "TA0011"
+name = "Command and Control"
+reference = "https://attack.mitre.org/tactics/TA0011/"
+
+[[rule.threat.technique]]
+id = "T1571"
+name = "Non-Standard Port"
+reference = "https://attack.mitre.org/techniques/T1571/"
+
+[[rule.threat.technique]]
+id = "T1205"
+name = "Traffic Signaling"
+reference = "https://attack.mitre.org/techniques/T1205/"
+
+[[rule.threat.technique.subtechnique]]
+id = "T1205.001"
+name = "Port Knocking"
+reference = "https://attack.mitre.org/techniques/T1205/001/"
+
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+
+[rule.threat.tactic]
+id = "TA0005"
+name = "Defense Evasion"
+reference = "https://attack.mitre.org/tactics/TA0005/"
+