From c4fea2fc00ff37b69ce218d190b4be4d7c3b0c00 Mon Sep 17 00:00:00 2001 From: shashank-elastic <91139415+shashank-elastic@users.noreply.github.com> Date: Sat, 5 Mar 2022 01:16:19 +0530 Subject: [PATCH] [New Rule] Linux Restricted Shell Breakout via the Vi command (#1809) * new:rule:issue-1808 vi shell evasion threat * Update rules/linux/defense_evasion_vi_binary.toml * Update rules/linux/defense_evasion_vi_binary.toml Co-authored-by: Justin Ibarra * new:rule:issue-1808 vi shell evasion threat * new:rule:issue-1808 vi shell evasion threat * new:rule:issue-1808 vi shell evasion threat * Update rules/linux/defense_evasion_vi_binary.toml Co-authored-by: Colson Wilhoit <48036388+DefSecSentinel@users.noreply.github.com> Co-authored-by: Justin Ibarra (cherry picked from commit 2a82f18e437f598651143aa6719162589eebd31f) --- rules/linux/defense_evasion_vi_binary.toml | 67 ++++++++++++++++++++++ 1 file changed, 67 insertions(+) create mode 100644 rules/linux/defense_evasion_vi_binary.toml diff --git a/rules/linux/defense_evasion_vi_binary.toml b/rules/linux/defense_evasion_vi_binary.toml new file mode 100644 index 000000000..2f3a714e1 --- /dev/null +++ b/rules/linux/defense_evasion_vi_binary.toml @@ -0,0 +1,67 @@ +[metadata] +creation_date = "2022/03/03" +maturity = "production" +updated_date = "2022/03/03" + +[rule] +author = ["Elastic"] +description = """ +Identifies Linux binary find abuse to break out from restricted environments by spawning an interactive system shell. +This activity is not standard use with this binary for a user or system administrator and could potentially indicate +malicious actor attempting to improve the capabilities or stability of their access." +""" +from = "now-9m" +index = ["logs-endpoint.events.*"] +language = "eql" +license = "Elastic License v2" +name = "Linux Restricted Shell Breakout via the vi command" +references = ["https://gtfobins.github.io/gtfobins/vi/"] +risk_score = 47 +rule_id = "89583d1b-3c2e-4606-8b74-0a9fd2248e88" +severity = "medium" +tags = ["Elastic", "Host", "Linux", "Threat Detection", "Defense Evasion", "GTFOBins"] +timestamp_override = "event.ingested" +type = "eql" + +query = ''' +sequence by host.id,process.pid with maxspan=1m +[process where process.name == "vi" and process.args : "-c" and process.args : (":!/bin/bash", ":!/bin/sh", ":!bash", ":!sh")] +[process where process.parent.name == "vi" and process.name : ("bash", "sh")] +''' + + +[[rule.threat]] +framework = "MITRE ATT&CK" +[[rule.threat.technique]] +id = "T1548" +name = "Abuse Elevation Control Mechanism" +reference = "https://attack.mitre.org/techniques/T1548/" +[[rule.threat.technique.subtechnique]] +id = "T1548.004" +name = "Elevated Execution with Prompt" +reference = "https://attack.mitre.org/techniques/T1548/004/" + + + +[rule.threat.tactic] +id = "TA0005" +name = "Defense Evasion" +reference = "https://attack.mitre.org/tactics/TA0005/" +[[rule.threat]] +framework = "MITRE ATT&CK" +[[rule.threat.technique]] +id = "T1059" +name = "Command and Scripting Interpreter" +reference = "https://attack.mitre.org/techniques/T1059/" +[[rule.threat.technique.subtechnique]] +id = "T1059.004" +name = "Unix Shell" +reference = "https://attack.mitre.org/techniques/T1059/004/" + + + +[rule.threat.tactic] +id = "TA0002" +name = "Execution" +reference = "https://attack.mitre.org/tactics/TA0002/" +