security-tools/sigma-rules
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

[New Rule] Unusual SSHD Child Process (#4303)

Browse Source 
* [New Rule] Unusual SSHD Child Process

* Update persistence_unusual_sshd_child_process.toml
This commit is contained in:
Ruben Groenewoud
2025-01-03 14:50:43 +01:00
committed by GitHub
parent c7fe940206
commit c9c8e3501e
1 changed files with 98 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files
rules/linux/persistence_unusual_sshd_child_process.toml
+98
View File
@@ -0,0 +1,98 @@
[metadata]
creation_date = "2024/12/16"
integration = ["endpoint"]
maturity = "production"
updated_date = "2024/12/16"
[rule]
author = ["Elastic"]
description = """
This rule detects the creation of an unusual SSHD child process through the usage of the `new_terms` rule type.
Attackers may abuse SSH to maintain persistence on a compromised system, or to establish a backdoor for remote access,
potentially resulting in an unusual SSHD child process being created.
"""
from = "now-9m"
index = ["logs-endpoint.events.process*"]
language = "kuery"
license = "Elastic License v2"
name = "Unusual SSHD Child Process"
references = ["https://hadess.io/the-art-of-linux-persistence/"]
risk_score = 47
rule_id = "4c3c6c47-e38f-4944-be27-5c80be973bd7"
severity = "medium"
tags = [
"Domain: Endpoint",
"OS: Linux",
"Use Case: Threat Detection",
"Tactic: Persistence",
"Data Source: Elastic Defend"
]
timestamp_override = "event.ingested"
type = "new_terms"
query = '''
event.category:process and host.os.type:linux and event.type:start and event.action:exec and
process.parent.name:(ssh or sshd) and process.args_count:2 and
not process.command_line:(-bash or -zsh or -sh)
'''
[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1546"
name = "Event Triggered Execution"
reference = "https://attack.mitre.org/techniques/T1546/"
[[rule.threat.technique.subtechnique]]
id = "T1546.004"
name = "Unix Shell Configuration Modification"
reference = "https://attack.mitre.org/techniques/T1546/004/"
[rule.threat.tactic]
id = "TA0003"
name = "Persistence"
reference = "https://attack.mitre.org/tactics/TA0003/"
[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1021"
name = "Remote Services"
reference = "https://attack.mitre.org/techniques/T1021/"
[[rule.threat.technique.subtechnique]]
id = "T1021.004"
name = "SSH"
reference = "https://attack.mitre.org/techniques/T1021/004/"
[[rule.threat.technique]]
id = "T1563"
name = "Remote Service Session Hijacking"
reference = "https://attack.mitre.org/techniques/T1563/"
[[rule.threat.technique.subtechnique]]
id = "T1563.001"
name = "SSH Hijacking"
reference = "https://attack.mitre.org/techniques/T1563/001/"
[rule.threat.tactic]
id = "TA0008"
name = "Lateral Movement"
reference = "https://attack.mitre.org/tactics/TA0008/"
[[rule.threat]]
framework = "MITRE ATT&CK"
[rule.threat.tactic]
id = "TA0011"
name = "Command and Control"
reference = "https://attack.mitre.org/tactics/TA0011/"
[rule.new_terms]
field = "new_terms_fields"
value = ["process.executable"]
[[rule.new_terms.history_window_start]]
field = "history_window_start"
value = "now-14d"