From c9c8e3501e7504bdfd2b240c2b7cb117264ecd54 Mon Sep 17 00:00:00 2001
From: Ruben Groenewoud <78494512+Aegrah@users.noreply.github.com>
Date: Fri, 3 Jan 2025 14:50:43 +0100
Subject: [PATCH] [New Rule] Unusual SSHD Child Process (#4303)

* [New Rule] Unusual SSHD Child Process

* Update persistence_unusual_sshd_child_process.toml
---
...ersistence_unusual_sshd_child_process.toml | 98 +++++++++++++++++++
1 file changed, 98 insertions(+)
create mode 100644 rules/linux/persistence_unusual_sshd_child_process.toml

diff --git a/rules/linux/persistence_unusual_sshd_child_process.toml b/rules/linux/persistence_unusual_sshd_child_process.toml
new file mode 100644
index 000000000..83eae707d
--- /dev/null
+++ b/rules/linux/persistence_unusual_sshd_child_process.toml
@@ -0,0 +1,98 @@
+[metadata]
+creation_date = "2024/12/16"
+integration = ["endpoint"]
+maturity = "production"
+updated_date = "2024/12/16"
+
+[rule]
+author = ["Elastic"]
+description = """
+This rule detects the creation of an unusual SSHD child process through the usage of the `new_terms` rule type.
+Attackers may abuse SSH to maintain persistence on a compromised system, or to establish a backdoor for remote access,
+potentially resulting in an unusual SSHD child process being created.
+"""
+from = "now-9m"
+index = ["logs-endpoint.events.process*"]
+language = "kuery"
+license = "Elastic License v2"
+name = "Unusual SSHD Child Process"
+references = ["https://hadess.io/the-art-of-linux-persistence/"]
+risk_score = 47
+rule_id = "4c3c6c47-e38f-4944-be27-5c80be973bd7"
+severity = "medium"
+tags = [
+ "Domain: Endpoint",
+ "OS: Linux",
+ "Use Case: Threat Detection",
+ "Tactic: Persistence",
+ "Data Source: Elastic Defend"
+]
+timestamp_override = "event.ingested"
+type = "new_terms"
+query = '''
+event.category:process and host.os.type:linux and event.type:start and event.action:exec and
+process.parent.name:(ssh or sshd) and process.args_count:2 and
+not process.command_line:(-bash or -zsh or -sh)
+'''
+
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+
+[[rule.threat.technique]]
+id = "T1546"
+name = "Event Triggered Execution"
+reference = "https://attack.mitre.org/techniques/T1546/"
+
+[[rule.threat.technique.subtechnique]]
+id = "T1546.004"
+name = "Unix Shell Configuration Modification"
+reference = "https://attack.mitre.org/techniques/T1546/004/"
+
+[rule.threat.tactic]
+id = "TA0003"
+name = "Persistence"
+reference = "https://attack.mitre.org/tactics/TA0003/"
+
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+
+[[rule.threat.technique]]
+id = "T1021"
+name = "Remote Services"
+reference = "https://attack.mitre.org/techniques/T1021/"
+
+[[rule.threat.technique.subtechnique]]
+id = "T1021.004"
+name = "SSH"
+reference = "https://attack.mitre.org/techniques/T1021/004/"
+
+[[rule.threat.technique]]
+id = "T1563"
+name = "Remote Service Session Hijacking"
+reference = "https://attack.mitre.org/techniques/T1563/"
+
+[[rule.threat.technique.subtechnique]]
+id = "T1563.001"
+name = "SSH Hijacking"
+reference = "https://attack.mitre.org/techniques/T1563/001/"
+
+[rule.threat.tactic]
+id = "TA0008"
+name = "Lateral Movement"
+reference = "https://attack.mitre.org/tactics/TA0008/"
+
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+
+[rule.threat.tactic]
+id = "TA0011"
+name = "Command and Control"
+reference = "https://attack.mitre.org/tactics/TA0011/"
+
+[rule.new_terms]
+field = "new_terms_fields"
+value = ["process.executable"]
+
+[[rule.new_terms.history_window_start]]
+field = "history_window_start"
+value = "now-14d"
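Review bot: The `new_terms` baseline in `[rule.new_terms]` at the end of the hunk keys on `process.executable` alone, so as far as I can tell an executable that has been seen once as an sshd child anywhere in the fleet during the 14-day window will no longer alert on any other host; making the term per host, `value = ["host.id", "process.executable"]`, keeps a first-seen sshd child on a given host alerting. The shell exclusion in `query` would read more clearly with quoted values, `not process.command_line:("-bash" or "-zsh" or "-sh")`, since the leading `-` is the login-shell argv[0] convention rather than an operator and the unquoted form invites misreading. The parent filter `process.parent.name:(ssh or sshd)` also admits children of the ssh client (for example ProxyCommand helpers) while `name` and `description` speak only of SSHD; either narrow it to `sshd` or mention the client case in the description so triage expectations match the query. A `setup` key naming the Elastic Defend integration requirement and a `note` with triage guidance (how to tell a benign forced-command or subsystem child from a tampered login, and that `process.args_count:2` deliberately leaves out `sh -c` style children) would bring this production rule in line with the rest of the rule set.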