From d4c426a0221ed1b57c9b23e2f41bfca63b4dab04 Mon Sep 17 00:00:00 2001 From: shashank-elastic <91139415+shashank-elastic@users.noreply.github.com> Date: Mon, 21 Mar 2022 22:46:53 +0530 Subject: [PATCH] [New Rule] cpulimit shell evasion threat (#1851) * cpulimit shell evasion threat * Update rules/linux/execution_cpulimit_binary.toml Co-authored-by: Justin Ibarra * Update rules/linux/execution_cpulimit_binary.toml Co-authored-by: Justin Ibarra Co-authored-by: Justin Ibarra (cherry picked from commit 2ab5a1f44af75c1cb7ac7db26dfa804957500483) --- rules/linux/execution_cpulimit_binary.toml | 52 ++++++++++++++++++++++ 1 file changed, 52 insertions(+) create mode 100644 rules/linux/execution_cpulimit_binary.toml diff --git a/rules/linux/execution_cpulimit_binary.toml b/rules/linux/execution_cpulimit_binary.toml new file mode 100644 index 000000000..4e47d5086 --- /dev/null +++ b/rules/linux/execution_cpulimit_binary.toml @@ -0,0 +1,52 @@ +[metadata] +creation_date = "2022/03/17" +maturity = "production" +updated_date = "2022/03/17" + +[rule] +author = ["Elastic"] +description = """ +Identifies Linux binary cpulimit abuse to break out from restricted environments by spawning an interactive system +shell. The cpulimit utility is used to restrict the CPU usage of a process in cases of CPU or system load exceeding the +defined threshold and the activity of spawning a shell is not a standard use of this binary by a user or system +administrator. This can potentially indicate a malicious actor attempting to improve the capabilities or stability of their +access. +""" +from = "now-9m" +index = ["logs-endpoint.events.*"] +language = "eql" +license = "Elastic License v2" +name = "Linux Restricted Shell Breakout via cpulimit Shell Evasion" +references = ["https://gtfobins.github.io/gtfobins/cpulimit/"] +risk_score = 47 +rule_id = "0968cfbd-40f0-4b1c-b7b1-a60736c7b241" +severity = "medium" +tags = ["Elastic", "Host", "Linux", "Threat Detection", "Execution", "GTFOBins"] +timestamp_override = "event.ingested" +type = "eql" + +query = ''' +sequence by host.id, process.pid with maxspan=1m +[process where event.type == "start" and process.name == "cpulimit" and process.args == "-f" and process.args : ("/bin/sh", "/bin/bash", "/bin/dash", "sh", "bash", "dash")] +[process where process.parent.name == "cpulimit" and process.name : ("bash", "sh", "dash")] +''' + + +[[rule.threat]] +framework = "MITRE ATT&CK" +[[rule.threat.technique]] +id = "T1059" +name = "Command and Scripting Interpreter" +reference = "https://attack.mitre.org/techniques/T1059/" +[[rule.threat.technique.subtechnique]] +id = "T1059.004" +name = "Unix Shell" +reference = "https://attack.mitre.org/techniques/T1059/004/" + + + +[rule.threat.tactic] +id = "TA0002" +name = "Execution" +reference = "https://attack.mitre.org/tactics/TA0002/" +