[New Rule] Sus Network Activity from Unknown Executable (#2856)

* [New Rule] Sus Network Activity from Unknown Executable * Update command_and_control_suspicious_network_activity_from_unknown_executable.toml * Update rules/linux/command_and_control_suspicious_network_activity_from_unknown_executable.toml Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com> * Update rules/linux/command_and_control_suspicious_network_activity_from_unknown_executable.toml Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com> * added endgame support, changed min stack comment * Update rules/linux/command_and_control_suspicious_network_activity_from_unknown_executable.toml Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com> --------- Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>
2023-06-14 23:27:29 +02:00
parent b4a218ed1c
commit dc05f1d8f3
1 changed files with 98 additions and 0 deletions
@@ -0,0 +1,98 @@
+[metadata]
+creation_date = "2023/06/14"
+integration = ["endpoint"]
+maturity = "production"
+min_stack_comments = "Multiple field support in the New Terms rule type was added in Elastic 8.6"
+min_stack_version = "8.6.0"
+updated_date = "2023/06/14"
+
+[rule]
+author = ["Elastic"]
+description = """
+This rule monitors for network connectivity to the internet from a previously unknown executable located in a suspicious
+directory to a previously unknown destination ip. An alert from this rule can indicate the presence of potentially 
+malicious activity, such as the execution of unauthorized or suspicious processes attempting to establish connections to 
+unknown or suspicious destinations such as a command and control server. Detecting and investigating such behavior can 
+help identify and mitigate potential security threats, protecting the system and its data from potential compromise.
+"""
+from = "now-59m"
+index = ["auditbeat-*", "filebeat-*", "packetbeat-*", "logs-endpoint.events.*", "endgame-*"]
+language = "kuery"
+license = "Elastic License v2"
+name = "Suspicious Network Activity to the Internet by Previously Unknown Executable"
+risk_score = 21
+rule_id = "53617418-17b4-4e9c-8a2c-8deb8086ca4b"
+severity = "low"
+tags = ["Elastic", "Host", "Linux", "Threat Detection", "Network", "Command and Control", "Elastic Endgame"]
+timestamp_override = "event.ingested"
+type = "new_terms"
+query = '''
+host.os.type : "linux" and event.category : "network" and 
+event.action : ("connection_attempted" or "ipv4_connection_attempt_event") and 
+process.executable : ( 
+  /tmp/* or /var/tmp/* or /dev/shm/* or /etc/init.d/* or /etc/rc*.d/* or /etc/crontab or /etc/cron.*/* or 
+  /etc/update-motd.d/* or /usr/lib/update-notifier/* or /home/*/.* or /boot/* or /srv/* or /run/* or /etc/rc.local) and
+source.ip : (
+  127.0.0.0/8 or
+  10.0.0.0/8 or
+  172.16.0.0/12 or
+  192.168.0.0/16 
+  ) and not destination.ip : (
+  10.0.0.0/8 or
+  127.0.0.0/8 or
+  169.254.0.0/16 or
+  172.16.0.0/12 or
+  192.0.0.0/24 or
+  192.0.0.0/29 or
+  192.0.0.8/32 or
+  192.0.0.9/32 or
+  192.0.0.10/32 or
+  192.0.0.170/32 or
+  192.0.0.171/32 or
+  192.0.2.0/24 or
+  192.31.196.0/24 or
+  192.52.193.0/24 or
+  192.168.0.0/16 or
+  192.88.99.0/24 or
+  224.0.0.0/4 or
+  100.64.0.0/10 or
+  192.175.48.0/24 or
+  198.18.0.0/15 or
+  198.51.100.0/24 or
+  203.0.113.0/24 or
+  240.0.0.0/4 or
+  "::1" or
+  "FE80::/10" or
+  "FF00::/8"
+  ) and not process.executable : (
+  "/usr/bin/wget" or
+  "/usr/bin/curl" or 
+  "/usr/bin/apt" or 
+  "/usr/bin/dpkg" or 
+  "/usr/bin/yum" or
+  "/usr/bin/rpm" or
+  "/usr/bin/dnf" or
+  "/usr/bin/dockerd"
+  )
+'''
+
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+
+[[rule.threat.technique]]
+id = "T1071"
+name = "Application Layer Protocol"
+reference = "https://attack.mitre.org/techniques/T1071/"
+
+[rule.threat.tactic]
+id = "TA0011"
+name = "Command and Control"
+reference = "https://attack.mitre.org/tactics/TA0011/"
+
+[rule.new_terms]
+field = "new_terms_fields"
+value = ["destination.ip", "process.executable"]
+
+[[rule.new_terms.history_window_start]]
+field = "history_window_start"
+value = "now-2d"