From dc05f1d8f3a67c4e7a765d886153218089227d73 Mon Sep 17 00:00:00 2001
From: Ruben Groenewoud <78494512+Aegrah@users.noreply.github.com>
Date: Wed, 14 Jun 2023 23:27:29 +0200
Subject: [PATCH] [New Rule] Sus Network Activity from Unknown Executable (#2856)

* [New Rule] Sus Network Activity from Unknown Executable
* Update command_and_control_suspicious_network_activity_from_unknown_executable.toml
* Update rules/linux/command_and_control_suspicious_network_activity_from_unknown_executable.toml
Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>
* Update rules/linux/command_and_control_suspicious_network_activity_from_unknown_executable.toml
Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>
* added endgame support, changed min stack comment
* Update rules/linux/command_and_control_suspicious_network_activity_from_unknown_executable.toml
Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>
---------
Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>
---
 ...work_activity_from_unknown_executable.toml | 98 +++++++++++++++++++
 1 file changed, 98 insertions(+)
 create mode 100644 rules/linux/command_and_control_suspicious_network_activity_from_unknown_executable.toml
diff --git a/rules/linux/command_and_control_suspicious_network_activity_from_unknown_executable.toml b/rules/linux/command_and_control_suspicious_network_activity_from_unknown_executable.toml
new file mode 100644
index 000000000..597c3bad2
--- /dev/null
+++ b/rules/linux/command_and_control_suspicious_network_activity_from_unknown_executable.toml
@@ -0,0 +1,98 @@
+[metadata]
+creation_date = "2023/06/14"
+integration = ["endpoint"]
+maturity = "production"
+min_stack_comments = "Multiple field support in the New Terms rule type was added in Elastic 8.6"
+min_stack_version = "8.6.0"
+updated_date = "2023/06/14"
+
+[rule]
+author = ["Elastic"]
+description = """
+This rule monitors for network connectivity to the internet from a previously unknown executable located in a suspicious
+directory to a previously unknown destination ip. An alert from this rule can indicate the presence of potentially
+malicious activity, such as the execution of unauthorized or suspicious processes attempting to establish connections to
+unknown or suspicious destinations such as a command and control server. Detecting and investigating such behavior can
+help identify and mitigate potential security threats, protecting the system and its data from potential compromise.
+"""
+from = "now-59m"
+index = ["auditbeat-*", "filebeat-*", "packetbeat-*", "logs-endpoint.events.*", "endgame-*"]
+language = "kuery"
+license = "Elastic License v2"
+name = "Suspicious Network Activity to the Internet by Previously Unknown Executable"
+risk_score = 21
+rule_id = "53617418-17b4-4e9c-8a2c-8deb8086ca4b"
+severity = "low"
+tags = ["Elastic", "Host", "Linux", "Threat Detection", "Network", "Command and Control", "Elastic Endgame"]
+timestamp_override = "event.ingested"
+type = "new_terms"
+query = '''
+host.os.type : "linux" and event.category : "network" and
+event.action : ("connection_attempted" or "ipv4_connection_attempt_event") and
+process.executable : (
+ /tmp/* or /var/tmp/* or /dev/shm/* or /etc/init.d/* or /etc/rc*.d/* or /etc/crontab or /etc/cron.*/* or
+ /etc/update-motd.d/* or /usr/lib/update-notifier/* or /home/*/.* or /boot/* or /srv/* or /run/* or /etc/rc.local) and
+source.ip : (
+ 127.0.0.0/8 or
+ 10.0.0.0/8 or
+ 172.16.0.0/12 or
+ 192.168.0.0/16
+ ) and not destination.ip : (
+ 10.0.0.0/8 or
+ 127.0.0.0/8 or
+ 169.254.0.0/16 or
+ 172.16.0.0/12 or
+ 192.0.0.0/24 or
+ 192.0.0.0/29 or
+ 192.0.0.8/32 or
+ 192.0.0.9/32 or
+ 192.0.0.10/32 or
+ 192.0.0.170/32 or
+ 192.0.0.171/32 or
+ 192.0.2.0/24 or
+ 192.31.196.0/24 or
+ 192.52.193.0/24 or
+ 192.168.0.0/16 or
+ 192.88.99.0/24 or
+ 224.0.0.0/4 or
+ 100.64.0.0/10 or
+ 192.175.48.0/24 or
+ 198.18.0.0/15 or
+ 198.51.100.0/24 or
+ 203.0.113.0/24 or
+ 240.0.0.0/4 or
+ "::1" or
+ "FE80::/10" or
+ "FF00::/8"
+ ) and not process.executable : (
+ "/usr/bin/wget" or
+ "/usr/bin/curl" or
+ "/usr/bin/apt" or
+ "/usr/bin/dpkg" or
+ "/usr/bin/yum" or
+ "/usr/bin/rpm" or
+ "/usr/bin/dnf" or
+ "/usr/bin/dockerd"
+ )
+'''
+
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+
+[[rule.threat.technique]]
+id = "T1071"
+name = "Application Layer Protocol"
+reference = "https://attack.mitre.org/techniques/T1071/"
+
+[rule.threat.tactic]
+id = "TA0011"
+name = "Command and Control"
+reference = "https://attack.mitre.org/tactics/TA0011/"
+
+[rule.new_terms]
+field = "new_terms_fields"
+value = ["destination.ip", "process.executable"]
+
+[[rule.new_terms.history_window_start]]
+field = "history_window_start"
+value = "now-2d"
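Review bot: The trailing `not process.executable : ("/usr/bin/wget" or ... "/usr/bin/dockerd")` clause in the query cannot match anything, because none of those eight `/usr/bin/` paths fall under the suspicious-directory patterns required earlier by `process.executable : (/tmp/* or /var/tmp/* ... or /etc/rc.local)`; either drop the clause or, if it is meant as a guard for when the include list is widened, say so in the rule's description. The `source.ip` restriction to loopback and RFC 1918 ranges also means a Linux host that holds a public address (common for cloud instances without NAT) never matches, which is a coverage limit worth stating in the description alongside the existing text. The destination exclusions nest redundantly (`192.0.0.0/29` and the `192.0.0.8/32` ... `192.0.0.171/32` entries are already inside `192.0.0.0/24`), so the list could be shortened without changing results. Finally, with `history_window_start` at `now-2d` and `from` at `now-59m`, any legitimate job in `/etc/cron.*/*` that runs less often than every two days will re-alert each time it runs; a one-line comment above `value = "now-2d"` explaining why a two-day baseline was chosen would help tuners.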