From e30dc312e43b254da008ef71a2e416b3cc35b5b2 Mon Sep 17 00:00:00 2001
From: Samirbous <64742097+Samirbous@users.noreply.github.com>
Date: Thu, 5 Sep 2024 20:13:32 +0100
Subject: [PATCH] [Tuning] Potential Execution via XZBackdoor (#4053)
* Update persistence_suspicious_ssh_execution_xzbackdoor.toml
* Update persistence_suspicious_ssh_execution_xzbackdoor.toml
---
 .../persistence_suspicious_ssh_execution_xzbackdoor.toml | 6 ++++--
 1 file changed, 4 insertions(+), 2 deletions(-)
diff --git a/rules/linux/persistence_suspicious_ssh_execution_xzbackdoor.toml b/rules/linux/persistence_suspicious_ssh_execution_xzbackdoor.toml
index 77654c11f..5273d85f3 100644
--- a/rules/linux/persistence_suspicious_ssh_execution_xzbackdoor.toml
+++ b/rules/linux/persistence_suspicious_ssh_execution_xzbackdoor.toml
@@ -2,7 +2,7 @@
 creation_date = "2024/04/01"
 integration = ["endpoint"]
 maturity = "production"
-updated_date = "2024/05/21"
+updated_date = "2024/09/03"
 [rule]
 author = ["Elastic"]
@@ -36,7 +36,9 @@ sequence by host.id, user.id with maxspan=1s
 [process where host.os.type == "linux" and event.type == "start" and event.action == "exec" and process.name == "sshd" and process.args == "-D" and process.args == "-R"] by process.pid, process.entity_id
 [process where host.os.type == "linux" and event.type == "start" and event.action == "exec" and process.parent.name == "sshd" and
- process.executable != "/usr/sbin/sshd"] by process.parent.pid, process.parent.entity_id
+ process.executable != null and
+ not process.executable in ("/usr/sbin/sshd", "/usr/sbin/unix_chkpwd", "/usr/bin/google_authorized_keys", "/usr/bin/fipscheck") and
+ process.command_line != "sh -c /usr/bin/env -i PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin run-parts --lsbsysinit /etc/update-motd.d > /run/motd.dynamic.new"] by process.parent.pid, process.parent.entity_id
 [process where host.os.type == "linux" and event.action == "end" and process.name == "sshd" and process.exit_code != 0] by process.pid, process.entity_id
 [network where host.os.type == "linux" and event.type == "end" and event.action == "disconnect_received" and process.name == "sshd"] by process.pid, process.entity_id
 '''
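Review bot: The new `not process.executable in (...)` allowlist in the second `[process ...]` clause exempts by absolute path alone, so anything sshd spawns from `/usr/bin/fipscheck`, `/usr/bin/google_authorized_keys` or `/usr/sbin/unix_chkpwd` is never evaluated by this rule — defensible only on the assumption that an injected sshd launches a shell rather than one of those binaries, and that assumption is not recorded anywhere in the rule. The exact-string `process.command_line` exclusion for the motd `run-parts` command is the safer form and should stay exact: a wildcard rewrite to cover other PATH values would let an attacker-controlled command append `; <payload>` after the trusted prefix, so if it is ever widened keep the literal tail `> /run/motd.dynamic.new` anchored. `process.executable != null` additionally drops any sshd child for which the sensor reported no path; if that is intended as a data-quality guard it deserves a line in the rule's `note`, e.g. `sshd children without a resolved process.executable are not evaluated by this rule.` The `sequence` this clause belongs to begins before the hunk.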