security-tools/sigma-rules
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

[Tuning & New Rule] Linux Reverse Shell & DR Tuning (#3254)

Browse Source 
* [Rule Tuning & New Rule] Linux Reverse Shell

* [Tuning & New Rule] Linux Reverse Shells

* Name change

* Update rules/linux/execution_shell_via_child_tcp_utility_linux.toml

Co-authored-by: shashank-elastic <91139415+shashank-elastic@users.noreply.github.com>

* Update execution_shell_via_child_tcp_utility_linux.toml

* Update execution_shell_via_background_process.toml

---------

Co-authored-by: shashank-elastic <91139415+shashank-elastic@users.noreply.github.com>

(cherry picked from commit 84824c67fd)
This commit is contained in:
Ruben Groenewoud
2023-12-18 09:36:21 +01:00
committed by github-actions[bot]
parent 7e07c12fd8
commit ee5fa810aa
9 changed files with 185 additions and 43 deletions
Download Patch File Download Diff File Expand all files Collapse all files
rules/linux/execution_shell_suspicious_parent_child_revshell_linux.toml → rules/_deprecated/execution_shell_suspicious_parent_child_revshell_linux.toml
+28 -20
View File
@@ -1,7 +1,8 @@
[metadata]
creation_date = "2023/07/04"
deprecation_date = "2023/11/02"
integration = ["endpoint"]
maturity = "production"
maturity = "deprecated"
min_stack_comments = "New fields added: required_fields, related_integrations, setup"
min_stack_version = "8.3.0"
updated_date = "2023/11/02"
@@ -10,8 +11,8 @@ updated_date = "2023/11/02"
author = ["Elastic"]
description = """
This detection rule detects the creation of a shell through a suspicious parent child relationship. Any reverse shells
spawned by the specified utilities that use a forked process to initialize the connection attempt will be captured
through this rule. Attackers may spawn reverse shells to establish persistence onto a target system.
spawned by the specified utilities that use a forked process to initialize the connection attempt will be captured
through this rule. Attackers may spawn reverse shells to establish persistence onto a target system.
"""
from = "now-9m"
index = ["logs-endpoint.events.*"]
@@ -20,12 +21,11 @@ license = "Elastic License v2"
name = "Deprecated - Potential Reverse Shell via Suspicious Parent Process"
note = "This rule was deprecated due to its addition to the umbrella `Potential Reverse Shell via Suspicious Child Process` (76e4d92b-61c1-4a95-ab61-5fd94179a1ee) rule."
references = [
"https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/Methodology%20and%20Resources/Reverse%20Shell%20Cheatsheet.md"
"https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/Methodology%20and%20Resources/Reverse%20Shell%20Cheatsheet.md",
]
risk_score = 47
rule_id = "4b1a807a-4e7b-414e-8cea-24bf580f6fc5"
setup = """
This rule requires data coming in from Elastic Defend.
### Elastic Defend Integration Setup
@@ -51,8 +51,15 @@ For more details on Elastic Defend refer to the [helper guide](https://www.elast
"""
severity = "medium"
tags = ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Execution", "Data Source: Elastic Defend"]
tags = [
"Domain: Endpoint",
"OS: Linux",
"Use Case: Threat Detection",
"Tactic: Execution",
"Data Source: Elastic Defend",
]
type = "eql"
query = '''
sequence by host.id, process.parent.entity_id with maxspan=1s
[ process where host.os.type == "linux" and event.type == "start" and event.action == "fork" and (
@@ -71,33 +78,34 @@ sequence by host.id, process.parent.entity_id with maxspan=1s
destination.ip != null and destination.ip != "127.0.0.1" and destination.ip != "::1" ]
'''
[[rule.threat]]
framework = "MITRE ATT&CK"
[rule.threat.tactic]
name = "Execution"
id = "TA0002"
reference = "https://attack.mitre.org/tactics/TA0002/"
[[rule.threat.technique]]
id = "T1059"
name = "Command and Scripting Interpreter"
reference = "https://attack.mitre.org/techniques/T1059/"
[[rule.threat.technique.subtechnique]]
id = "T1059.004"
name = "Unix Shell"
reference = "https://attack.mitre.org/techniques/T1059/004/"
[[rule.threat]]
framework = "MITRE ATT&CK"
[rule.threat.tactic]
id = "TA0002"
name = "Execution"
reference = "https://attack.mitre.org/tactics/TA0002/"
[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1071"
name = "Application Layer Protocol"
reference = "https://attack.mitre.org/techniques/T1071/"
[rule.threat.tactic]
name = "Command and Control"
id = "TA0011"
name = "Command and Control"
reference = "https://attack.mitre.org/tactics/TA0011/"
[[rule.threat.technique]]
name = "Application Layer Protocol"
id = "T1071"
reference = "https://attack.mitre.org/techniques/T1071/"
rules/linux/execution_shell_via_background_process.toml
+1 -6
View File
@@ -47,12 +47,7 @@ For more details on Elastic Defend refer to the [helper guide](https://www.elast
"""
severity = "medium"
timestamp_override = "event.ingested"
tags = ["Domain: Endpoint",
"OS: Linux",
"Use Case: Threat Detection",
"Tactic: Execution",
"Data Source: Elastic Defend"
]
tags = ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Execution", "Data Source: Elastic Defend"]
type = "eql"
query = '''
process where host.os.type == "linux" and event.action == "exec" and event.type == "start" and
rules/linux/execution_shell_via_child_tcp_utility_linux.toml
+102
View File
@@ -0,0 +1,102 @@
[metadata]
creation_date = "2023/11/02"
integration = ["endpoint"]
maturity = "production"
min_stack_comments = "New fields added: required_fields, related_integrations, setup"
min_stack_version = "8.3.0"
updated_date = "2023/11/02"
[rule]
author = ["Elastic"]
description = """
This detection rule identifies suspicious network traffic patterns associated with TCP reverse shell activity. This
activity consists of a network event that is followed by the creation of a shell process with suspicious command line
arguments. An attacker may establish a Linux TCP reverse shell to gain remote access to a target system.
"""
from = "now-9m"
index = ["logs-endpoint.events.*"]
language = "eql"
license = "Elastic License v2"
name = "Potential Reverse Shell via Child"
references = [
"https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/Methodology%20and%20Resources/Reverse%20Shell%20Cheatsheet.md"
]
risk_score = 47
rule_id = "2138bb70-5a5e-42fd-be5e-b38edf6a6777"
setup = """
This rule requires data coming in from Elastic Defend.
### Elastic Defend Integration Setup
Elastic Defend is integrated into the Elastic Agent using Fleet. Upon configuration, the integration allows
the Elastic Agent to monitor events on your host and send data to the Elastic Security app.
#### Prerequisite Requirements:
- Fleet is required for Elastic Defend.
- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).
#### The following steps should be executed in order to add the Elastic Defend integration on a Linux System:
- Go to the Kibana home page and click Add integrations.
- In the query bar, search for Elastic Defend and select the integration to see more details about it.
- Click Add Elastic Defend.
- Configure the integration name and optionally add a description.
- Select the type of environment you want to protect, either Traditional Endpoints or Cloud Workloads.
- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).
- We suggest to select "Complete EDR (Endpoint Detection and Response)" as a configuration setting, that provides "All events; all preventions"
- Enter a name for the agent policy in New agent policy name. If other agent policies already exist, you can click the Existing hosts tab and select an existing policy instead.
For more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/8.10/agent-policy.html).
- Click Save and Continue.
- To complete the integration, select Add Elastic Agent to your hosts and continue to the next section to install the Elastic Agent on your hosts.
For more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).
"""
severity = "medium"
tags = [
"Domain: Endpoint",
"OS: Linux",
"Use Case: Threat Detection",
"Tactic: Execution",
"Data Source: Elastic Defend"
]
type = "eql"
query = '''
sequence by host.id, process.entity_id with maxspan=5s
[network where event.type == "start" and event.action in ("connection_attempted", "connection_accepted") and
process.name : ("bash", "dash", "sh", "tcsh", "csh", "zsh", "ksh", "fish", "socat") and destination.ip != null and
not cidrmatch(destination.ip, "127.0.0.0/8", "169.254.0.0/16", "224.0.0.0/4", "::1")]
[process where event.type == "start" and event.action == "exec" and
process.name in ("bash", "dash", "sh", "tcsh", "csh", "zsh", "ksh", "fish") and (
(process.args : ("-i", "-l")) or (process.parent.name == "socat" and process.parent.args : "*exec*")
)]
'''
[[rule.threat]]
framework = "MITRE ATT&CK"
[rule.threat.tactic]
name = "Execution"
id = "TA0002"
reference = "https://attack.mitre.org/tactics/TA0002/"
[[rule.threat.technique]]
id = "T1059"
name = "Command and Scripting Interpreter"
reference = "https://attack.mitre.org/techniques/T1059/"
[[rule.threat.technique.subtechnique]]
id = "T1059.004"
name = "Unix Shell"
reference = "https://attack.mitre.org/techniques/T1059/004/"
[[rule.threat]]
framework = "MITRE ATT&CK"
[rule.threat.tactic]
name = "Command and Control"
id = "TA0011"
reference = "https://attack.mitre.org/tactics/TA0011/"
[[rule.threat.technique]]
name = "Application Layer Protocol"
id = "T1071"
reference = "https://attack.mitre.org/techniques/T1071/"
rules/linux/execution_shell_via_java_revshell_linux.toml
+15 -4
View File
@@ -49,7 +49,13 @@ For more details on Elastic Defend refer to the [helper guide](https://www.elast
"""
severity = "medium"
tags = ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Execution", "Data Source: Elastic Defend"]
tags = [
"Domain: Endpoint",
"OS: Linux",
"Use Case: Threat Detection",
"Tactic: Execution",
"Data Source: Elastic Defend"
]
type = "eql"
query = '''
sequence by host.id with maxspan=5s
@@ -57,9 +63,14 @@ sequence by host.id with maxspan=5s
process.executable : ("/usr/bin/java", "/bin/java", "/usr/lib/jvm/*", "/usr/java/*") and
destination.ip != null and destination.ip != "127.0.0.1" and destination.ip != "::1"
] by process.entity_id
[process where host.os.type == "linux" and event.action == "exec" and
process.parent.executable : ("/usr/bin/java", "/bin/java", "/usr/lib/jvm/*", "/usr/java/*") and
process.parent.args : "-jar" and process.name in ("bash", "dash", "ash", "sh", "tcsh", "csh", "zsh", "ksh", "fish")
[process where host.os.type == "linux" and event.action == "exec" and process.parent.executable : (
"/usr/bin/java", "/bin/java", "/usr/lib/jvm/*", "/usr/java/*"
) and process.parent.args : "-jar" and process.name in (
"bash", "dash", "ash", "sh", "tcsh", "csh", "zsh", "ksh", "fish"
) and not process.args : (
"-xe", "/tmp/jenkins*.sh", "*/var/lib/jenkins/workspace/*", "vmstat*", "asterisk*", "mpstat*", "/usr/bin/ps*", "umask", "*yum*", "uptime -s",
"df -h . | awk '{print $2}'", "free | awk \"/Mem:/\" | awk '{print $2}'"
)
] by process.parent.entity_id
'''
rules/linux/execution_shell_via_lolbin_interpreter_linux.toml
+3 -1
View File
@@ -76,7 +76,9 @@ sequence by host.id, process.entity_id with maxspan=1s
(process.name : "php*" and process.args : "-r" and process.args : "*fsockopen*" and process.args : "*/bin/*sh*") or
(process.name : ("awk", "gawk", "mawk", "nawk") and process.args : "*/inet/tcp/*") or
(process.name : "openssl" and process.args : "-connect") or
(process.name : ("nc", "ncat", "netcat") and process.args_count >= 3 and not process.args == "-z") or
(process.name : ("nc", "ncat", "netcat") and process.args_count >= 3 and not process.args in (
"-z", "-zv", "-vz", "-v"
)) or
(process.name : "telnet" and process.args_count >= 3)
) and process.parent.name : (
"bash", "dash", "sh", "tcsh", "csh", "zsh", "ksh", "fish", "python*", "php*", "perl", "ruby", "lua*",
rules/linux/execution_shell_via_meterpreter_linux.toml
+6 -1
View File
@@ -60,7 +60,12 @@ However, if more advanced configuration is required to detect specific behavior,
"""
severity = "medium"
tags = ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Execution"]
tags = [
"Domain: Endpoint",
"OS: Linux",
"Use Case: Threat Detection",
"Tactic: Execution"
]
timestamp_override = "event.ingested"
type = "eql"
query = '''
rules/linux/execution_shell_via_suspicious_binary.toml
+7 -1
View File
@@ -51,7 +51,13 @@ For more details on Elastic Defend refer to the [helper guide](https://www.elast
"""
severity = "medium"
tags = ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Execution", "Data Source: Elastic Defend"]
tags = [
"Domain: Endpoint",
"OS: Linux",
"Use Case: Threat Detection",
"Tactic: Execution",
"Data Source: Elastic Defend"
]
type = "eql"
query = '''
sequence by host.id, process.entity_id with maxspan=1s
rules/linux/execution_shell_via_tcp_cli_utility_linux.toml
+15 -9
View File
@@ -50,17 +50,23 @@ For more details on Elastic Defend refer to the [helper guide](https://www.elast
"""
severity = "medium"
tags = ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Execution", "Data Source: Elastic Defend"]
tags = [
"Domain: Endpoint",
"OS: Linux",
"Use Case: Threat Detection",
"Tactic: Execution",
"Data Source: Elastic Defend"
]
type = "eql"
query = '''
sequence by host.id with maxspan=1s
[network where host.os.type == "linux" and event.type == "start" and event.action in ("connection_attempted", "connection_accepted") and
process.name : ("bash", "dash", "sh", "tcsh", "csh", "zsh", "ksh", "fish", "socat") and
destination.ip != null and destination.ip != "127.0.0.1" and destination.ip != "::1"] by process.entity_id
[process where host.os.type == "linux" and event.type == "start" and event.action in ("exec", "fork") and
process.name in ("bash", "dash", "sh", "tcsh", "csh", "zsh", "ksh", "fish") and
process.parent.name in ("bash", "dash", "sh", "tcsh", "csh", "zsh", "ksh", "fish", "socat") and not
process.args : "*imunify360-agent*"] by process.parent.entity_id
sequence by host.id with maxspan=5s
[network where event.type == "start" and event.action in ("connection_attempted", "connection_accepted") and
process.name : ("bash", "dash", "sh", "tcsh", "csh", "zsh", "ksh", "fish", "socat") and destination.ip != null and
not cidrmatch(destination.ip, "127.0.0.0/8", "169.254.0.0/16", "224.0.0.0/4", "::1")] by process.entity_id
[process where event.type == "start" and event.action in ("exec", "fork") and
process.name in ("bash", "dash", "sh", "tcsh", "csh", "zsh", "ksh", "fish") and (
(process.args : ("-i", "-l")) or (process.parent.name == "socat" and process.parent.args : "*exec*")
)] by process.parent.entity_id
'''
[[rule.threat]]
rules_building_block/discovery_suspicious_which_command_execution.toml
+8 -1
View File
@@ -22,7 +22,14 @@ name = "Suspicious which Enumeration"
risk_score = 21
rule_id = "5b18eef4-842c-4b47-970f-f08d24004bde"
severity = "low"
tags = ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Discovery", "Data Source: Elastic Defend", "Rule Type: BBR"]
tags = [
"Domain: Endpoint",
"OS: Linux",
"Use Case: Threat Detection",
"Tactic: Discovery",
"Data Source: Elastic Defend",
"Rule Type: BBR"
]
timestamp_override = "event.ingested"
type = "eql"
building_block_type = "default"