security-tools/sigma-rules
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

[Rule Tuning] Potential Reverse Shell via UDP (#3508)

Browse Source 
(cherry picked from commit a6028b43b3)
This commit is contained in:
Ruben Groenewoud
2024-03-21 13:48:41 +01:00
committed by github-actions[bot]
parent 4f0bd6e165
commit f0a06bc56b
1 changed files with 14 additions and 16 deletions
Download Patch File Download Diff File Expand all files Collapse all files
rules/linux/execution_shell_via_udp_cli_utility_linux.toml
+14 -16
View File
@@ -4,7 +4,7 @@ integration = ["auditd_manager"]
maturity = "production"
min_stack_comments = "The sampling feature within EQL was introduced in 8.6.0"
min_stack_version = "8.6.0"
updated_date = "2024/02/19"
updated_date = "2024/03/13"
[rule]
author = ["Elastic"]
@@ -71,22 +71,20 @@ timestamp_override = "event.ingested"
type = "eql"
query = '''
sample by host.id, process.pid, process.parent.pid
[process where host.os.type == "linux" and auditd.data.syscall == "execve" and process.name : (
"bash", "dash", "sh", "tcsh", "csh", "zsh", "ksh", "fish", "perl", "python*", "nc", "ncat", "netcat", "php*",
"ruby", "openssl", "awk", "telnet", "lua*", "socat"
)
]
[process where host.os.type == "linux" and event.type == "start" and event.action == "executed" and process.name : (
"bash", "dash", "sh", "tcsh", "csh", "zsh", "ksh", "fish", "perl", "python*", "nc", "ncat", "netcat", "php*",
"ruby", "openssl", "awk", "telnet", "lua*", "socat"
)]
[process where host.os.type == "linux" and auditd.data.syscall == "socket" and process.name : (
"bash", "dash", "sh", "tcsh", "csh", "zsh", "ksh", "fish", "perl", "python*", "nc", "ncat", "netcat", "php*",
"ruby", "openssl", "awk", "telnet", "lua*", "socat"
) and
auditd.data.a0 == "2" and auditd.data.a1 : ("2", "802")]
[network where host.os.type == "linux" and auditd.data.syscall == "connect" and process.name : (
"bash", "dash", "sh", "tcsh", "csh", "zsh", "ksh", "fish", "perl", "python*", "nc", "ncat", "netcat", "php*",
"ruby", "openssl", "awk", "telnet", "lua*", "socat"
) and
network.direction == "egress" and destination.ip != null and destination.ip != "127.0.0.1" and
destination.ip != "127.0.0.53" and destination.ip != "::1"]
"bash", "dash", "sh", "tcsh", "csh", "zsh", "ksh", "fish", "perl", "python*", "nc", "ncat", "netcat", "php*",
"ruby", "openssl", "awk", "telnet", "lua*", "socat"
) and auditd.data.a1 == "2"]
[network where host.os.type == "linux" and event.type == "start" and event.action == "connected-to" and
process.name : (
"bash", "dash", "sh", "tcsh", "csh", "zsh", "ksh", "fish", "perl", "python*", "nc", "ncat", "netcat", "php*",
"ruby", "openssl", "awk", "telnet", "lua*", "socat"
) and network.direction == "egress" and destination.ip != null and
not cidrmatch(destination.ip, "127.0.0.0/8", "169.254.0.0/16", "224.0.0.0/4", "::1")]
'''
[[rule.threat]]