From f0a06bc56bc8405ee975d961744003be8c304057 Mon Sep 17 00:00:00 2001
From: Ruben Groenewoud <78494512+Aegrah@users.noreply.github.com>
Date: Thu, 21 Mar 2024 13:48:41 +0100
Subject: [PATCH] [Rule Tuning] Potential Reverse Shell via UDP (#3508)
(cherry picked from commit a6028b43b3cd77e83615924182733c6e612c56c2)
---
 ...ution_shell_via_udp_cli_utility_linux.toml | 30 +++++++++----------
 1 file changed, 14 insertions(+), 16 deletions(-)
diff --git a/rules/linux/execution_shell_via_udp_cli_utility_linux.toml b/rules/linux/execution_shell_via_udp_cli_utility_linux.toml
index cdb7c1bd3..0f609ef43 100644
--- a/rules/linux/execution_shell_via_udp_cli_utility_linux.toml
+++ b/rules/linux/execution_shell_via_udp_cli_utility_linux.toml
@@ -4,7 +4,7 @@ integration = ["auditd_manager"]
 maturity = "production"
 min_stack_comments = "The sampling feature within EQL was introduced in 8.6.0"
 min_stack_version = "8.6.0"
-updated_date = "2024/02/19"
+updated_date = "2024/03/13"
 
 [rule]
 author = ["Elastic"]
@@ -71,22 +71,20 @@ timestamp_override = "event.ingested"
 type = "eql"
 query = '''
 sample by host.id, process.pid, process.parent.pid
- [process where host.os.type == "linux" and auditd.data.syscall == "execve" and process.name : (
- "bash", "dash", "sh", "tcsh", "csh", "zsh", "ksh", "fish", "perl", "python*", "nc", "ncat", "netcat", "php*",
- "ruby", "openssl", "awk", "telnet", "lua*", "socat"
- )
- ]
+ [process where host.os.type == "linux" and event.type == "start" and event.action == "executed" and process.name : (
+ "bash", "dash", "sh", "tcsh", "csh", "zsh", "ksh", "fish", "perl", "python*", "nc", "ncat", "netcat", "php*",
+ "ruby", "openssl", "awk", "telnet", "lua*", "socat"
+ )]
 [process where host.os.type == "linux" and auditd.data.syscall == "socket" and process.name : (
- "bash", "dash", "sh", "tcsh", "csh", "zsh", "ksh", "fish", "perl", "python*", "nc", "ncat", "netcat", "php*",
- "ruby", "openssl", "awk", "telnet", "lua*", "socat"
- ) and
- auditd.data.a0 == "2" and auditd.data.a1 : ("2", "802")]
-[network where host.os.type == "linux" and auditd.data.syscall == "connect" and process.name : (
- "bash", "dash", "sh", "tcsh", "csh", "zsh", "ksh", "fish", "perl", "python*", "nc", "ncat", "netcat", "php*",
- "ruby", "openssl", "awk", "telnet", "lua*", "socat"
- ) and
- network.direction == "egress" and destination.ip != null and destination.ip != "127.0.0.1" and
- destination.ip != "127.0.0.53" and destination.ip != "::1"]
+ "bash", "dash", "sh", "tcsh", "csh", "zsh", "ksh", "fish", "perl", "python*", "nc", "ncat", "netcat", "php*",
+ "ruby", "openssl", "awk", "telnet", "lua*", "socat"
+ ) and auditd.data.a1 == "2"]
+ [network where host.os.type == "linux" and event.type == "start" and event.action == "connected-to" and
+ process.name : (
+ "bash", "dash", "sh", "tcsh", "csh", "zsh", "ksh", "fish", "perl", "python*", "nc", "ncat", "netcat", "php*",
+ "ruby", "openssl", "awk", "telnet", "lua*", "socat"
+ ) and network.direction == "egress" and destination.ip != null and
+ not cidrmatch(destination.ip, "127.0.0.0/8", "169.254.0.0/16", "224.0.0.0/4", "::1")]
 '''
 
 [[rule.threat]]
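Review bot: The socket filter's new `auditd.data.a1 == "2"` condition is both looser and tighter than the `auditd.data.a0 == "2" and auditd.data.a1 : ("2", "802")` it replaces: without the address-family test an AF_UNIX datagram socket (such as the one a logging library opens for syslog) now satisfies the filter, while a UDP socket whose type argument carries a flag bit — the `"802"` the old lines accepted, in auditd's hex encoding — no longer does. Because `sample` imposes no ordering and the network filter never checks the transport, the AF_UNIX case can be joined with an ordinary TCP egress from the same process, which is a likely false-positive source on hosts where scripts log to syslog. Keeping the family check while still widening coverage would read `) and auditd.data.a0 : ("2", "a") and auditd.data.a1 : ("2", "802")]`, with `"a"` standing for AF_INET6 if IPv6 coverage was the reason for dropping `a0`. Separately, the new `cidrmatch` list passes `"::1"` without a prefix length; please confirm the function accepts a bare address, or write `"::1/128"` like the IPv4 entries.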