diff --git a/rules/network/command_and_control_telnet_port_activity.toml b/rules/network/command_and_control_accepted_default_telnet_port_connection.toml
similarity index 80%
rename from rules/network/command_and_control_telnet_port_activity.toml
rename to rules/network/command_and_control_accepted_default_telnet_port_connection.toml
index 2e080d1e7..637b173c3 100644
--- a/rules/network/command_and_control_telnet_port_activity.toml
+++ b/rules/network/command_and_control_accepted_default_telnet_port_connection.toml
@@ -1,9 +1,9 @@
 [metadata]
 creation_date = "2020/02/18"
 maturity = "production"
-updated_date = "2022/08/24"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
+updated_date = "2022/10/20"
 
 [rule]
 author = ["Elastic"]
@@ -11,8 +11,8 @@ description = """
 This rule detects network events that may indicate the use of Telnet traffic. Telnet is commonly used by system
 administrators to remotely control older or embedded systems using the command line shell. It should almost never be
 directly exposed to the Internet, as it is frequently targeted and exploited by threat actors as an initial access or
-backdoor vector. As a plain-text protocol, it may also expose usernames and passwords to anyone capable of observing
-the traffic.
+backdoor vector. As a plain-text protocol, it may also expose usernames and passwords to anyone capable of observing the
+traffic.
 """
 false_positives = [
     """
@@ -26,18 +26,31 @@ from = "now-9m"
 index = ["auditbeat-*", "filebeat-*", "packetbeat-*", "logs-endpoint.events.*"]
 language = "kuery"
 license = "Elastic License v2"
-name = "Telnet Port Activity"
+name = "Accepted Default Telnet Port Connection"
 risk_score = 47
 rule_id = "34fde489-94b0-4500-a76f-b8a157cf9269"
 severity = "medium"
-tags = ["Elastic", "Host", "Network", "Threat Detection", "Command and Control", "Host"]
+tags = [
+    "Elastic",
+    "Host",
+    "Network",
+    "Threat Detection",
+    "Command and Control",
+    "Host",
+    "Lateral Movement",
+    "Initial Access",
+]
 timeline_id = "300afc76-072d-4261-864d-4149714bf3f1"
 timeline_title = "Comprehensive Network Timeline"
 timestamp_override = "event.ingested"
 type = "query"
 
 query = '''
-event.category:(network or network_traffic) and network.transport:tcp and destination.port:23
+event.category:(network or network_traffic) and destination.port:23
+  and network.direction:(inbound or ingress or outbound or egress)
+  and not event.action:(
+    flow_dropped or denied or deny or
+    flow_terminated or timeout or Reject or network_flow)
 '''
 
 
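Review bot: The rewritten query on the `+event.category` line drops `network.transport:tcp`, so UDP datagrams to port 23 (scanner probes, unrelated services) now match a rule named "Accepted … Connection"; keep the transport guard: `event.category:(network or network_traffic) and network.transport:tcp and destination.port:23`. The `not event.action:(...)` deny-list also treats any unlisted action value (`block`, `drop`, a lower-case `reject`) as an accepted connection, and if `event.action` is mapped as an ECS keyword the match is exact, so `Reject` does not cover `reject`; where the source fills ECS `event.type`, `and not event.type:denied` is a more portable exclusion. Requiring `network.direction` to be one of the four listed values silently excludes events from sources that do not populate that field, which narrows coverage relative to the old query and is not reflected in the description hunk. The rebuilt `tags` array also still lists `"Host"` twice.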
@@ -45,30 +58,31 @@ event.category:(network or network_traffic) and network.transport:tcp and destin
 framework = "MITRE ATT&CK"
 
 [rule.threat.tactic]
-reference = "https://attack.mitre.org/tactics/TA0011/"
 id = "TA0011"
 name = "Command and Control"
+reference = "https://attack.mitre.org/tactics/TA0011/"
 
 [[rule.threat]]
 framework = "MITRE ATT&CK"
 [[rule.threat.technique]]
-reference = "https://attack.mitre.org/techniques/T1021/"
 id = "T1021"
 name = "Remote Services"
+reference = "https://attack.mitre.org/techniques/T1021/"
 
 [rule.threat.tactic]
-reference = "https://attack.mitre.org/tactics/TA0008/"
 id = "TA0008"
 name = "Lateral Movement"
+reference = "https://attack.mitre.org/tactics/TA0008/"
 
 [[rule.threat]]
 framework = "MITRE ATT&CK"
 [[rule.threat.technique]]
-reference = "https://attack.mitre.org/techniques/T1190/"
 id = "T1190"
 name = "Exploit Public-Facing Application"
+reference = "https://attack.mitre.org/techniques/T1190/"
 
 [rule.threat.tactic]
-reference = "https://attack.mitre.org/tactics/TA0001/"
 id = "TA0001"
 name = "Initial Access"
+reference = "https://attack.mitre.org/tactics/TA0001/"
+