From fd1260c10977df4228c8b73632ac241bb87af697 Mon Sep 17 00:00:00 2001
From: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com>
Date: Mon, 7 Nov 2022 14:00:25 -0500
Subject: [PATCH] [Rule Tuning] Tune "Telnet Port Activity" Rule for Accepted Connections Only (#2374)

* adjusted query to include event action and network direction filters
* adjusted rule name and file name
* toml linted and tags updated
Co-authored-by: Colson Wilhoit <48036388+DefSecSentinel@users.noreply.github.com>
---
 ...epted_default_telnet_port_connection.toml} | 36 +++++++++++++------
 1 file changed, 25 insertions(+), 11 deletions(-)
 rename rules/network/{command_and_control_telnet_port_activity.toml => command_and_control_accepted_default_telnet_port_connection.toml} (80%)

diff --git a/rules/network/command_and_control_telnet_port_activity.toml b/rules/network/command_and_control_accepted_default_telnet_port_connection.toml
similarity index 80%
rename from rules/network/command_and_control_telnet_port_activity.toml
rename to rules/network/command_and_control_accepted_default_telnet_port_connection.toml
index 2e080d1e7..637b173c3 100644
--- a/rules/network/command_and_control_telnet_port_activity.toml
+++ b/rules/network/command_and_control_accepted_default_telnet_port_connection.toml
@@ -1,9 +1,9 @@
 [metadata]
 creation_date = "2020/02/18"
 maturity = "production"
-updated_date = "2022/08/24"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
+updated_date = "2022/10/20"
 
 [rule]
 author = ["Elastic"]
@@ -11,8 +11,8 @@ description = """
 This rule detects network events that may indicate the use of Telnet traffic. Telnet is commonly used by system
 administrators to remotely control older or embedded systems using the command line shell. It should almost never be
 directly exposed to the Internet, as it is frequently targeted and exploited by threat actors as an initial access or
-backdoor vector. As a plain-text protocol, it may also expose usernames and passwords to anyone capable of observing
-the traffic.
+backdoor vector. As a plain-text protocol, it may also expose usernames and passwords to anyone capable of observing the
+traffic.
 """
 false_positives = [
     """
@@ -26,18 +26,31 @@ from = "now-9m"
 index = ["auditbeat-*", "filebeat-*", "packetbeat-*", "logs-endpoint.events.*"]
 language = "kuery"
 license = "Elastic License v2"
-name = "Telnet Port Activity"
+name = "Accepted Default Telnet Port Connection"
 risk_score = 47
 rule_id = "34fde489-94b0-4500-a76f-b8a157cf9269"
 severity = "medium"
-tags = ["Elastic", "Host", "Network", "Threat Detection", "Command and Control", "Host"]
+tags = [
+    "Elastic",
+    "Host",
+    "Network",
+    "Threat Detection",
+    "Command and Control",
+    "Host",
+    "Lateral Movement",
+    "Initial Access",
+]
 timeline_id = "300afc76-072d-4261-864d-4149714bf3f1"
 timeline_title = "Comprehensive Network Timeline"
 timestamp_override = "event.ingested"
 type = "query"
 
 query = '''
-event.category:(network or network_traffic) and network.transport:tcp and destination.port:23
+event.category:(network or network_traffic) and destination.port:23
+  and network.direction:(inbound or ingress or outbound or egress)
+  and not event.action:(
+    flow_dropped or denied or deny or
+    flow_terminated or timeout or Reject or network_flow)
 '''
 
 
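Review bot: The rewritten query in the `@@ -26,18 +26,31 @@` hunk infers an accepted connection only by excluding a fixed list of event.action values, so any source whose vocabulary is not on that list is still reported as accepted — for example Elastic Endpoint's `connection_attempted`, which as far as I know is emitted for an outbound attempt whether or not the handshake completed, or a hypothetical firewall action spelled `dropped` or lowercase `reject` — and the new rule name therefore promises more than the query establishes. The hunk also drops `network.transport:tcp`, so datagrams to UDP port 23 now match even though Telnet is TCP-only; I would keep that clause, `event.category:(network or network_traffic) and network.transport:tcp and destination.port:23`, and either add a positive acceptance condition for the sources that emit one or say in the description that "accepted" here means "not carrying one of the listed deny/terminate actions". Note that these exclusions are case-sensitive keyword matches, which is why `Reject` and `deny` have to be listed separately, so any extension of the list needs the exact spelling each integration emits. The duplicated `"Host"` entry in the new tags array is carried over from the old line and could be dropped while the array is being reformatted.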
@@ -45,30 +58,31 @@ event.category:(network or network_traffic) and network.transport:tcp and destin
 framework = "MITRE ATT&CK"
 
 [rule.threat.tactic]
-reference = "https://attack.mitre.org/tactics/TA0011/"
 id = "TA0011"
 name = "Command and Control"
+reference = "https://attack.mitre.org/tactics/TA0011/"
 [[rule.threat]]
 framework = "MITRE ATT&CK"
 [[rule.threat.technique]]
-reference = "https://attack.mitre.org/techniques/T1021/"
 id = "T1021"
 name = "Remote Services"
+reference = "https://attack.mitre.org/techniques/T1021/"
 
 
 [rule.threat.tactic]
-reference = "https://attack.mitre.org/tactics/TA0008/"
 id = "TA0008"
 name = "Lateral Movement"
+reference = "https://attack.mitre.org/tactics/TA0008/"
 [[rule.threat]]
 framework = "MITRE ATT&CK"
 [[rule.threat.technique]]
-reference = "https://attack.mitre.org/techniques/T1190/"
 id = "T1190"
 name = "Exploit Public-Facing Application"
+reference = "https://attack.mitre.org/techniques/T1190/"
 
 
 [rule.threat.tactic]
-reference = "https://attack.mitre.org/tactics/TA0001/"
 id = "TA0001"
 name = "Initial Access"
+reference = "https://attack.mitre.org/tactics/TA0001/"
+