[Rule tuning] Linux binary(s) shell evasion threat
* Linux binary(s) git shell evasion threat
This commit is contained in:
shashank-elastic
@@ -1,12 +1,12 @@
|
||||
[metadata]
|
||||
creation_date = "2022/05/06"
|
||||
maturity = "production"
|
||||
updated_date = "2022/05/09"
|
||||
updated_date = "2022/05/25"
|
||||
|
||||
[rule]
|
||||
author = ["Elastic"]
|
||||
description = """
|
||||
Identifies Linux binary(s) abuse to breakout out of restricted shells or environments by spawning an interactive system
|
||||
Identifies Linux binary(s) abuse to breakout of restricted shells or environments by spawning an interactive system
|
||||
shell. The linux utility(s) activity of spawning shell is not a standard use of the binary for a user or system
|
||||
administrator. It may indicates an attempt to improve the capabilities or stability of an adversary access.
|
||||
"""
|
||||
@@ -15,6 +15,57 @@ index = ["logs-endpoint.events.*"]
|
||||
language = "eql"
|
||||
license = "Elastic License v2"
|
||||
name = "Linux Restricted Shell Breakout via Linux Binary(s)"
|
||||
note = """## Triage and analysis
|
||||
|
||||
### Investigating Shell Evasion via Linux Utilities
|
||||
Detection alerts from this rule indicate that a Linux utility has been abused to breakout of restricted shells or
|
||||
environments by spawning an interactive system shell.
|
||||
Here are some possible avenues of investigation:
|
||||
- Examine the entry point to the host and user in action via the Analyse View.
|
||||
- Identify the session entry leader and session user
|
||||
- Examine the contents of session leading to the abuse via the Session View.
|
||||
- Examine the command execution pattern in the session, which may lead to suspricous activities
|
||||
- Examine the execution of commands in the spawned shell.
|
||||
- Identify imment threat to the system from the executed commands
|
||||
- Take necessary incident response actions to contain any malicious behviour caused via this execution.
|
||||
|
||||
### Related rules
|
||||
|
||||
- A malicious spawned shell can execute any of the possible MITTRE ATT&CK vectors mainly to impair defences.
|
||||
- Hence its adviced to enable defence evasion and privilige escalation rules accordingly in your environment
|
||||
|
||||
### Response and remediation
|
||||
|
||||
Initiate the incident response process based on the outcome of the triage.
|
||||
|
||||
- If the triage releaved suspicious netwrok activity from the malicious spawned shell,
|
||||
- Isolate the involved host to prevent further post-compromise behavior.
|
||||
- If the triage identified malware execution via the maliciously spawned shell,
|
||||
- Search the environment for additional compromised hosts.
|
||||
- Implement temporary network rules, procedures, and segmentation to contain the malware.
|
||||
- Stop suspicious processes.
|
||||
- Immediately block the identified indicators of compromise (IoCs).
|
||||
- Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that
|
||||
attackers could use to reinfect the system.
|
||||
- If the triage revelaed defence evasion for imparing defenses
|
||||
- Isolate the involved host to prevent further post-compromise behavior.
|
||||
- Identified the disabled security guard components on the host and take necessary steps in renebaling the same.
|
||||
- If any tools have been disbaled / uninstalled or config tampered work towards reenabling the same.
|
||||
- If the triage revelaed addition of persistence mechanism exploit like auto start scripts
|
||||
- Isolate further login to the systems that can initae auto start scripts.
|
||||
- Identify the auto start scripts and disable and remove the same from the systems
|
||||
- If the triage revealed data crawling or data export via remote copy
|
||||
- Investigate credential exposure on systems compromised / used / decoded by the attacker during the data crawling
|
||||
- Intiate compromised credential deactivation and credential rotation process for all exposed crednetials.
|
||||
- Investiagte if any IPR data was accessed during the data crawling and take appropriate actions.
|
||||
- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.
|
||||
- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the
|
||||
mean time to respond (MTTR).
|
||||
|
||||
## Config
|
||||
|
||||
The session view analysis for the command alerted is avalible in versions 8.2 and above.
|
||||
"""
|
||||
references = [
|
||||
"https://gtfobins.github.io/gtfobins/apt/",
|
||||
"https://gtfobins.github.io/gtfobins/apt-get/",
|
||||
@@ -39,6 +90,7 @@ references = [
|
||||
"https://gtfobins.github.io/gtfobins/vim/",
|
||||
"https://gtfobins.github.io/gtfobins/capsh/",
|
||||
"https://gtfobins.github.io/gtfobins/byebug/",
|
||||
"https://gtfobins.github.io/gtfobins/git/",
|
||||
]
|
||||
risk_score = 47
|
||||
rule_id = "52376a86-ee86-4967-97ae-1a05f55816f0"
|
||||
@@ -55,7 +107,7 @@ process where event.type == "start" and
|
||||
|
||||
/* launching shells from unusual parents or parent+arg combos */
|
||||
(process.name in ("bash", "sh", "dash","ash") and
|
||||
(process.parent.name == "byebug") or
|
||||
(process.parent.name in ("byebug","git")) or
|
||||
|
||||
/* shells specified in parent args */
|
||||
/* nice rule is broken in 8.2 */
|
||||
@@ -101,3 +153,4 @@ reference = "https://attack.mitre.org/techniques/T1059/004/"
|
||||
id = "TA0002"
|
||||
name = "Execution"
|
||||
reference = "https://attack.mitre.org/tactics/TA0002/"
|
||||
|
||||
|
||||
Reference in New Issue
Block a user