[metadata] creation_date = "2023/07/04" integration = ["endpoint"] maturity = "production" min_stack_comments = "New fields added: required_fields, related_integrations, setup" min_stack_version = "8.3.0" updated_date = "2023/07/25" [rule] author = ["Elastic"] description = """ This detection rule detects the creation of a shell through a suspicious parent child relationship. Any reverse shells spawned by the specified utilities that use a forked process to initialize the connection attempt will be captured through this rule. Attackers may spawn reverse shells to establish persistence onto a target system. """ from = "now-9m" index = ["logs-endpoint.events.*"] language = "eql" license = "Elastic License v2" name = "Potential Reverse Shell via Suspicious Parent Process" references = [ "https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/Methodology%20and%20Resources/Reverse%20Shell%20Cheatsheet.md" ] risk_score = 47 rule_id = "4b1a807a-4e7b-414e-8cea-24bf580f6fc5" severity = "medium" tags = ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Execution"] type = "eql" query = ''' sequence by host.id, process.parent.entity_id with maxspan=1s [ process where host.os.type == "linux" and event.type == "start" and event.action == "fork" and ( (process.name : "python*" and process.args : "-c") or (process.name : "php*" and process.args : "-r") or (process.name : "perl" and process.args : "-e") or (process.name : "ruby" and process.args : ("-e", "-rsocket")) or (process.name : "lua*" and process.args : "-e") or (process.name : "openssl" and process.args : "-connect") or (process.name : ("nc", "ncat", "netcat") and process.args_count >= 3) or (process.name : "telnet" and process.args_count >= 3) or (process.name : "awk")) and process.parent.name : ("python*", "php*", "perl", "ruby", "lua*", "openssl", "nc", "netcat", "ncat", "telnet", "awk") ] [ network where host.os.type == "linux" and event.type == "start" and event.action == "connection_attempted" and process.name : ("python*", "php*", "perl", "ruby", "lua*", "openssl", "nc", "netcat", "ncat", "telnet", "awk") and destination.ip != null and destination.ip != "127.0.0.1" and destination.ip != "::1" ] ''' [[rule.threat]] framework = "MITRE ATT&CK" [rule.threat.tactic] name = "Execution" id = "TA0002" reference = "https://attack.mitre.org/tactics/TA0002/" [[rule.threat.technique]] id = "T1059" name = "Command and Scripting Interpreter" reference = "https://attack.mitre.org/techniques/T1059/" [[rule.threat.technique.subtechnique]] id = "T1059.004" name = "Unix Shell" reference = "https://attack.mitre.org/techniques/T1059/004/" [[rule.threat]] framework = "MITRE ATT&CK" [rule.threat.tactic] name = "Command and Control" id = "TA0011" reference = "https://attack.mitre.org/tactics/TA0011/" [[rule.threat.technique]] name = "Application Layer Protocol" id = "T1071" reference = "https://attack.mitre.org/techniques/T1071/"