security-tools/sigma-rules
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
1a4510c9d4d1586d367e480db8fa42577f014ad3
sigma-rules/rules/linux/execution_reverse_shell_via_named_pipe.toml
T
Jonhnathan 77c8665f11 [Rule Tuning] Add endgame support for Linux Rules (#2436) 
* [Rule Tuning] Add endgame support for Linux Rules

* [Rule Tuning] Add endgame support for Linux Rules

* .

* Update persistence_insmod_kernel_module_load.toml
2023-01-23 20:53:15 -03:00

68 lines
2.7 KiB
TOML
Raw Blame History

[metadata]
creation_date = "2022/11/14"
integration = ["endpoint"]
maturity = "production"
min_stack_comments = "New fields added: required_fields, related_integrations, setup"
min_stack_version = "8.3.0"
updated_date = "2022/12/20"
[rule]
author = ["Elastic"]
description = """
Identifies a reverse shell via the abuse of named pipes on Linux with the help of OpenSSL or Netcat. First in, first out
(FIFO) files are special files for reading and writing to by Linux processes. For this to work, a named pipe is created
and passed to a Linux shell where the use of a network connection tool such as Netcat or OpenSSL has been established.
The stdout and stderr are captured in the named pipe from the network connection and passed back to the shell for
execution.
"""
false_positives = [
"""
Netcat and OpenSSL are common tools used for establishing network connections and creating encryption keys. While
they are popular, capturing the stdout and stderr in a named pipe pointed to a shell is anomalous.
""",
]
from = "now-9m"
index = ["auditbeat-*", "logs-endpoint.events.*", "endgame-*"]
language = "eql"
license = "Elastic License v2"
name = "Reverse Shell Created via Named Pipe"
references = [
"https://int0x33.medium.com/day-43-reverse-shell-with-openssl-1ee2574aa998",
"https://blog.gregscharf.com/2021/03/22/tar-in-cronjob-to-privilege-escalation/",
"https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/Methodology%20and%20Resources/Reverse%20Shell%20Cheatsheet.md#openssl",
]
risk_score = 47
rule_id = "dd7f1524-643e-11ed-9e35-f661ea17fbcd"
severity = "medium"
tags = ["Elastic", "Host", "Linux", "Threat Detection", "Execution", "Investigation Guide", "Elastic Endgame"]
type = "eql"
query = '''
sequence by host.id with maxspan = 5s
[process where event.type == "start" and process.executable : ("/usr/bin/mkfifo","/usr/bin/mknod") and process.args:("/tmp/*","$*")]
[process where process.executable : ("/bin/sh","/bin/bash") and process.args:("-i") or
(process.executable: ("/usr/bin/openssl") and process.args: ("-connect"))]
[process where (process.name:("nc","ncat","netcat","netcat.openbsd","netcat.traditional") or
(process.name: "openssl" and process.executable: "/usr/bin/openssl"))]
'''
[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1059"
name = "Command and Scripting Interpreter"
reference = "https://attack.mitre.org/techniques/T1059/"
[[rule.threat.technique.subtechnique]]
id = "T1059.004"
name = "Unix Shell"
reference = "https://attack.mitre.org/techniques/T1059/004/"
[rule.threat.tactic]
id = "TA0002"
name = "Execution"
reference = "https://attack.mitre.org/tactics/TA0002/"
Reference in New Issue View Git Blame Copy Permalink