Jonhnathan
ac01718bb6
* [Rule Tuning] Add tags to flag Sysmon-only rules * Modify tags * Revert "Modify tags" This reverts commit 3d9267d171a41f727bb499501d71d5c4db4f0434. * Modify tags * Update test_all_rules.py * Update test_all_rules.py * Update test_all_rules.py * Update test_all_rules.py * Update test_all_rules.py
67 lines
2.6 KiB
TOML
67 lines
2.6 KiB
TOML
[metadata]
|
|
creation_date = "2022/11/14"
|
|
maturity = "production"
|
|
min_stack_comments = "New fields added: required_fields, related_integrations, setup"
|
|
min_stack_version = "8.3.0"
|
|
updated_date = "2022/11/14"
|
|
|
|
[rule]
|
|
author = ["Elastic"]
|
|
description = """
|
|
Identifies a reverse shell via the abuse of named pipes on Linux with the help of OpenSSL or Netcat. First in, first out
|
|
(FIFO) files are special files for reading and writing to by Linux processes. For this to work, a named pipe is created
|
|
and passed to a Linux shell where the use of a network connection tool such as Netcat or OpenSSL has been established.
|
|
The stdout and stderr are captured in the named pipe from the network connection and passed back to the shell for
|
|
execution.
|
|
"""
|
|
false_positives = [
|
|
"""
|
|
Netcat and OpenSSL are common tools used for establishing network connections and creating encryption keys. While
|
|
they are popular, capturing the stdout and stderr in a named pipe pointed to a shell is anomalous.
|
|
""",
|
|
]
|
|
from = "now-9m"
|
|
index = ["auditbeat-*", "logs-endpoint.events.*"]
|
|
language = "eql"
|
|
license = "Elastic License v2"
|
|
name = "Reverse Shell Created via Named Pipe"
|
|
references = [
|
|
"https://int0x33.medium.com/day-43-reverse-shell-with-openssl-1ee2574aa998",
|
|
"https://blog.gregscharf.com/2021/03/22/tar-in-cronjob-to-privilege-escalation/",
|
|
"https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/Methodology%20and%20Resources/Reverse%20Shell%20Cheatsheet.md#openssl",
|
|
]
|
|
risk_score = 47
|
|
rule_id = "dd7f1524-643e-11ed-9e35-f661ea17fbcd"
|
|
severity = "medium"
|
|
tags = ["Elastic", "Host", "Linux", "Threat Detection", "Execution", "Investigation Guide"]
|
|
type = "eql"
|
|
|
|
query = '''
|
|
sequence by host.id with maxspan = 5s
|
|
[process where event.type == "start" and process.executable : ("/usr/bin/mkfifo","/usr/bin/mknod") and process.args:("/tmp/*","$*")]
|
|
[process where process.executable : ("/bin/sh","/bin/bash") and process.args:("-i") or
|
|
(process.executable: ("/usr/bin/openssl") and process.args: ("-connect"))]
|
|
[process where (process.name:("nc","ncat","netcat","netcat.openbsd","netcat.traditional") or
|
|
(process.name: "openssl" and process.executable: "/usr/bin/openssl"))]
|
|
'''
|
|
|
|
|
|
[[rule.threat]]
|
|
framework = "MITRE ATT&CK"
|
|
[[rule.threat.technique]]
|
|
id = "T1059"
|
|
name = "Command and Scripting Interpreter"
|
|
reference = "https://attack.mitre.org/techniques/T1059/"
|
|
[[rule.threat.technique.subtechnique]]
|
|
id = "T1059.004"
|
|
name = "Unix Shell"
|
|
reference = "https://attack.mitre.org/techniques/T1059/004/"
|
|
|
|
|
|
|
|
[rule.threat.tactic]
|
|
id = "TA0002"
|
|
name = "Execution"
|
|
reference = "https://attack.mitre.org/tactics/TA0002/"
|
|
|