Ruben Groenewoud
646c316b66
* [New Rules] Linux Reverse Shells * [New Rules] Linux Reverse Shells * Update rules/linux/execution_shell_via_udp_cli_utility_linux.toml Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com> * Update rules/linux/execution_shell_via_java_revshell_linux.toml Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com> * Update rules/linux/execution_shell_via_java_revshell_linux.toml Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com> * Update rules/linux/execution_shell_via_java_revshell_linux.toml Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com> * Update rules/linux/execution_shell_suspicious_parent_child_revshell_linux.toml Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com> * Update rules/linux/execution_shell_via_udp_cli_utility_linux.toml Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com> * Update rules/linux/execution_shell_via_udp_cli_utility_linux.toml Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com> * Update rules/linux/execution_shell_via_reverse_tcp_utility_linux.toml Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com> * Update rules/linux/execution_shell_via_reverse_tcp_utility_linux.toml Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com> * Update rules/linux/execution_shell_suspicious_parent_child_revshell_linux.toml Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com> * Update rules/linux/execution_shell_suspicious_parent_child_revshell_linux.toml Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com> * Delete UDP rule to add in separate PR * Update rules/linux/execution_shell_via_lolbin_interpreter_linux.toml Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com> * Update rules/linux/execution_shell_via_tcp_cli_utility_linux.toml Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com> * Update rules/linux/execution_shell_via_reverse_tcp_utility_linux.toml Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com> * Update rules/linux/execution_shell_via_tcp_cli_utility_linux.toml Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com> * Update rules/linux/execution_shell_via_tcp_cli_utility_linux.toml Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com> * Deleted one rule and tuned the others * Improved the rules' performance * Added the reverse_tcp rule back after tuning * Update execution_shell_via_lolbin_interpreter_linux.toml --------- Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com>
75 lines
2.8 KiB
TOML
75 lines
2.8 KiB
TOML
[metadata]
|
|
creation_date = "2022/11/14"
|
|
deprecation_date = "2023/07/04"
|
|
integration = ["endpoint"]
|
|
maturity = "deprecated"
|
|
min_stack_comments = "New fields added: required_fields, related_integrations, setup"
|
|
min_stack_version = "8.3.0"
|
|
updated_date = "2023/07/04"
|
|
|
|
[rule]
|
|
author = ["Elastic"]
|
|
description = """
|
|
Identifies a reverse shell via the abuse of named pipes on Linux with the help of OpenSSL or Netcat. First in, first out
|
|
(FIFO) files are special files for reading and writing to by Linux processes. For this to work, a named pipe is created
|
|
and passed to a Linux shell where the use of a network connection tool such as Netcat or OpenSSL has been established.
|
|
The stdout and stderr are captured in the named pipe from the network connection and passed back to the shell for
|
|
execution.
|
|
"""
|
|
false_positives = [
|
|
"""
|
|
Netcat and OpenSSL are common tools used for establishing network connections and creating encryption keys. While
|
|
they are popular, capturing the stdout and stderr in a named pipe pointed to a shell is anomalous.
|
|
""",
|
|
]
|
|
from = "now-9m"
|
|
index = ["auditbeat-*", "logs-endpoint.events.*", "endgame-*"]
|
|
language = "eql"
|
|
license = "Elastic License v2"
|
|
name = "Reverse Shell Created via Named Pipe"
|
|
references = [
|
|
"https://int0x33.medium.com/day-43-reverse-shell-with-openssl-1ee2574aa998",
|
|
"https://blog.gregscharf.com/2021/03/22/tar-in-cronjob-to-privilege-escalation/",
|
|
"https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/Methodology%20and%20Resources/Reverse%20Shell%20Cheatsheet.md#openssl",
|
|
]
|
|
risk_score = 47
|
|
rule_id = "dd7f1524-643e-11ed-9e35-f661ea17fbcd"
|
|
severity = "medium"
|
|
tags = [
|
|
"Domain: Endpoint",
|
|
"OS: Linux",
|
|
"Use Case: Threat Detection",
|
|
"Tactic: Execution",
|
|
"Data Source: Elastic Endgame",
|
|
]
|
|
type = "eql"
|
|
|
|
query = '''
|
|
sequence by host.id with maxspan = 5s
|
|
[process where host.os.type == "linux" and event.type == "start" and process.executable : ("/usr/bin/mkfifo","/usr/bin/mknod") and process.args:("/tmp/*","$*")]
|
|
[process where host.os.type == "linux" and process.executable : ("/bin/sh","/bin/bash") and process.args:("-i") or
|
|
(process.executable: ("/usr/bin/openssl") and process.args: ("-connect"))]
|
|
[process where host.os.type == "linux" and (process.name:("nc","ncat","netcat","netcat.openbsd","netcat.traditional") or
|
|
(process.name: "openssl" and process.executable: "/usr/bin/openssl"))]
|
|
'''
|
|
|
|
|
|
[[rule.threat]]
|
|
framework = "MITRE ATT&CK"
|
|
[[rule.threat.technique]]
|
|
id = "T1059"
|
|
name = "Command and Scripting Interpreter"
|
|
reference = "https://attack.mitre.org/techniques/T1059/"
|
|
[[rule.threat.technique.subtechnique]]
|
|
id = "T1059.004"
|
|
name = "Unix Shell"
|
|
reference = "https://attack.mitre.org/techniques/T1059/004/"
|
|
|
|
|
|
|
|
[rule.threat.tactic]
|
|
id = "TA0002"
|
|
name = "Execution"
|
|
reference = "https://attack.mitre.org/tactics/TA0002/"
|
|
|