security-tools/sigma-rules
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
645a0cd67b97866a8f54ddda216d3ddad58e136e
sigma-rules/rules/linux/credential_access_ssh_backdoor_log.toml
T
Justin Ibarra 645a0cd67b [Rule Tuning] Add timestamp_override to all query and non-sequence EQL rules (#945) 
* [Rule Tuning] Add timestamp_override field to rules
* add tests for lookback and timestamp_override
* fix dates and add test to ensure updated > creation
2021-02-17 19:49:58 -09:00

88 lines
2.5 KiB
TOML
Raw Blame History

[metadata]
creation_date = "2020/12/21"
maturity = "production"
updated_date = "2021/02/11"
[rule]
author = ["Elastic"]
description = """
Identifies a Secure Shell (SSH) client or server process creating or writing to a known SSH backdoor log file.
Adversaries may modify SSH related binaries for persistence or credential access via patching sensitive functions to
enable unauthorized access or to log SSH credentials for exfiltration.
"""
false_positives = ["Updates to approved and trusted SSH executables can trigger this rule."]
from = "now-9m"
index = ["auditbeat-*", "logs-endpoint.events.*"]
language = "eql"
license = "Elastic License"
name = "Potential OpenSSH Backdoor Logging Activity"
references = [
"https://github.com/eset/malware-ioc/tree/master/sshdoor",
"https://www.welivesecurity.com/wp-content/uploads/2021/01/ESET_Kobalos.pdf",
]
risk_score = 73
rule_id = "f28e2be4-6eca-4349-bdd9-381573730c22"
severity = "high"
tags = ["Elastic", "Host", "Linux", "Threat Detection", "Persistence", "Credential Access"]
timestamp_override = "event.ingested"
type = "eql"
query = '''
file where event.type == "change" and process.executable : ("/usr/sbin/sshd", "/usr/bin/ssh") and
(
file.name : (".*", "~*") or
file.extension : ("in", "out", "ini", "h", "gz", "so", "sock", "sync", "0", "1", "2", "3", "4", "5", "6", "7", "8", "9") or
file.path :
(
"/private/etc/*--",
"/usr/share/*",
"/usr/include/*",
"/usr/local/include/*",
"/private/tmp/*",
"/private/var/tmp/*",
"/usr/tmp/*",
"/usr/share/man/*",
"/usr/local/share/*",
"/usr/lib/*.so.*",
"/private/etc/ssh/.sshd_auth",
"/usr/bin/ssd",
"/private/var/opt/power",
"/private/etc/ssh/ssh_known_hosts",
"/private/var/html/lol",
"/private/var/log/utmp",
"/private/var/lib",
"/var/run/sshd/sshd.pid",
"/var/run/nscd/ns.pid",
"/var/run/udev/ud.pid",
"/var/run/udevd.pid"
)
)
'''
[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1556"
name = "Modify Authentication Process"
reference = "https://attack.mitre.org/techniques/T1556/"
[rule.threat.tactic]
id = "TA0006"
name = "Credential Access"
reference = "https://attack.mitre.org/tactics/TA0006/"
[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1554"
name = "Compromise Client Software Binary"
reference = "https://attack.mitre.org/techniques/T1554/"
[rule.threat.tactic]
id = "TA0003"
name = "Persistence"
reference = "https://attack.mitre.org/tactics/TA0003/"
Reference in New Issue View Git Blame Copy Permalink