security-tools/sigma-rules
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
6527eb050063953e4e8a840ad93890258ff7eb09
sigma-rules/rules/linux/execution_shell_suspicious_parent_child_revshell_linux.toml
T
Ruben Groenewoud dbd7ed65a9 [Tuning] Reverse Shell Rules (#2959) 
* [Rule Tuning] Reverse Shell Rule destination.ip tuning

* Updated updated_date
2023-07-25 14:55:56 +02:00

77 lines
2.9 KiB
TOML
Raw Blame History

[metadata]
creation_date = "2023/07/04"
integration = ["endpoint"]
maturity = "production"
min_stack_comments = "New fields added: required_fields, related_integrations, setup"
min_stack_version = "8.3.0"
updated_date = "2023/07/25"
[rule]
author = ["Elastic"]
description = """
This detection rule detects the creation of a shell through a suspicious parent child relationship. Any reverse shells
spawned by the specified utilities that use a forked process to initialize the connection attempt will be captured
through this rule. Attackers may spawn reverse shells to establish persistence onto a target system.
"""
from = "now-9m"
index = ["logs-endpoint.events.*"]
language = "eql"
license = "Elastic License v2"
name = "Potential Reverse Shell via Suspicious Parent Process"
references = [
"https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/Methodology%20and%20Resources/Reverse%20Shell%20Cheatsheet.md"
]
risk_score = 47
rule_id = "4b1a807a-4e7b-414e-8cea-24bf580f6fc5"
severity = "medium"
tags = ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Execution"]
type = "eql"
query = '''
sequence by host.id, process.parent.entity_id with maxspan=1s
[ process where host.os.type == "linux" and event.type == "start" and event.action == "fork" and (
(process.name : "python*" and process.args : "-c") or
(process.name : "php*" and process.args : "-r") or
(process.name : "perl" and process.args : "-e") or
(process.name : "ruby" and process.args : ("-e", "-rsocket")) or
(process.name : "lua*" and process.args : "-e") or
(process.name : "openssl" and process.args : "-connect") or
(process.name : ("nc", "ncat", "netcat") and process.args_count >= 3) or
(process.name : "telnet" and process.args_count >= 3) or
(process.name : "awk")) and
process.parent.name : ("python*", "php*", "perl", "ruby", "lua*", "openssl", "nc", "netcat", "ncat", "telnet", "awk") ]
[ network where host.os.type == "linux" and event.type == "start" and event.action == "connection_attempted" and
process.name : ("python*", "php*", "perl", "ruby", "lua*", "openssl", "nc", "netcat", "ncat", "telnet", "awk") and
destination.ip != null and destination.ip != "127.0.0.1" and destination.ip != "::1" ]
'''
[[rule.threat]]
framework = "MITRE ATT&CK"
[rule.threat.tactic]
name = "Execution"
id = "TA0002"
reference = "https://attack.mitre.org/tactics/TA0002/"
[[rule.threat.technique]]
id = "T1059"
name = "Command and Scripting Interpreter"
reference = "https://attack.mitre.org/techniques/T1059/"
[[rule.threat.technique.subtechnique]]
id = "T1059.004"
name = "Unix Shell"
reference = "https://attack.mitre.org/techniques/T1059/004/"
[[rule.threat]]
framework = "MITRE ATT&CK"
[rule.threat.tactic]
name = "Command and Control"
id = "TA0011"
reference = "https://attack.mitre.org/tactics/TA0011/"
[[rule.threat.technique]]
name = "Application Layer Protocol"
id = "T1071"
reference = "https://attack.mitre.org/techniques/T1071/"
Reference in New Issue View Git Blame Copy Permalink