security-tools/sigma-rules
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
a46797b987febb8f4db8748fcee33f6eb63df1d1
sigma-rules/rules/linux/credential_access_ssh_backdoor_log.toml
T
Jonhnathan 4233fef238 [Security Content] Include "Data Source: Elastic Defend" tag (#3002) 
* win folder

* Other folders

* Update test_all_rules.py

* .

* updated missing elastic defend tags

---------

Co-authored-by: terrancedejesus <terrance.dejesus@elastic.co>
2023-09-05 14:22:01 -04:00

95 lines
3.2 KiB
TOML
Raw Blame History

[metadata]
creation_date = "2020/12/21"
integration = ["endpoint"]
maturity = "production"
min_stack_comments = "New fields added: required_fields, related_integrations, setup"
min_stack_version = "8.3.0"
updated_date = "2023/06/22"
[rule]
author = ["Elastic"]
description = """
Identifies a Secure Shell (SSH) client or server process creating or writing to a known SSH backdoor log file.
Adversaries may modify SSH related binaries for persistence or credential access via patching sensitive functions to
enable unauthorized access or to log SSH credentials for exfiltration.
"""
false_positives = ["Updates to approved and trusted SSH executables can trigger this rule."]
from = "now-9m"
index = ["auditbeat-*", "logs-endpoint.events.*", "endgame-*"]
language = "eql"
license = "Elastic License v2"
name = "Potential OpenSSH Backdoor Logging Activity"
note = """## Setup
If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.
"""
references = [
"https://github.com/eset/malware-ioc/tree/master/sshdoor",
"https://www.welivesecurity.com/wp-content/uploads/2021/01/ESET_Kobalos.pdf",
]
risk_score = 73
rule_id = "f28e2be4-6eca-4349-bdd9-381573730c22"
severity = "high"
tags = ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Persistence", "Tactic: Credential Access", "Data Source: Elastic Endgame", "Data Source: Elastic Defend"]
timestamp_override = "event.ingested"
type = "eql"
query = '''
file where host.os.type == "linux" and event.type == "change" and process.executable : ("/usr/sbin/sshd", "/usr/bin/ssh") and
(
(file.name : (".*", "~*", "*~") and not file.name : (".cache", ".viminfo", ".bash_history")) or
file.extension : ("in", "out", "ini", "h", "gz", "so", "sock", "sync", "0", "1", "2", "3", "4", "5", "6", "7", "8", "9") or
file.path :
(
"/private/etc/*--",
"/usr/share/*",
"/usr/include/*",
"/usr/local/include/*",
"/private/tmp/*",
"/private/var/tmp/*",
"/usr/tmp/*",
"/usr/share/man/*",
"/usr/local/share/*",
"/usr/lib/*.so.*",
"/private/etc/ssh/.sshd_auth",
"/usr/bin/ssd",
"/private/var/opt/power",
"/private/etc/ssh/ssh_known_hosts",
"/private/var/html/lol",
"/private/var/log/utmp",
"/private/var/lib",
"/var/run/sshd/sshd.pid",
"/var/run/nscd/ns.pid",
"/var/run/udev/ud.pid",
"/var/run/udevd.pid"
)
)
'''
[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1556"
name = "Modify Authentication Process"
reference = "https://attack.mitre.org/techniques/T1556/"
[rule.threat.tactic]
id = "TA0006"
name = "Credential Access"
reference = "https://attack.mitre.org/tactics/TA0006/"
[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1554"
name = "Compromise Client Software Binary"
reference = "https://attack.mitre.org/techniques/T1554/"
[rule.threat.tactic]
id = "TA0003"
name = "Persistence"
reference = "https://attack.mitre.org/tactics/TA0003/"
Reference in New Issue View Git Blame Copy Permalink