security-tools/sigma-rules
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
b8116a5b7703555b40351a59c8bb72a23be87f16
sigma-rules/rules/linux/credential_access_ssh_backdoor_log.toml
T
Samirbous 732770e855 [New Rule] Potential OpenSSH Backdoor Logging Activity (#749) 
* [New Rule] Known SSH Backdoor Logging File

* updated query to common patterns

* updated rule name

* relinted

* added extra path

* renamed

* adjusted some filepaths

* Update rules/linux/credential_access_ssh_backdoor_log.toml

Co-authored-by: Andrew Pease <7442091+peasead@users.noreply.github.com>

* Update rules/linux/credential_access_ssh_backdoor_log.toml

Co-authored-by: Andrew Pease <7442091+peasead@users.noreply.github.com>

* Update rules/linux/credential_access_ssh_backdoor_log.toml

Co-authored-by: Andrew Pease <7442091+peasead@users.noreply.github.com>

* Update rules/linux/credential_access_ssh_backdoor_log.toml

Co-authored-by: Andrew Pease <7442091+peasead@users.noreply.github.com>

* Update rules/linux/credential_access_ssh_backdoor_log.toml

Co-authored-by: Andrew Pease <7442091+peasead@users.noreply.github.com>

* Update rules/linux/credential_access_ssh_backdoor_log.toml

Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>

* Update rules/linux/credential_access_ssh_backdoor_log.toml

Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>

* Update rules/linux/credential_access_ssh_backdoor_log.toml

Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>

* added kobalos OpenSSH credential stealer

added kobalos SSH credential stealer default logs file as reported by ESET this week https://www.welivesecurity.com/wp-content/uploads/2021/01/ESET_Kobalos.pdf

* relinted

* adjusted MITRE technique

* Update rules/linux/credential_access_ssh_backdoor_log.toml

Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>

* Update rules/linux/credential_access_ssh_backdoor_log.toml

Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>

Co-authored-by: Andrew Pease <7442091+peasead@users.noreply.github.com>
Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>
2021-02-05 21:27:15 +01:00

86 lines
2.5 KiB
TOML
Raw Blame History

[metadata]
creation_date = "2020/12/21"
maturity = "production"
updated_date = "2020/12/21"
[rule]
author = ["Elastic"]
description = """
Identifies a Secure Shell (SSH) client or server process creating or writing to a known SSH backdoor log file.
Adversaries may modify SSH related binaries for persistence or credential access via patching sensitive functions to
enable unauthorized access or to log SSH credentials for exfiltration.
"""
false_positives = ["Updates to approved and trusted SSH executables can trigger this rule."]
from = "now-9m"
index = ["auditbeat-*", "logs-endpoint.events.*"]
language = "eql"
license = "Elastic License"
name = "Potential OpenSSH Backdoor Logging Activity"
references = [
"https://github.com/eset/malware-ioc/tree/master/sshdoor",
"https://www.welivesecurity.com/wp-content/uploads/2021/01/ESET_Kobalos.pdf",
]
risk_score = 73
rule_id = "f28e2be4-6eca-4349-bdd9-381573730c22"
severity = "high"
tags = ["Elastic", "Host", "Linux", "Threat Detection", "Persistence", "Credential Access"]
type = "eql"
query = '''
file where event.type == "change" and process.executable : ("/usr/sbin/sshd", "/usr/bin/ssh") and
(
file.name : (".*", "~*") or
file.extension : ("in", "out", "ini", "h", "gz", "so", "sock", "sync", "0", "1", "2", "3", "4", "5", "6", "7", "8", "9") or
file.path :
(
"/private/etc/*--",
"/usr/share/*",
"/usr/include/*",
"/usr/local/include/*",
"/private/tmp/*",
"/private/var/tmp/*",
"/usr/tmp/*",
"/usr/share/man/*",
"/usr/local/share/*",
"/usr/lib/*.so.*",
"/private/etc/ssh/.sshd_auth",
"/usr/bin/ssd",
"/private/var/opt/power",
"/private/etc/ssh/ssh_known_hosts",
"/private/var/html/lol",
"/private/var/log/utmp",
"/private/var/lib",
"/var/run/sshd/sshd.pid",
"/var/run/nscd/ns.pid",
"/var/run/udev/ud.pid",
"/var/run/udevd.pid"
)
)
'''
[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1556"
name = "Modify Authentication Process"
reference = "https://attack.mitre.org/techniques/T1556/"
[rule.threat.tactic]
id = "TA0006"
name = "Credential Access"
reference = "https://attack.mitre.org/tactics/TA0006/"
[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1554"
name = "Compromise Client Software Binary"
reference = "https://attack.mitre.org/techniques/T1554/"
[rule.threat.tactic]
id = "TA0003"
name = "Persistence"
reference = "https://attack.mitre.org/tactics/TA0003/"
Reference in New Issue View Git Blame Copy Permalink