Terrance DeJesus
b28338c680
* adjusted Potential Widespread Malware Infection Across Multiple Hosts * adjusted Microsoft Azure or Mail Sign-in from a Suspicious Source * adjusted AWS EC2 Multi-Region DescribeInstances API Calls * adjusted AWS Discovery API Calls via CLI from a Single Resource * adjusted AWS Service Quotas Multi-Region Requests * adjusted AWS EC2 EBS Snapshot Shared or Made Public * adjusted AWS S3 Bucket Enumeration or Brute Force * adjusted AWS EC2 EBS Snapshot Access Removed * adjusted Potential AWS S3 Bucket Ransomware Note Uploaded * adjusted AWS S3 Object Encryption Using External KMS Key * adjusted AWS S3 Static Site JavaScript File Uploaded * adjusted AWS Access Token Used from Multiple Addresses * adjusted AWS Signin Single Factor Console Login with Federated User * adjusted AWS IAM AdministratorAccess Policy Attached to Group * adjusted AWS IAM AdministratorAccess Policy Attached to Role * adjusted AWS IAM AdministratorAccess Policy Attached to User * adjusted AWS Bedrock Invocations without Guardrails Detected by a Single User Over a Session * adjusted AWS Bedrock Guardrails Detected Multiple Violations by a Single User Over a Session * adjusted AWS Bedrock Guardrails Detected Multiple Policy Violations Within a Single Blocked Request * adjusted Unusual High Confidence Content Filter Blocks Detected * adjusted Potential Abuse of Resources by High Token Count and Large Response Sizes * AWS Bedrock Detected Multiple Attempts to use Denied Models by a Single User * Unusual High Denied Sensitive Information Policy Blocks Detected * adjusted Unusual High Denied Topic Blocks Detected * adjusted AWS Bedrock Detected Multiple Validation Exception Errors by a Single User * adjusted Unusual High Word Policy Blocks Detected * adjusted Microsoft Entra ID Concurrent Sign-Ins with Suspicious Properties * adjusted Azure Entra MFA TOTP Brute Force Attempts * adjusted Microsoft Entra ID Sign-In Brute Force Activity * adjusted Microsoft Entra ID Exccessive Account Lockouts Detected * adjusted Microsoft 365 Brute Force via Entra ID Sign-Ins * deprecated Azure Entra Sign-in Brute Force Microsoft 365 Accounts by Repeat Source * adjusted Microsoft Entra ID Session Reuse with Suspicious Graph Access * adjusted Suspicious Microsoft OAuth Flow via Auth Broker to DRS * adjusted Potential Denial of Azure OpenAI ML Service * adjusted Azure OpenAI Insecure Output Handling * adjusted Potential Azure OpenAI Model Theft * adjusted M365 OneDrive Excessive File Downloads with OAuth Token * adjusted Multiple Microsoft 365 User Account Lockouts in Short Time Window * adjusted Potential Microsoft 365 User Account Brute Force * adjusted Suspicious Microsoft 365 UserLoggedIn via OAuth Code * adjusted Multiple Device Token Hashes for Single Okta Session * adjusted Multiple Okta User Authentication Events with Client Address * adjusted Multiple Okta User Authentication Events with Same Device Token Hash * adjusted High Number of Okta Device Token Cookies Generated for Authentication * adjusted Okta User Sessions Started from Different Geolocations * adjusted High Number of Egress Network Connections from Unusual Executable * adjusted Unusual Base64 Encoding/Decoding Activity * adjusted Potential Port Scanning Activity from Compromised Host * adjusted Potential Subnet Scanning Activity from Compromised Host * adjusted Unusual File Transfer Utility Launched * adjusted Potential Malware-Driven SSH Brute Force Attempt * adjusted Unusual Process Spawned from Web Server Parent * adjusted Unusual Command Execution from Web Server Parent * adjusted Rare Connection to WebDAV Target * adjusted Potential PowerShell Obfuscation via Invalid Escape Sequences * adjusted Potential PowerShell Obfuscation via Backtick-Escaped Variable Expansion * adjusted Unusual File Creation by Web Server * adjusted Potential PowerShell Obfuscation via High Special Character Proportion * adjusted Potential Malicious PowerShell Based on Alert Correlation * adjusted Potential PowerShell Obfuscation via Character Array Reconstruction * adjusted Potential PowerShell Obfuscation via String Reordering * adjusted Potential PowerShell Obfuscation via String Concatenation * adjusted Potential PowerShell Obfuscation via Reverse Keywords * adjusted PowerShell Obfuscation via Negative Index String Reversal * adjusted Dynamic IEX Reconstruction via Method String Access * adjusted Potential Dynamic IEX Reconstruction via Environment Variables * adjusted Potential PowerShell Obfuscation via High Numeric Character Proportion * adjusted Potential PowerShell Obfuscation via Concatenated Dynamic Command Invocation * adjusted Rare Connection to WebDAV Target * adjusted Potential PowerShell Obfuscation via Invalid Escape Sequences * adjusted Potential PowerShell Obfuscation via Backtick-Escaped Variable Expansion * adjusted Potential PowerShell Obfuscation via Character Array Reconstruction * adjusted Potential PowerShell Obfuscation via High Special Character Proportion * adjusted Potential PowerShell Obfuscation via Special Character Overuse * adjusted Potential PowerShell Obfuscation via String Reordering * adjusted Suspicious Microsoft 365 UserLoggedIn via OAuth Code * adjusted fields that were inconsistent * adjusted additional fields * adjusted esql to Esql * adjusted several rules for common field names * updating rules * updated dates * updated dates * updated ESQL fields * lowercase all functions and logical operators * adjusted dates for unit tests * Update Esql_priv to Esql_temp as these don't hold PII * PowerShell adjustments * Make query comments consistent * update comment * reverted 2856446a-34e6-435b-9fb5-f8f040bfa7ed * Update rules/windows/discovery_command_system_account.toml * removed dot notation --------- Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>
200 lines
10 KiB
TOML
200 lines
10 KiB
TOML
[metadata]
|
|
creation_date = "2025/03/04"
|
|
integration = ["endpoint"]
|
|
maturity = "production"
|
|
updated_date = "2025/07/16"
|
|
|
|
[rule]
|
|
author = ["Elastic"]
|
|
description = """
|
|
This rule detects unusual processes spawned from a web server parent process by identifying low frequency counts of
|
|
process spawning activity. Unusual process spawning activity may indicate an attacker attempting to establish
|
|
persistence, execute malicious commands, or establish command and control channels on the host system. ESQL rules have
|
|
limited fields available in its alert documents. Make sure to review the original documents to aid in the investigation
|
|
of this alert.
|
|
"""
|
|
from = "now-61m"
|
|
interval = "1h"
|
|
language = "esql"
|
|
license = "Elastic License v2"
|
|
name = "Unusual Process Spawned from Web Server Parent"
|
|
note = """ ## Triage and analysis
|
|
|
|
> **Disclaimer**:
|
|
> This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs.
|
|
|
|
### Investigating Unusual Process Spawned from Web Server Parent
|
|
|
|
Web servers like Apache, Nginx, and others are crucial for hosting applications and services. Adversaries exploit these servers by spawning unauthorized processes to maintain persistence or execute malicious commands. The detection rule identifies anomalies by monitoring low-frequency process spawns from web server parents, focusing on unusual user IDs, directories, and process counts, which may indicate potential threats.
|
|
|
|
### Possible investigation steps
|
|
|
|
- Review the process.executable and process.command_line fields to understand the nature of the process that was spawned and assess if it aligns with expected behavior for the web server environment.
|
|
- Examine the process.working_directory to determine if the directory is a legitimate location for web server operations or if it appears suspicious, such as being outside typical web server directories.
|
|
- Check the user.name and user.id fields to verify if the process was executed by a legitimate web server user or if it was initiated by an unexpected or unauthorized user account.
|
|
- Investigate the process.parent.executable to confirm whether the parent process is a known and trusted web server executable or if it has been tampered with or replaced.
|
|
- Correlate the event with other logs or alerts from the same agent.id to identify any additional suspicious activities or patterns that may indicate a broader compromise.
|
|
- Assess the host.os.type to ensure the alert pertains to a Linux system, as specified in the query, and verify if there are any known vulnerabilities or misconfigurations on the host that could have been exploited.
|
|
|
|
### False positive analysis
|
|
|
|
- Processes related to legitimate web server maintenance tasks may trigger alerts. Review scheduled tasks or cron jobs that align with the alert timing and consider excluding these specific processes if they are verified as non-threatening.
|
|
- Development environments often spawn processes that mimic attack patterns. Identify and exclude processes originating from known development directories or executed by development user accounts.
|
|
- Automated scripts or monitoring tools running under web server user accounts can be mistaken for malicious activity. Verify these scripts and add exceptions for their specific process names or working directories.
|
|
- Frequent updates or deployments in web applications can lead to unusual process spawns. Document these activities and exclude related processes if they consistently match the alert criteria during known update windows.
|
|
- Custom web server modules or plugins may execute processes that appear suspicious. Validate these modules and exclude their associated processes if they are part of normal operations.
|
|
|
|
### Response and remediation
|
|
|
|
- Immediately isolate the affected host from the network to prevent further malicious activity and potential lateral movement.
|
|
- Terminate any suspicious processes identified by the alert that are not part of legitimate web server operations.
|
|
- Conduct a thorough review of the process command lines and executables flagged by the alert to identify any malicious scripts or binaries. Remove or quarantine these files as necessary.
|
|
- Check for unauthorized changes in web server configurations or files within the working directories flagged by the alert. Restore any altered files from a known good backup.
|
|
- Review user accounts and permissions associated with the web server processes to ensure no unauthorized accounts or privilege escalations have occurred. Reset passwords and revoke unnecessary access.
|
|
- Monitor network traffic from the affected host for any signs of command and control communication, and block any identified malicious IP addresses or domains.
|
|
- Escalate the incident to the security operations center (SOC) or incident response team for further analysis and to determine if additional systems are compromised.
|
|
"""
|
|
risk_score = 47
|
|
rule_id = "976b2391-413f-4a94-acb4-7911f3803346"
|
|
setup = """## Setup
|
|
|
|
This rule requires data coming in from Elastic Defend.
|
|
|
|
### Elastic Defend Integration Setup
|
|
Elastic Defend is integrated into the Elastic Agent using Fleet. Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app.
|
|
|
|
#### Prerequisite Requirements:
|
|
- Fleet is required for Elastic Defend.
|
|
- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).
|
|
|
|
#### The following steps should be executed in order to add the Elastic Defend integration on a Linux System:
|
|
- Go to the Kibana home page and click "Add integrations".
|
|
- In the query bar, search for "Elastic Defend" and select the integration to see more details about it.
|
|
- Click "Add Elastic Defend".
|
|
- Configure the integration name and optionally add a description.
|
|
- Select the type of environment you want to protect, either "Traditional Endpoints" or "Cloud Workloads".
|
|
- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).
|
|
- We suggest selecting "Complete EDR (Endpoint Detection and Response)" as a configuration setting, that provides "All events; all preventions"
|
|
- Enter a name for the agent policy in "New agent policy name". If other agent policies already exist, you can click the "Existing hosts" tab and select an existing policy instead.
|
|
For more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/8.10/agent-policy.html).
|
|
- Click "Save and Continue".
|
|
- To complete the integration, select "Add Elastic Agent to your hosts" and continue to the next section to install the Elastic Agent on your hosts.
|
|
For more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).
|
|
"""
|
|
severity = "medium"
|
|
tags = [
|
|
"Domain: Endpoint",
|
|
"OS: Linux",
|
|
"Use Case: Threat Detection",
|
|
"Tactic: Persistence",
|
|
"Tactic: Execution",
|
|
"Tactic: Command and Control",
|
|
"Data Source: Elastic Defend",
|
|
"Resources: Investigation Guide",
|
|
]
|
|
timestamp_override = "event.ingested"
|
|
type = "esql"
|
|
|
|
query = '''
|
|
from logs-endpoint.events.process-*
|
|
| keep
|
|
@timestamp,
|
|
host.os.type,
|
|
event.type,
|
|
event.action,
|
|
process.parent.name,
|
|
user.name,
|
|
user.id,
|
|
process.working_directory,
|
|
process.name,
|
|
process.executable,
|
|
process.command_line,
|
|
process.parent.executable,
|
|
agent.id,
|
|
host.name
|
|
| where
|
|
@timestamp > now() - 1 hours and
|
|
host.os.type == "linux" and
|
|
event.type == "start" and
|
|
event.action == "exec" and (
|
|
process.parent.name in (
|
|
"apache", "nginx", "apache2", "httpd", "lighttpd", "caddy", "node", "mongrel_rails", "java", "gunicorn",
|
|
"uwsgi", "openresty", "cherokee", "h2o", "resin", "puma", "unicorn", "traefik", "tornado", "hypercorn",
|
|
"daphne", "twistd", "yaws", "webfsd", "httpd.worker", "flask", "rails", "mongrel"
|
|
) or
|
|
process.parent.name like "php-*" or
|
|
process.parent.name like "python*" or
|
|
process.parent.name like "ruby*" or
|
|
process.parent.name like "perl*" or
|
|
user.name in (
|
|
"apache", "www-data", "httpd", "nginx", "lighttpd", "tomcat", "tomcat8", "tomcat9", "ftp", "ftpuser", "ftpd"
|
|
) or
|
|
user.id in ("99", "33", "498", "48") or
|
|
process.working_directory like "/var/www/*"
|
|
) and not (
|
|
process.working_directory like "/home/*" or
|
|
process.working_directory == "/" or
|
|
process.parent.executable like "/vscode/vscode-server/*"
|
|
)
|
|
| stats
|
|
Esql.event_count = count(),
|
|
Esql.agent_id_count_distinct = count_distinct(agent.id),
|
|
Esql.host_name_values = values(host.name),
|
|
Esql.agent_id_values = values(agent.id)
|
|
by process.executable, process.working_directory, process.parent.executable
|
|
| where
|
|
Esql.agent_id_count_distinct == 1 and
|
|
Esql.event_count < 5
|
|
| sort Esql.event_count asc
|
|
| limit 100
|
|
'''
|
|
|
|
|
|
[[rule.threat]]
|
|
framework = "MITRE ATT&CK"
|
|
[[rule.threat.technique]]
|
|
id = "T1505"
|
|
name = "Server Software Component"
|
|
reference = "https://attack.mitre.org/techniques/T1505/"
|
|
[[rule.threat.technique.subtechnique]]
|
|
id = "T1505.003"
|
|
name = "Web Shell"
|
|
reference = "https://attack.mitre.org/techniques/T1505/003/"
|
|
|
|
|
|
|
|
[rule.threat.tactic]
|
|
id = "TA0003"
|
|
name = "Persistence"
|
|
reference = "https://attack.mitre.org/tactics/TA0003/"
|
|
[[rule.threat]]
|
|
framework = "MITRE ATT&CK"
|
|
[[rule.threat.technique]]
|
|
id = "T1059"
|
|
name = "Command and Scripting Interpreter"
|
|
reference = "https://attack.mitre.org/techniques/T1059/"
|
|
[[rule.threat.technique.subtechnique]]
|
|
id = "T1059.004"
|
|
name = "Unix Shell"
|
|
reference = "https://attack.mitre.org/techniques/T1059/004/"
|
|
|
|
|
|
|
|
[rule.threat.tactic]
|
|
id = "TA0002"
|
|
name = "Execution"
|
|
reference = "https://attack.mitre.org/tactics/TA0002/"
|
|
[[rule.threat]]
|
|
framework = "MITRE ATT&CK"
|
|
[[rule.threat.technique]]
|
|
id = "T1071"
|
|
name = "Application Layer Protocol"
|
|
reference = "https://attack.mitre.org/techniques/T1071/"
|
|
|
|
|
|
[rule.threat.tactic]
|
|
id = "TA0011"
|
|
name = "Command and Control"
|
|
reference = "https://attack.mitre.org/tactics/TA0011/"
|
|
|