security-tools/sigma-rules
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
e897a6760429ea46da15ebbca1609b62fd37fee9
sigma-rules/rules/linux/lateral_movement_telnet_network_activity_internal.toml
T
Brent Murphy 12577f7380 [Rule Tuning] Update network rule address blocks (#1227) 
* Update network rule address blocks
Co-authored-by: David French <56409778+threat-punter@users.noreply.github.com>
2021-06-15 09:22:59 -04:00

58 lines
2.2 KiB
TOML
Raw Blame History

[metadata]
creation_date = "2020/04/23"
maturity = "production"
updated_date = "2021/05/26"
[rule]
author = ["Elastic"]
description = """
Telnet provides a command line interface for communication with a remote device or server. This rule identifies Telnet
network connections to non-publicly routable IP addresses.
"""
false_positives = [
"""
Telnet can be used for both benign or malicious purposes. Telnet is included by default in some Linux distributions,
so its presence is not inherently suspicious. The use of Telnet to manage devices remotely has declined in recent
years in favor of more secure protocols such as SSH. Telnet usage by non-automated tools or frameworks may be
suspicious.
""",
]
from = "now-9m"
index = ["auditbeat-*", "logs-endpoint.events.*"]
language = "eql"
license = "Elastic License v2"
name = "Connection to Internal Network via Telnet"
references = ["https://www.iana.org/assignments/iana-ipv4-special-registry/iana-ipv4-special-registry.xhtml"]
risk_score = 47
rule_id = "1b21abcc-4d9f-4b08-a7f5-316f5f94b973"
severity = "medium"
tags = ["Elastic", "Host", "Linux", "Threat Detection", "Lateral Movement"]
type = "eql"
query = '''
sequence by process.entity_id
[process where process.name == "telnet" and event.type == "start"]
[network where process.name == "telnet" and
cidrmatch(destination.ip, "10.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16", "172.16.0.0/12", "192.0.0.0/24",
"192.0.0.0/29", "192.0.0.8/32", "192.0.0.9/32", "192.0.0.10/32", "192.0.0.170/32",
"192.0.0.171/32", "192.0.2.0/24", "192.31.196.0/24", "192.52.193.0/24",
"192.168.0.0/16", "192.88.99.0/24", "224.0.0.0/4", "100.64.0.0/10", "192.175.48.0/24",
"198.18.0.0/15", "198.51.100.0/24", "203.0.113.0/24", "240.0.0.0/4", "::1",
"FE80::/10", "FF00::/8")]
'''
[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1021"
name = "Remote Services"
reference = "https://attack.mitre.org/techniques/T1021/"
[rule.threat.tactic]
id = "TA0008"
name = "Lateral Movement"
reference = "https://attack.mitre.org/tactics/TA0008/"
Reference in New Issue View Git Blame Copy Permalink