From c215ef6e2bf98631ef6d2861e9c2eba40d51b7c4 Mon Sep 17 00:00:00 2001 From: Ruben Groenewoud <78494512+Aegrah@users.noreply.github.com> Date: Mon, 18 Dec 2023 17:02:40 +0100 Subject: [PATCH] [Security Content] Add Investigation Guides to Linux C2 Rules (#3247) * [Security Content] Add Investigation Guides to Linux C2 Rules * Applied feedback Removed changes from: - rules/linux/command_and_control_suspicious_network_activity_from_unknown_executable.toml (selectively cherry picked from commit 91a757a018ddde5ee19b1f2579f7e9cbfe51d7f8) --- ...mand_and_control_cat_network_activity.toml | 96 ++++++++++++++++- ..._control_linux_chisel_client_activity.toml | 99 ++++++++++++++++- ..._control_linux_chisel_server_activity.toml | 99 ++++++++++++++++- ...linux_suspicious_proxychains_activity.toml | 101 +++++++++++++++++- ...l_linux_tunneling_and_port_forwarding.toml | 101 +++++++++++++++++- ...d_and_control_tunneling_via_earthworm.toml | 101 ++++++++++++++++-- ...nd_control_linux_proxychains_activity.toml | 97 ++++++++++++++++- ..._and_control_linux_ssh_x11_forwarding.toml | 93 +++++++++++++++- ...nd_and_control_non_standard_http_port.toml | 93 +++++++++++++++- 9 files changed, 846 insertions(+), 34 deletions(-) diff --git a/rules/linux/command_and_control_cat_network_activity.toml b/rules/linux/command_and_control_cat_network_activity.toml index d576b75ea4b..1a3e102fa97 100644 --- a/rules/linux/command_and_control_cat_network_activity.toml +++ b/rules/linux/command_and_control_cat_network_activity.toml @@ -6,6 +6,31 @@ min_stack_comments = "New fields added: required_fields, related_integrations, s min_stack_version = "8.3.0" updated_date = "2023/11/02" +[transform] +[[transform.osquery]] +label = "Osquery - Retrieve Listening Ports" +query = "SELECT pid, address, port, socket, protocol, path FROM listening_ports" + +[[transform.osquery]] +label = "Osquery - Retrieve Open Sockets" +query = "SELECT pid, family, remote_address, remote_port, socket, state FROM process_open_sockets" + +[[transform.osquery]] +label = "Osquery - Retrieve Information for a Specific User" +query = "SELECT * FROM users WHERE username = {{user.name}}" + +[[transform.osquery]] +label = "Osquery - Investigate the Account Authentication Status" +query = "SELECT * FROM logged_in_users WHERE user = {{user.name}}" + +[[transform.osquery]] +label = "Osquery - Retrieve Running Processes by User" +query = "SELECT pid, username, name FROM processes p JOIN users u ON u.uid = p.uid ORDER BY username" + +[[transform.osquery]] +label = "Osquery - Retrieve Process Info" +query = "SELECT name, cmdline, parent, path, uid FROM processes" + [rule] author = ["Elastic"] description = """ @@ -19,11 +44,67 @@ index = ["logs-endpoint.events.*"] language = "eql" license = "Elastic License v2" name = "Network Activity Detected via cat" +note = """## Triage and analysis + +### Investigating Network Activity Detected via cat + +Attackers may leverage the `cat` utility in conjunction with a listener to read all bytes of a file, and output the content to a `/dev/tcp` or `/dev/udp` channel to transfer/exfiltrate file contents to a remote system. + +This rule looks for a sequence of a `cat` execution event followed by a network connection attempt by the same `cat` process. + +> **Note**: +> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide. +> This investigation guide uses [placeholder fields](https://www.elastic.co/guide/en/security/current/osquery-placeholder-fields.html) to dynamically pass alert data into Osquery queries. Placeholder fields were introduced in Elastic Stack version 8.7.0. If you're using Elastic Stack version 8.6.0 or earlier, you'll need to manually adjust this investigation guide's queries to ensure they properly run. + +#### Possible investigation steps + +- Identify any signs of suspicious network activity or anomalies that may indicate command and control activity or data exfiltration. This could include unexpected traffic patterns or unusual network behavior. + - Investigate listening ports and open sockets to look for potential protocol tunneling, reverse shells, or data exfiltration. + - $osquery_0 + - $osquery_1 +- Identify the user account that performed the action, analyze it, and check whether it should perform this kind of action. + - $osquery_2 +- Investigate whether the user is currently logged in and active. + - $osquery_3 +- Investigate the script execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence and whether they are located in expected locations. + - $osquery_4 + - $osquery_5 +- Investigate other alerts associated with the user/host during the past 48 hours. + - If scripts or executables were dropped, retrieve the files and determine if they are malicious: + - Use a private sandboxed malware analysis system to perform analysis. + - Observe and collect information about the following activities: + - Attempts to contact external domains and addresses. + - Check if the domain is newly registered or unexpected. + - Check the reputation of the domain or IP address. + - File access, modification, and creation activities. + +### Related rules + +- Suspicious Network Activity to the Internet by Previously Unknown Executable - 53617418-17b4-4e9c-8a2c-8deb8086ca4b + +### False positive analysis + +- If this activity is related to new benign software installation activity, consider adding exceptions — preferably with a combination of user and command line conditions. +- Try to understand the context of the execution by thinking about the user, machine, or business purpose. A small number of endpoints, such as servers with unique software, might appear unusual but satisfy a specific business need. + +### Response and remediation + +- Initiate the incident response process based on the outcome of the triage. +- Isolate the involved host to prevent further post-compromise behavior. +- If the triage identified malware, search the environment for additional compromised hosts. + - Implement temporary network rules, procedures, and segmentation to contain the malware. + - Stop suspicious processes. + - Immediately block the identified indicators of compromise (IoCs). + - Inspect the affected systems for additional malware backdoors, such as reverse shells, reverse proxies, or droppers, that attackers could use to reinfect the system. +- Remove and block malicious artifacts identified during triage. +- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services. +- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components. +- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector. +- Leverage the incident response data and logging to improve the mean time to detect (MTTD) and the mean time to respond (MTTR). +""" risk_score = 47 rule_id = "afd04601-12fc-4149-9b78-9c3f8fe45d39" -setup = """ - -This rule requires data coming in from Elastic Defend. +setup = """This rule requires data coming in from Elastic Defend. ### Elastic Defend Integration Setup Elastic Defend is integrated into the Elastic Agent using Fleet. Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app. @@ -45,10 +126,15 @@ For more details on Elastic Agent configuration settings, refer to the [helper g - Click "Save and Continue". - To complete the integration, select "Add Elastic Agent to your hosts" and continue to the next section to install the Elastic Agent on your hosts. For more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html). - """ severity = "medium" -tags = ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Command and Control", "Data Source: Elastic Defend"] +tags = [ + "Domain: Endpoint", + "OS: Linux", + "Use Case: Threat Detection", + "Tactic: Command and Control", + "Data Source: Elastic Defend" + ] type = "eql" query = ''' sequence by host.id, process.entity_id with maxspan=1s diff --git a/rules/linux/command_and_control_linux_chisel_client_activity.toml b/rules/linux/command_and_control_linux_chisel_client_activity.toml index 141d9107158..b137cb29055 100644 --- a/rules/linux/command_and_control_linux_chisel_client_activity.toml +++ b/rules/linux/command_and_control_linux_chisel_client_activity.toml @@ -6,6 +6,31 @@ min_stack_comments = "New fields added: required_fields, related_integrations, s min_stack_version = "8.3.0" updated_date = "2023/11/02" +[transform] +[[transform.osquery]] +label = "Osquery - Retrieve Listening Ports" +query = "SELECT pid, address, port, socket, protocol, path FROM listening_ports" + +[[transform.osquery]] +label = "Osquery - Retrieve Open Sockets" +query = "SELECT pid, family, remote_address, remote_port, socket, state FROM process_open_sockets" + +[[transform.osquery]] +label = "Osquery - Retrieve Information for a Specific User" +query = "SELECT * FROM users WHERE username = {{user.name}}" + +[[transform.osquery]] +label = "Osquery - Investigate the Account Authentication Status" +query = "SELECT * FROM logged_in_users WHERE user = {{user.name}}" + +[[transform.osquery]] +label = "Osquery - Retrieve Running Processes by User" +query = "SELECT pid, username, name FROM processes p JOIN users u ON u.uid = p.uid ORDER BY username" + +[[transform.osquery]] +label = "Osquery - Retrieve Process Info" +query = "SELECT name, cmdline, parent, path, uid FROM processes" + [rule] author = ["Elastic"] description = """ @@ -20,15 +45,74 @@ index = ["logs-endpoint.events.*"] language = "eql" license = "Elastic License v2" name = "Potential Protocol Tunneling via Chisel Client" +note = """## Triage and analysis + +### Investigating Potential Protocol Tunneling via Chisel Client + +Attackers can leverage `chisel` to clandestinely tunnel network communications and evade security measures, potentially gaining unauthorized access to sensitive systems. + +This rule looks for a sequence of command line arguments that are consistent with `chisel` client tunneling behavior, followed by a network event by an uncommon process. + +> **Note**: +> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide. +> This investigation guide uses [placeholder fields](https://www.elastic.co/guide/en/security/current/osquery-placeholder-fields.html) to dynamically pass alert data into Osquery queries. Placeholder fields were introduced in Elastic Stack version 8.7.0. If you're using Elastic Stack version 8.6.0 or earlier, you'll need to manually adjust this investigation guide's queries to ensure they properly run. + +#### Possible investigation steps + +- Identify any signs of suspicious network activity or anomalies that may indicate protocol tunneling. This could include unexpected traffic patterns or unusual network behavior. + - Investigate listening ports and open sockets to look for potential protocol tunneling, reverse shells, or data exfiltration. + - $osquery_0 + - $osquery_1 +- Identify the user account that performed the action, analyze it, and check whether it should perform this kind of action. + - $osquery_2 +- Investigate whether the user is currently logged in and active. + - $osquery_3 +- Investigate the script execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence and whether they are located in expected locations. + - $osquery_4 + - $osquery_5 +- Investigate other alerts associated with the user/host during the past 48 hours. + - If scripts or executables were dropped, retrieve the files and determine if they are malicious: + - Use a private sandboxed malware analysis system to perform analysis. + - Observe and collect information about the following activities: + - Attempts to contact external domains and addresses. + - Check if the domain is newly registered or unexpected. + - Check the reputation of the domain or IP address. + - File access, modification, and creation activities. + +### Related rules + +- Potential Protocol Tunneling via Chisel Server - ac8805f6-1e08-406c-962e-3937057fa86f +- Potential Linux Tunneling and/or Port Forwarding - 6ee947e9-de7e-4281-a55d-09289bdf947e +- Potential Protocol Tunneling via EarthWorm - 9f1c4ca3-44b5-481d-ba42-32dc215a2769 + +### False positive analysis + +- If this activity is related to new benign software installation activity, consider adding exceptions — preferably with a combination of user and command line conditions. +- If this activity is related to a system administrator or developer who uses port tunneling for benign purposes, consider adding exceptions for specific user accounts or hosts. +- Try to understand the context of the execution by thinking about the user, machine, or business purpose. A small number of endpoints, such as servers with unique software, might appear unusual but satisfy a specific business need. + +### Response and remediation + +- Initiate the incident response process based on the outcome of the triage. +- Isolate the involved host to prevent further post-compromise behavior. +- If the triage identified malware, search the environment for additional compromised hosts. + - Implement temporary network rules, procedures, and segmentation to contain the malware. + - Stop suspicious processes. + - Immediately block the identified indicators of compromise (IoCs). + - Inspect the affected systems for additional malware backdoors, such as reverse shells, reverse proxies, or droppers, that attackers could use to reinfect the system. +- Remove and block malicious artifacts identified during triage. +- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services. +- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components. +- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector. +- Leverage the incident response data and logging to improve the mean time to detect (MTTD) and the mean time to respond (MTTR). +""" references = [ "https://blog.bitsadmin.com/living-off-the-foreign-land-windows-as-offensive-platform", "https://book.hacktricks.xyz/generic-methodologies-and-resources/tunneling-and-port-forwarding" ] risk_score = 47 rule_id = "3f12325a-4cc6-410b-8d4c-9fbbeb744cfd" -setup = """ - -This rule requires data coming in from Elastic Defend. +setup = """This rule requires data coming in from Elastic Defend. ### Elastic Defend Integration Setup Elastic Defend is integrated into the Elastic Agent using Fleet. Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app. @@ -50,10 +134,15 @@ For more details on Elastic Agent configuration settings, refer to the [helper g - Click "Save and Continue". - To complete the integration, select "Add Elastic Agent to your hosts" and continue to the next section to install the Elastic Agent on your hosts. For more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html). - """ severity = "medium" -tags = ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Command and Control", "Data Source: Elastic Defend"] +tags = [ + "Domain: Endpoint", + "OS: Linux", + "Use Case: Threat Detection", + "Tactic: Command and Control", + "Data Source: Elastic Defend" + ] type = "eql" query = ''' sequence by host.id, process.entity_id with maxspan=1s diff --git a/rules/linux/command_and_control_linux_chisel_server_activity.toml b/rules/linux/command_and_control_linux_chisel_server_activity.toml index e979d04e412..e89c8656a53 100644 --- a/rules/linux/command_and_control_linux_chisel_server_activity.toml +++ b/rules/linux/command_and_control_linux_chisel_server_activity.toml @@ -6,6 +6,31 @@ min_stack_comments = "New fields added: required_fields, related_integrations, s min_stack_version = "8.3.0" updated_date = "2023/11/02" +[transform] +[[transform.osquery]] +label = "Osquery - Retrieve Listening Ports" +query = "SELECT pid, address, port, socket, protocol, path FROM listening_ports" + +[[transform.osquery]] +label = "Osquery - Retrieve Open Sockets" +query = "SELECT pid, family, remote_address, remote_port, socket, state FROM process_open_sockets" + +[[transform.osquery]] +label = "Osquery - Retrieve Information for a Specific User" +query = "SELECT * FROM users WHERE username = {{user.name}}" + +[[transform.osquery]] +label = "Osquery - Investigate the Account Authentication Status" +query = "SELECT * FROM logged_in_users WHERE user = {{user.name}}" + +[[transform.osquery]] +label = "Osquery - Retrieve Running Processes by User" +query = "SELECT pid, username, name FROM processes p JOIN users u ON u.uid = p.uid ORDER BY username" + +[[transform.osquery]] +label = "Osquery - Retrieve Process Info" +query = "SELECT name, cmdline, parent, path, uid FROM processes" + [rule] author = ["Elastic"] description = """ @@ -20,15 +45,74 @@ index = ["logs-endpoint.events.*"] language = "eql" license = "Elastic License v2" name = "Potential Protocol Tunneling via Chisel Server" +note = """## Triage and analysis + +### Investigating Potential Protocol Tunneling via Chisel Server + +Attackers can leverage `chisel` to clandestinely tunnel network communications and evade security measures, potentially gaining unauthorized access to sensitive systems. + +This rule looks for a sequence of command line arguments that are consistent with `chisel` server tunneling behavior, followed by a network event by an uncommon process. + +> **Note**: +> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide. +> This investigation guide uses [placeholder fields](https://www.elastic.co/guide/en/security/current/osquery-placeholder-fields.html) to dynamically pass alert data into Osquery queries. Placeholder fields were introduced in Elastic Stack version 8.7.0. If you're using Elastic Stack version 8.6.0 or earlier, you'll need to manually adjust this investigation guide's queries to ensure they properly run. + +#### Possible investigation steps + +- Identify any signs of suspicious network activity or anomalies that may indicate protocol tunneling. This could include unexpected traffic patterns or unusual network behavior. + - Investigate listening ports and open sockets to look for potential protocol tunneling, reverse shells, or data exfiltration. + - $osquery_0 + - $osquery_1 +- Identify the user account that performed the action, analyze it, and check whether it should perform this kind of action. + - $osquery_2 +- Investigate whether the user is currently logged in and active. + - $osquery_3 +- Investigate the script execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence and whether they are located in expected locations. + - $osquery_4 + - $osquery_5 +- Investigate other alerts associated with the user/host during the past 48 hours. + - If scripts or executables were dropped, retrieve the files and determine if they are malicious: + - Use a private sandboxed malware analysis system to perform analysis. + - Observe and collect information about the following activities: + - Attempts to contact external domains and addresses. + - Check if the domain is newly registered or unexpected. + - Check the reputation of the domain or IP address. + - File access, modification, and creation activities. + +### Related rules + +- Potential Protocol Tunneling via Chisel Client - 3f12325a-4cc6-410b-8d4c-9fbbeb744cfd +- Potential Linux Tunneling and/or Port Forwarding - 6ee947e9-de7e-4281-a55d-09289bdf947e +- Potential Protocol Tunneling via EarthWorm - 9f1c4ca3-44b5-481d-ba42-32dc215a2769 + +### False positive analysis + +- If this activity is related to new benign software installation activity, consider adding exceptions — preferably with a combination of user and command line conditions. +- If this activity is related to a system administrator or developer who uses port tunneling for benign purposes, consider adding exceptions for specific user accounts or hosts. +- Try to understand the context of the execution by thinking about the user, machine, or business purpose. A small number of endpoints, such as servers with unique software, might appear unusual but satisfy a specific business need. + +### Response and remediation + +- Initiate the incident response process based on the outcome of the triage. +- Isolate the involved host to prevent further post-compromise behavior. +- If the triage identified malware, search the environment for additional compromised hosts. + - Implement temporary network rules, procedures, and segmentation to contain the malware. + - Stop suspicious processes. + - Immediately block the identified indicators of compromise (IoCs). + - Inspect the affected systems for additional malware backdoors, such as reverse shells, reverse proxies, or droppers, that attackers could use to reinfect the system. +- Remove and block malicious artifacts identified during triage. +- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services. +- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components. +- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector. +- Leverage the incident response data and logging to improve the mean time to detect (MTTD) and the mean time to respond (MTTR). +""" references = [ "https://blog.bitsadmin.com/living-off-the-foreign-land-windows-as-offensive-platform", "https://book.hacktricks.xyz/generic-methodologies-and-resources/tunneling-and-port-forwarding" ] risk_score = 47 rule_id = "ac8805f6-1e08-406c-962e-3937057fa86f" -setup = """ - -This rule requires data coming in from Elastic Defend. +setup = """This rule requires data coming in from Elastic Defend. ### Elastic Defend Integration Setup Elastic Defend is integrated into the Elastic Agent using Fleet. Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app. @@ -50,10 +134,15 @@ For more details on Elastic Agent configuration settings, refer to the [helper g - Click "Save and Continue". - To complete the integration, select "Add Elastic Agent to your hosts" and continue to the next section to install the Elastic Agent on your hosts. For more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html). - """ severity = "medium" -tags = ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Command and Control", "Data Source: Elastic Defend"] +tags = [ + "Domain: Endpoint", + "OS: Linux", + "Use Case: Threat Detection", + "Tactic: Command and Control", + "Data Source: Elastic Defend" + ] type = "eql" query = ''' sequence by host.id, process.entity_id with maxspan=1m diff --git a/rules/linux/command_and_control_linux_suspicious_proxychains_activity.toml b/rules/linux/command_and_control_linux_suspicious_proxychains_activity.toml index 1a731d9f0c4..78c72ee89a9 100644 --- a/rules/linux/command_and_control_linux_suspicious_proxychains_activity.toml +++ b/rules/linux/command_and_control_linux_suspicious_proxychains_activity.toml @@ -6,6 +6,31 @@ min_stack_comments = "New fields added: required_fields, related_integrations, s min_stack_version = "8.3.0" updated_date = "2023/11/02" +[transform] +[[transform.osquery]] +label = "Osquery - Retrieve Listening Ports" +query = "SELECT pid, address, port, socket, protocol, path FROM listening_ports" + +[[transform.osquery]] +label = "Osquery - Retrieve Open Sockets" +query = "SELECT pid, family, remote_address, remote_port, socket, state FROM process_open_sockets" + +[[transform.osquery]] +label = "Osquery - Retrieve Information for a Specific User" +query = "SELECT * FROM users WHERE username = {{user.name}}" + +[[transform.osquery]] +label = "Osquery - Investigate the Account Authentication Status" +query = "SELECT * FROM logged_in_users WHERE user = {{user.name}}" + +[[transform.osquery]] +label = "Osquery - Retrieve Running Processes by User" +query = "SELECT pid, username, name FROM processes p JOIN users u ON u.uid = p.uid ORDER BY username" + +[[transform.osquery]] +label = "Osquery - Retrieve Process Info" +query = "SELECT name, cmdline, parent, path, uid FROM processes" + [rule] author = ["Elastic"] description = """ @@ -19,12 +44,73 @@ index = ["logs-endpoint.events.*"] language = "eql" license = "Elastic License v2" name = "Suspicious Utility Launched via ProxyChains" +note = """## Triage and analysis + +### Investigating Suspicious Utility Launched via ProxyChains + +Attackers can leverage `proxychains` to obfuscate their origin and bypass network defenses by routing their malicious traffic through multiple intermediary servers. + +This rule looks for a list of suspicious processes spawned through `proxychains` by analyzing process command line arguments. + +> **Note**: +> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide. +> This investigation guide uses [placeholder fields](https://www.elastic.co/guide/en/security/current/osquery-placeholder-fields.html) to dynamically pass alert data into Osquery queries. Placeholder fields were introduced in Elastic Stack version 8.7.0. If you're using Elastic Stack version 8.6.0 or earlier, you'll need to manually adjust this investigation guide's queries to ensure they properly run. + +#### Possible investigation steps + +- Identify any signs of suspicious network activity or anomalies that may indicate network obfuscation. This could include unexpected traffic patterns or unusual network behavior. + - Investigate listening ports and open sockets to look for potential protocol tunneling, reverse shells, or data exfiltration. + - $osquery_0 + - $osquery_1 +- Identify the user account that performed the action, analyze it, and check whether it should perform this kind of action. + - $osquery_2 +- Investigate whether the user is currently logged in and active. + - $osquery_3 +- Investigate the script execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence and whether they are located in expected locations. + - $osquery_4 + - $osquery_5 +- Investigate other alerts associated with the user/host during the past 48 hours. + - If scripts or executables were dropped, retrieve the files and determine if they are malicious: + - Use a private sandboxed malware analysis system to perform analysis. + - Observe and collect information about the following activities: + - Attempts to contact external domains and addresses. + - Check if the domain is newly registered or unexpected. + - Check the reputation of the domain or IP address. + - File access, modification, and creation activities. + +### Related rules + +- ProxyChains Activity - 4b868f1f-15ff-4ba3-8c11-d5a7a6356d37 +- Potential Protocol Tunneling via Chisel Client - 3f12325a-4cc6-410b-8d4c-9fbbeb744cfd +- Potential Protocol Tunneling via Chisel Server - ac8805f6-1e08-406c-962e-3937057fa86f +- Potential Linux Tunneling and/or Port Forwarding - 6ee947e9-de7e-4281-a55d-09289bdf947e +- Potential Protocol Tunneling via EarthWorm - 9f1c4ca3-44b5-481d-ba42-32dc215a2769 + +### False positive analysis + +- If this activity is related to new benign software installation activity, consider adding exceptions — preferably with a combination of user and command line conditions. +- If this activity is related to a system administrator or developer who uses this utility for benign purposes, consider adding exceptions for specific user accounts or hosts. +- Try to understand the context of the execution by thinking about the user, machine, or business purpose. A small number of endpoints, such as servers with unique software, might appear unusual but satisfy a specific business need. + +### Response and remediation + +- Initiate the incident response process based on the outcome of the triage. +- Isolate the involved host to prevent further post-compromise behavior. +- If the triage identified malware, search the environment for additional compromised hosts. + - Implement temporary network rules, procedures, and segmentation to contain the malware. + - Stop suspicious processes. + - Immediately block the identified indicators of compromise (IoCs). + - Inspect the affected systems for additional malware backdoors, such as reverse shells, reverse proxies, or droppers, that attackers could use to reinfect the system. +- Remove and block malicious artifacts identified during triage. +- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services. +- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components. +- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector. +- Leverage the incident response data and logging to improve the mean time to detect (MTTD) and the mean time to respond (MTTR). +""" references = ["https://blog.bitsadmin.com/living-off-the-foreign-land-windows-as-offensive-platform"] risk_score = 21 rule_id = "6ace94ba-f02c-4d55-9f53-87d99b6f9af4" -setup = """ - -This rule requires data coming in from Elastic Defend. +setup = """This rule requires data coming in from Elastic Defend. ### Elastic Defend Integration Setup Elastic Defend is integrated into the Elastic Agent using Fleet. Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app. @@ -46,10 +132,15 @@ For more details on Elastic Agent configuration settings, refer to the [helper g - Click "Save and Continue". - To complete the integration, select "Add Elastic Agent to your hosts" and continue to the next section to install the Elastic Agent on your hosts. For more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html). - """ severity = "low" -tags = ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Command and Control", "Data Source: Elastic Defend"] +tags = [ + "Domain: Endpoint", + "OS: Linux", + "Use Case: Threat Detection", + "Tactic: Command and Control", + "Data Source: Elastic Defend" + ] timestamp_override = "event.ingested" type = "eql" query = ''' diff --git a/rules/linux/command_and_control_linux_tunneling_and_port_forwarding.toml b/rules/linux/command_and_control_linux_tunneling_and_port_forwarding.toml index 14b75139e0d..ba323098796 100644 --- a/rules/linux/command_and_control_linux_tunneling_and_port_forwarding.toml +++ b/rules/linux/command_and_control_linux_tunneling_and_port_forwarding.toml @@ -6,6 +6,31 @@ min_stack_comments = "New fields added: required_fields, related_integrations, s min_stack_version = "8.3.0" updated_date = "2023/11/02" +[transform] +[[transform.osquery]] +label = "Osquery - Retrieve Listening Ports" +query = "SELECT pid, address, port, socket, protocol, path FROM listening_ports" + +[[transform.osquery]] +label = "Osquery - Retrieve Open Sockets" +query = "SELECT pid, family, remote_address, remote_port, socket, state FROM process_open_sockets" + +[[transform.osquery]] +label = "Osquery - Retrieve Information for a Specific User" +query = "SELECT * FROM users WHERE username = {{user.name}}" + +[[transform.osquery]] +label = "Osquery - Investigate the Account Authentication Status" +query = "SELECT * FROM logged_in_users WHERE user = {{user.name}}" + +[[transform.osquery]] +label = "Osquery - Retrieve Running Processes by User" +query = "SELECT pid, username, name FROM processes p JOIN users u ON u.uid = p.uid ORDER BY username" + +[[transform.osquery]] +label = "Osquery - Retrieve Process Info" +query = "SELECT name, cmdline, parent, path, uid FROM processes" + [rule] author = ["Elastic"] description = """ @@ -18,15 +43,76 @@ index = ["logs-endpoint.events.*"] language = "eql" license = "Elastic License v2" name = "Potential Linux Tunneling and/or Port Forwarding" +note = """## Triage and analysis + +### Investigating Potential Linux Tunneling and/or Port Forwarding + +Attackers can leverage many utilities to clandestinely tunnel network communications and evade security measures, potentially gaining unauthorized access to sensitive systems. + +This rule looks for several utilities that are capable of setting up tunnel network communications by analyzing process names or command line arguments. + +> **Note**: +> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide. +> This investigation guide uses [placeholder fields](https://www.elastic.co/guide/en/security/current/osquery-placeholder-fields.html) to dynamically pass alert data into Osquery queries. Placeholder fields were introduced in Elastic Stack version 8.7.0. If you're using Elastic Stack version 8.6.0 or earlier, you'll need to manually adjust this investigation guide's queries to ensure they properly run. + +#### Possible investigation steps + +- Identify any signs of suspicious network activity or anomalies that may indicate protocol tunneling. This could include unexpected traffic patterns or unusual network behavior. + - Investigate listening ports and open sockets to look for potential protocol tunneling, reverse shells, or data exfiltration. + - $osquery_0 + - $osquery_1 +- Identify the user account that performed the action, analyze it, and check whether it should perform this kind of action. + - $osquery_2 +- Investigate whether the user is currently logged in and active. + - $osquery_3 +- Investigate the script execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence and whether they are located in expected locations. + - $osquery_4 + - $osquery_5 +- Investigate other alerts associated with the user/host during the past 48 hours. + - If scripts or executables were dropped, retrieve the files and determine if they are malicious: + - Use a private sandboxed malware analysis system to perform analysis. + - Observe and collect information about the following activities: + - Attempts to contact external domains and addresses. + - Check if the domain is newly registered or unexpected. + - Check the reputation of the domain or IP address. + - File access, modification, and creation activities. + +### Related rules + +- Potential Protocol Tunneling via Chisel Client - 3f12325a-4cc6-410b-8d4c-9fbbeb744cfd +- Potential Protocol Tunneling via Chisel Server - ac8805f6-1e08-406c-962e-3937057fa86f +- Potential Protocol Tunneling via EarthWorm - 9f1c4ca3-44b5-481d-ba42-32dc215a2769 +- Suspicious Utility Launched via ProxyChains - 6ace94ba-f02c-4d55-9f53-87d99b6f9af4 +- ProxyChains Activity - 4b868f1f-15ff-4ba3-8c11-d5a7a6356d37 + +### False positive analysis + +- If this activity is related to new benign software installation activity, consider adding exceptions — preferably with a combination of user and command line conditions. +- If this activity is related to a system administrator or developer who uses port tunneling/forwarding for benign purposes, consider adding exceptions for specific user accounts or hosts. +- Try to understand the context of the execution by thinking about the user, machine, or business purpose. A small number of endpoints, such as servers with unique software, might appear unusual but satisfy a specific business need. + +### Response and remediation + +- Initiate the incident response process based on the outcome of the triage. +- Isolate the involved host to prevent further post-compromise behavior. +- If the triage identified malware, search the environment for additional compromised hosts. + - Implement temporary network rules, procedures, and segmentation to contain the malware. + - Stop suspicious processes. + - Immediately block the identified indicators of compromise (IoCs). + - Inspect the affected systems for additional malware backdoors, such as reverse shells, reverse proxies, or droppers, that attackers could use to reinfect the system. +- Remove and block malicious artifacts identified during triage. +- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services. +- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components. +- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector. +- Leverage the incident response data and logging to improve the mean time to detect (MTTD) and the mean time to respond (MTTR). +""" references = [ "https://blog.bitsadmin.com/living-off-the-foreign-land-windows-as-offensive-platform", "https://book.hacktricks.xyz/generic-methodologies-and-resources/tunneling-and-port-forwarding" ] risk_score = 47 rule_id = "6ee947e9-de7e-4281-a55d-09289bdf947e" -setup = """ - -This rule requires data coming in from Elastic Defend. +setup = """This rule requires data coming in from Elastic Defend. ### Elastic Defend Integration Setup Elastic Defend is integrated into the Elastic Agent using Fleet. Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app. @@ -48,10 +134,15 @@ For more details on Elastic Agent configuration settings, refer to the [helper g - Click "Save and Continue". - To complete the integration, select "Add Elastic Agent to your hosts" and continue to the next section to install the Elastic Agent on your hosts. For more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html). - """ severity = "medium" -tags = ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Command and Control", "Data Source: Elastic Defend"] +tags = [ + "Domain: Endpoint", + "OS: Linux", + "Use Case: Threat Detection", + "Tactic: Command and Control", + "Data Source: Elastic Defend" + ] timestamp_override = "event.ingested" type = "eql" query = ''' diff --git a/rules/linux/command_and_control_tunneling_via_earthworm.toml b/rules/linux/command_and_control_tunneling_via_earthworm.toml index 9c14393975c..34e0666b326 100644 --- a/rules/linux/command_and_control_tunneling_via_earthworm.toml +++ b/rules/linux/command_and_control_tunneling_via_earthworm.toml @@ -6,6 +6,31 @@ min_stack_comments = "New fields added: required_fields, related_integrations, s min_stack_version = "8.3.0" updated_date = "2023/11/02" +[transform] +[[transform.osquery]] +label = "Osquery - Retrieve Listening Ports" +query = "SELECT pid, address, port, socket, protocol, path FROM listening_ports" + +[[transform.osquery]] +label = "Osquery - Retrieve Open Sockets" +query = "SELECT pid, family, remote_address, remote_port, socket, state FROM process_open_sockets" + +[[transform.osquery]] +label = "Osquery - Retrieve Information for a Specific User" +query = "SELECT * FROM users WHERE username = {{user.name}}" + +[[transform.osquery]] +label = "Osquery - Investigate the Account Authentication Status" +query = "SELECT * FROM logged_in_users WHERE user = {{user.name}}" + +[[transform.osquery]] +label = "Osquery - Retrieve Running Processes by User" +query = "SELECT pid, username, name FROM processes p JOIN users u ON u.uid = p.uid ORDER BY username" + +[[transform.osquery]] +label = "Osquery - Retrieve Process Info" +query = "SELECT name, cmdline, parent, path, uid FROM processes" + [rule] author = ["Elastic"] description = """ @@ -18,17 +43,74 @@ index = ["auditbeat-*", "logs-endpoint.events.*", "endgame-*"] language = "eql" license = "Elastic License v2" name = "Potential Protocol Tunneling via EarthWorm" +note = """## Triage and analysis + +### Investigating Potential Protocol Tunneling via EarthWorm + +Attackers can leverage `earthworm` to clandestinely tunnel network communications and evade security measures, potentially gaining unauthorized access to sensitive systems. + +This rule looks for several command line arguments that are consistent with `earthworm` tunneling behavior. + +> **Note**: +> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide. +> This investigation guide uses [placeholder fields](https://www.elastic.co/guide/en/security/current/osquery-placeholder-fields.html) to dynamically pass alert data into Osquery queries. Placeholder fields were introduced in Elastic Stack version 8.7.0. If you're using Elastic Stack version 8.6.0 or earlier, you'll need to manually adjust this investigation guide's queries to ensure they properly run. + +#### Possible investigation steps + +- Identify any signs of suspicious network activity or anomalies that may indicate protocol tunneling. This could include unexpected traffic patterns or unusual network behavior. + - Investigate listening ports and open sockets to look for potential protocol tunneling, reverse shells, or data exfiltration. + - $osquery_0 + - $osquery_1 +- Identify the user account that performed the action, analyze it, and check whether it should perform this kind of action. + - $osquery_2 +- Investigate whether the user is currently logged in and active. + - $osquery_3 +- Investigate the script execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence and whether they are located in expected locations. + - $osquery_4 + - $osquery_5 +- Investigate other alerts associated with the user/host during the past 48 hours. + - If scripts or executables were dropped, retrieve the files and determine if they are malicious: + - Use a private sandboxed malware analysis system to perform analysis. + - Observe and collect information about the following activities: + - Attempts to contact external domains and addresses. + - Check if the domain is newly registered or unexpected. + - Check the reputation of the domain or IP address. + - File access, modification, and creation activities. + +### Related rules + +- Potential Protocol Tunneling via Chisel Client - 3f12325a-4cc6-410b-8d4c-9fbbeb744cfd +- Potential Protocol Tunneling via Chisel Server - ac8805f6-1e08-406c-962e-3937057fa86f +- Potential Linux Tunneling and/or Port Forwarding - 6ee947e9-de7e-4281-a55d-09289bdf947e + +### False positive analysis + +- If this activity is related to new benign software installation activity, consider adding exceptions — preferably with a combination of user and command line conditions. +- If this activity is related to a system administrator or developer who uses port tunneling for benign purposes, consider adding exceptions for specific user accounts or hosts. +- Try to understand the context of the execution by thinking about the user, machine, or business purpose. A small number of endpoints, such as servers with unique software, might appear unusual but satisfy a specific business need. + +### Response and remediation + +- Initiate the incident response process based on the outcome of the triage. +- Isolate the involved host to prevent further post-compromise behavior. +- If the triage identified malware, search the environment for additional compromised hosts. + - Implement temporary network rules, procedures, and segmentation to contain the malware. + - Stop suspicious processes. + - Immediately block the identified indicators of compromise (IoCs). + - Inspect the affected systems for additional malware backdoors, such as reverse shells, reverse proxies, or droppers, that attackers could use to reinfect the system. +- Remove and block malicious artifacts identified during triage. +- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services. +- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components. +- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector. +- Leverage the incident response data and logging to improve the mean time to detect (MTTD) and the mean time to respond (MTTR). +""" references = [ "http://rootkiter.com/EarthWorm/", "https://decoded.avast.io/luigicamastra/apt-group-targeting-governmental-agencies-in-east-asia/", ] risk_score = 47 rule_id = "9f1c4ca3-44b5-481d-ba42-32dc215a2769" -setup = """ - -This rule requires data coming in from one of the following integrations: -- Elastic Defend -- Auditbeat +setup = """This rule requires data coming in either from Elastic Defend, or Auditbeat integration. ### Elastic Defend Integration Setup Elastic Defend is integrated into the Elastic Agent using Fleet. Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app. @@ -66,7 +148,14 @@ For versions <8.2, you need to add a custom ingest pipeline to populate `event.i """ severity = "medium" -tags = ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Command and Control", "Data Source: Elastic Endgame", "Data Source: Elastic Defend"] +tags = [ + "Domain: Endpoint", + "OS: Linux", + "Use Case: Threat Detection", + "Tactic: Command and Control", + "Data Source: Elastic Endgame", + "Data Source: Elastic Defend" + ] timestamp_override = "event.ingested" type = "eql" diff --git a/rules_building_block/command_and_control_linux_proxychains_activity.toml b/rules_building_block/command_and_control_linux_proxychains_activity.toml index 9397843704b..4102e9dacbb 100644 --- a/rules_building_block/command_and_control_linux_proxychains_activity.toml +++ b/rules_building_block/command_and_control_linux_proxychains_activity.toml @@ -6,6 +6,31 @@ min_stack_comments = "New fields added: required_fields, related_integrations, s min_stack_version = "8.3.0" updated_date = "2023/08/23" +[transform] +[[transform.osquery]] +label = "Osquery - Retrieve Listening Ports" +query = "SELECT pid, address, port, socket, protocol, path FROM listening_ports" + +[[transform.osquery]] +label = "Osquery - Retrieve Open Sockets" +query = "SELECT pid, family, remote_address, remote_port, socket, state FROM process_open_sockets" + +[[transform.osquery]] +label = "Osquery - Retrieve Information for a Specific User" +query = "SELECT * FROM users WHERE username = {{user.name}}" + +[[transform.osquery]] +label = "Osquery - Investigate the Account Authentication Status" +query = "SELECT * FROM logged_in_users WHERE user = {{user.name}}" + +[[transform.osquery]] +label = "Osquery - Retrieve Running Processes by User" +query = "SELECT pid, username, name FROM processes p JOIN users u ON u.uid = p.uid ORDER BY username" + +[[transform.osquery]] +label = "Osquery - Retrieve Process Info" +query = "SELECT name, cmdline, parent, path, uid FROM processes" + [rule] author = ["Elastic"] building_block_type = "default" @@ -21,11 +46,81 @@ index = ["logs-endpoint.events.*"] language = "eql" license = "Elastic License v2" name = "ProxyChains Activity" +note = """## Triage and analysis + +### Investigating ProxyChains Activity + +Attackers can leverage `proxychains` to obfuscate their origin and bypass network defenses by routing their malicious traffic through multiple intermediary servers. + +This rule looks for processes spawned through `proxychains` by analyzing `proxychains` process execution. + +> **Note**: +> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide. +> This investigation guide uses [placeholder fields](https://www.elastic.co/guide/en/security/current/osquery-placeholder-fields.html) to dynamically pass alert data into Osquery queries. Placeholder fields were introduced in Elastic Stack version 8.7.0. If you're using Elastic Stack version 8.6.0 or earlier, you'll need to manually adjust this investigation guide's queries to ensure they properly run. + +#### Possible investigation steps + +- Identify any signs of suspicious network activity or anomalies that may indicate network obfuscation. This could include unexpected traffic patterns or unusual network behavior. + - Investigate listening ports and open sockets to look for potential protocol tunneling, reverse shells, or data exfiltration. + - $osquery_0 + - $osquery_1 +- Identify the user account that performed the action, analyze it, and check whether it should perform this kind of action. + - $osquery_2 +- Investigate whether the user is currently logged in and active. + - $osquery_3 +- Investigate the script execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence and whether they are located in expected locations. + - $osquery_4 + - $osquery_5 +- Investigate other alerts associated with the user/host during the past 48 hours. + - If scripts or executables were dropped, retrieve the files and determine if they are malicious: + - Use a private sandboxed malware analysis system to perform analysis. + - Observe and collect information about the following activities: + - Attempts to contact external domains and addresses. + - Check if the domain is newly registered or unexpected. + - Check the reputation of the domain or IP address. + - File access, modification, and creation activities. + +### Related rules + +- Suspicious Utility Launched via ProxyChains - 6ace94ba-f02c-4d55-9f53-87d99b6f9af4 +- Potential Protocol Tunneling via Chisel Client - 3f12325a-4cc6-410b-8d4c-9fbbeb744cfd +- Potential Protocol Tunneling via Chisel Server - ac8805f6-1e08-406c-962e-3937057fa86f +- Potential Linux Tunneling and/or Port Forwarding - 6ee947e9-de7e-4281-a55d-09289bdf947e +- Potential Protocol Tunneling via EarthWorm - 9f1c4ca3-44b5-481d-ba42-32dc215a2769 + +### False positive analysis + +- If this activity is related to new benign software installation activity, consider adding exceptions — preferably with a combination of user and command line conditions. +- If this activity is related to a system administrator or developer who uses this utility for benign purposes, consider adding exceptions for specific user accounts or hosts. +- Try to understand the context of the execution by thinking about the user, machine, or business purpose. A small number of endpoints, such as servers with unique software, might appear unusual but satisfy a specific business need. + +### Response and remediation + +- Initiate the incident response process based on the outcome of the triage. +- Isolate the involved host to prevent further post-compromise behavior. +- If the triage identified malware, search the environment for additional compromised hosts. + - Implement temporary network rules, procedures, and segmentation to contain the malware. + - Stop suspicious processes. + - Immediately block the identified indicators of compromise (IoCs). + - Inspect the affected systems for additional malware backdoors, such as reverse shells, reverse proxies, or droppers, that attackers could use to reinfect the system. +- Remove and block malicious artifacts identified during triage. +- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services. +- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components. +- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector. +- Leverage the incident response data and logging to improve the mean time to detect (MTTD) and the mean time to respond (MTTR). +""" references = ["https://blog.bitsadmin.com/living-off-the-foreign-land-windows-as-offensive-platform"] risk_score = 21 rule_id = "4b868f1f-15ff-4ba3-8c11-d5a7a6356d37" severity = "low" -tags = ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Command and Control", "Data Source: Elastic Defend", "Rule Type: BBR"] +tags = [ + "Domain: Endpoint", + "OS: Linux", + "Use Case: Threat Detection", + "Tactic: Command and Control", + "Data Source: Elastic Defend", + "Rule Type: BBR" + ] timestamp_override = "event.ingested" type = "eql" query = ''' diff --git a/rules_building_block/command_and_control_linux_ssh_x11_forwarding.toml b/rules_building_block/command_and_control_linux_ssh_x11_forwarding.toml index aa4a1f00287..90053a120f2 100644 --- a/rules_building_block/command_and_control_linux_ssh_x11_forwarding.toml +++ b/rules_building_block/command_and_control_linux_ssh_x11_forwarding.toml @@ -6,6 +6,31 @@ min_stack_comments = "New fields added: required_fields, related_integrations, s min_stack_version = "8.3.0" updated_date = "2023/08/23" +[transform] +[[transform.osquery]] +label = "Osquery - Retrieve Listening Ports" +query = "SELECT pid, address, port, socket, protocol, path FROM listening_ports" + +[[transform.osquery]] +label = "Osquery - Retrieve Open Sockets" +query = "SELECT pid, family, remote_address, remote_port, socket, state FROM process_open_sockets" + +[[transform.osquery]] +label = "Osquery - Retrieve Information for a Specific User" +query = "SELECT * FROM users WHERE username = {{user.name}}" + +[[transform.osquery]] +label = "Osquery - Investigate the Account Authentication Status" +query = "SELECT * FROM logged_in_users WHERE user = {{user.name}}" + +[[transform.osquery]] +label = "Osquery - Retrieve Running Processes by User" +query = "SELECT pid, username, name FROM processes p JOIN users u ON u.uid = p.uid ORDER BY username" + +[[transform.osquery]] +label = "Osquery - Retrieve Process Info" +query = "SELECT name, cmdline, parent, path, uid FROM processes" + [rule] author = ["Elastic"] building_block_type = "default" @@ -21,11 +46,77 @@ index = ["logs-endpoint.events.*"] language = "eql" license = "Elastic License v2" name = "Potential Linux SSH X11 Forwarding" +note = """## Triage and analysis + +### Investigating Potential Linux SSH X11 Forwarding + +Attackers can leverage SSH X11 forwarding to capture a user's graphical desktop session and potentially execute unauthorized GUI applications remotely. + +This rule looks for the execution of SSH in conjunction with command line arguments that are capable of setting up X11 forwarding. + +> **Note**: +> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide. +> This investigation guide uses [placeholder fields](https://www.elastic.co/guide/en/security/current/osquery-placeholder-fields.html) to dynamically pass alert data into Osquery queries. Placeholder fields were introduced in Elastic Stack version 8.7.0. If you're using Elastic Stack version 8.6.0 or earlier, you'll need to manually adjust this investigation guide's queries to ensure they properly run. + +#### Possible investigation steps + +- Identify any signs of suspicious network activity or anomalies that may indicate network forwarding activity. This could include unexpected traffic patterns or unusual network behavior. + - Investigate listening ports and open sockets to look for potential protocol tunneling, reverse shells, or data exfiltration. + - $osquery_0 + - $osquery_1 +- Identify the user account that performed the action, analyze it, and check whether it should perform this kind of action. + - $osquery_2 +- Investigate whether the user is currently logged in and active. + - $osquery_3 +- Investigate the script execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence and whether they are located in expected locations. + - $osquery_4 + - $osquery_5 +- Investigate other alerts associated with the user/host during the past 48 hours. + - If scripts or executables were dropped, retrieve the files and determine if they are malicious: + - Use a private sandboxed malware analysis system to perform analysis. + - Observe and collect information about the following activities: + - Attempts to contact external domains and addresses. + - Check if the domain is newly registered or unexpected. + - Check the reputation of the domain or IP address. + - File access, modification, and creation activities. + +### Related rules + +- Potential Linux Tunneling and/or Port Forwarding - 6ee947e9-de7e-4281-a55d-09289bdf947e + +### False positive analysis + +- If this activity is related to new benign software installation activity, consider adding exceptions — preferably with a combination of user and command line conditions. +- If this activity is related to a system administrator or developer who uses port tunneling/forwarding for benign purposes, consider adding exceptions for specific user accounts or hosts. +- Try to understand the context of the execution by thinking about the user, machine, or business purpose. A small number of endpoints, such as servers with unique software, might appear unusual but satisfy a specific business need. + +### Response and remediation + +- Initiate the incident response process based on the outcome of the triage. +- Isolate the involved host to prevent further post-compromise behavior. +- If the triage identified malware, search the environment for additional compromised hosts. + - Implement temporary network rules, procedures, and segmentation to contain the malware. + - Stop suspicious processes. + - Immediately block the identified indicators of compromise (IoCs). + - Inspect the affected systems for additional malware backdoors, such as reverse shells, reverse proxies, or droppers, that attackers could use to reinfect the system. +- Remove and block malicious artifacts identified during triage. +- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services. +- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components. +- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector. +- Leverage the incident response data and logging to improve the mean time to detect (MTTD) and the mean time to respond (MTTR). +""" references = ["https://book.hacktricks.xyz/generic-methodologies-and-resources/tunneling-and-port-forwarding"] risk_score = 21 rule_id = "29f0cf93-d17c-4b12-b4f3-a433800539fa" severity = "low" -tags = ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Command and Control", "Data Source: Elastic Defend", "Rule Type: BBR"] +tags = [ + "Domain: Endpoint", + "OS: Linux", + "Use Case: Threat Detection", + "Tactic: Command and Control", + "Data Source: Elastic Defend", + "Rule Type: BBR" + ] timestamp_override = "event.ingested" type = "eql" query = ''' diff --git a/rules_building_block/command_and_control_non_standard_http_port.toml b/rules_building_block/command_and_control_non_standard_http_port.toml index 72414c1af5d..02aa24f06d5 100644 --- a/rules_building_block/command_and_control_non_standard_http_port.toml +++ b/rules_building_block/command_and_control_non_standard_http_port.toml @@ -6,6 +6,31 @@ min_stack_comments = "New fields added: required_fields, related_integrations, s min_stack_version = "8.3.0" updated_date = "2023/07/26" +[transform] +[[transform.osquery]] +label = "Osquery - Retrieve Listening Ports" +query = "SELECT pid, address, port, socket, protocol, path FROM listening_ports" + +[[transform.osquery]] +label = "Osquery - Retrieve Open Sockets" +query = "SELECT pid, family, remote_address, remote_port, socket, state FROM process_open_sockets" + +[[transform.osquery]] +label = "Osquery - Retrieve Information for a Specific User" +query = "SELECT * FROM users WHERE username = {{user.name}}" + +[[transform.osquery]] +label = "Osquery - Investigate the Account Authentication Status" +query = "SELECT * FROM logged_in_users WHERE user = {{user.name}}" + +[[transform.osquery]] +label = "Osquery - Retrieve Running Processes by User" +query = "SELECT pid, username, name FROM processes p JOIN users u ON u.uid = p.uid ORDER BY username" + +[[transform.osquery]] +label = "Osquery - Retrieve Process Info" +query = "SELECT name, cmdline, parent, path, uid FROM processes" + [rule] author = ["Elastic"] building_block_type = "default" @@ -21,10 +46,76 @@ index = ["logs-endpoint.events.*"] language = "eql" license = "Elastic License v2" name = "Potential Non-Standard Port HTTP/HTTPS connection" +note = """## Triage and analysis + +### Investigating Potential Non-Standard Port HTTP/HTTPS connection + +Attackers may alter standard protocol ports, like using HTTP on port 8443 instead of 80, to bypass network filtering and complicate network data analysis. + +This rule looks for HTTP/HTTPS processes where the destination port is not any of the default 80/443 HTTP/HTTPS ports. + +> **Note**: +> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide. +> This investigation guide uses [placeholder fields](https://www.elastic.co/guide/en/security/current/osquery-placeholder-fields.html) to dynamically pass alert data into Osquery queries. Placeholder fields were introduced in Elastic Stack version 8.7.0. If you're using Elastic Stack version 8.6.0 or earlier, you'll need to manually adjust this investigation guide's queries to ensure they properly run. + +#### Possible investigation steps + +- Identify any signs of suspicious network activity or anomalies that may indicate command and control activity or data exfiltration. This could include unexpected traffic patterns or unusual network behavior. + - Investigate listening ports and open sockets to look for potential suspicious network traffic, reverse shells or data exfiltration. + - $osquery_0 + - $osquery_1 +- Identify the user account that performed the action, analyze it, and check whether it should perform this kind of action. + - $osquery_2 +- Investigate whether the user is currently logged in and active. + - $osquery_3 +- Investigate the script execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence and whether they are located in expected locations. + - $osquery_4 + - $osquery_5 +- Investigate other alerts associated with the user/host during the past 48 hours. + - If scripts or executables were dropped, retrieve the files and determine if they are malicious: + - Use a private sandboxed malware analysis system to perform analysis. + - Observe and collect information about the following activities: + - Attempts to contact external domains and addresses. + - Check if the domain is newly registered or unexpected. + - Check the reputation of the domain or IP address. + - File access, modification, and creation activities. + +### Related rules + +- Suspicious Network Activity to the Internet by Previously Unknown Executable - 53617418-17b4-4e9c-8a2c-8deb8086ca4b + +### False positive analysis + +- If this activity is related to new benign software installation activity, consider adding exceptions — preferably with a combination of user and command line conditions. +- Try to understand the context of the execution by thinking about the user, machine, or business purpose. A small number of endpoints, such as servers with unique software, might appear unusual but satisfy a specific business need. + +### Response and remediation + +- Initiate the incident response process based on the outcome of the triage. +- Isolate the involved host to prevent further post-compromise behavior. +- If the triage identified malware, search the environment for additional compromised hosts. + - Implement temporary network rules, procedures, and segmentation to contain the malware. + - Stop suspicious processes. + - Immediately block the identified indicators of compromise (IoCs). + - Inspect the affected systems for additional malware backdoors, such as reverse shells, reverse proxies, or droppers, that attackers could use to reinfect the system. +- Remove and block malicious artifacts identified during triage. +- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services. +- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components. +- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector. +- Leverage the incident response data and logging to improve the mean time to detect (MTTD) and the mean time to respond (MTTR). +""" risk_score = 21 rule_id = "62b68eb2-1e47-4da7-85b6-8f478db5b272" severity = "low" -tags = ["Domain: Endpoint", "OS: Linux", "OS: macOS", "Use Case: Threat Detection", "Tactic: Command and Control", "Rule Type: BBR", "Data Source: Elastic Defend"] +tags = [ + "Domain: Endpoint", + "OS: Linux", + "OS: macOS", + "Use Case: Threat Detection", + "Tactic: Command and Control", + "Rule Type: BBR", + "Data Source: Elastic Defend" + ] timestamp_override = "event.ingested" type = "eql" query = '''