
Commit 37fbac5

updating query logic to use coalesce
1 parent 8d539fc commit 37fbac5


1 file changed

+25
-30
lines changed


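--- a/rules/cross-platform/execution_aws_ec2_lolbin_via_ssm.toml
+++ b/rules/cross-platform/execution_aws_ec2_lolbin_via_ssm.toml
@@ -74,9 +74,9 @@ references = [
 "https://hackingthe.cloud/aws/post_exploitation/run_shell_commands_on_ec2/",
 "https://gtfobins.github.io/",
 ]
-risk_score = 73
+risk_score = 47
 rule_id = "a8b3e2f0-8c7d-11ef-b4c6-f661ea17fbcd"
-severity = "high"
+severity = "medium"
 tags = [
 "Domain: Cloud",
 "Domain: Endpoint",
@@ -109,24 +109,23 @@ FROM logs-aws.cloudtrail*, logs-endpoint.* METADATA _id, _version, _index
 AND host.os.type == "linux"
 AND (
 // SSM shell (_script.sh) runner
-process.command_line LIKE "*/document/orchestration/%/awsrunShellScript/*/_script.sh"
+process.command_line LIKE "%/document/orchestration/%/awsrunShellScript/%/_script.sh"
 // LOLBins / GTFOBins
-OR process.executable IN (
-"/usr/bin/base64",
-"/usr/bin/curl",
-"/usr/bin/wget",
-"/usr/bin/openssl",
-"/usr/bin/nc", "/bin/nc",
-"/usr/bin/ncat", "/usr/bin/netcat",
-"/usr/bin/socat",
-"/usr/bin/python", "/usr/bin/python3",
-"/usr/bin/perl",
-"/usr/bin/php",
-"/usr/bin/ruby",
-"/usr/bin/ssh",
-"/usr/bin/scp",
-"/usr/bin/sftp",
-"/usr/bin/rsync"
+OR process.name IN (
+"base64",
+"curl",
+"wget",
+"openssl",
+"nc", "ncat", "netcat",
+"socat",
+"python", "python3",
+"perl",
+"php",
+"ruby",
+"ssh",
+"scp",
+"sftp",
+"rsync"
 )
 )
 )
@@ -139,15 +138,11 @@ FROM logs-aws.cloudtrail*, logs-endpoint.* METADATA _id, _version, _index
 | DISSECT aws.cloudtrail.response_elements
 "%{}commandId=%{Esql.aws_cloudtrail_response_elements_ssm_command_id},%{}"
 
-// Normalize into a single SSM command id
-| EVAL Esql.aws_ssm_command_id =
-CASE(
-event.dataset == "aws.cloudtrail", Esql.aws_cloudtrail_response_elements_ssm_command_id,
-CASE(
-event.dataset == "endpoint.events.process", Esql.process_parent_command_line_ssm_command_id,
-null
-)
-)
+// Coalesce SSM command ID from both data sources
+| EVAL Esql.aws_ssm_command_id = COALESCE(
+Esql.aws_cloudtrail_response_elements_ssm_command_id,
+Esql.process_parent_command_line_ssm_command_id
+)
 | WHERE Esql.aws_ssm_command_id IS NOT NULL
 
 // Role flags
@@ -157,7 +152,7 @@ FROM logs-aws.cloudtrail*, logs-endpoint.* METADATA _id, _version, _index
 // Identify the SSM shell processes (the _script.sh runners)
 | EVAL Esql.is_ssm_shell_process =
 Esql.is_endpoint_event
-AND process.command_line LIKE "*/document/orchestration/*/awsrunShellScript/*/_script.sh"
+AND process.command_line LIKE "%/document/orchestration/%/awsrunShellScript/%/_script.sh"
 
 // LOLBins / GTFOBins on Linux
 | EVAL Esql.is_lolbin_process =
@@ -219,7 +214,7 @@ FROM logs-aws.cloudtrail*, logs-endpoint.* METADATA _id, _version, _index
 Esql.aws_cloudtrail_first_event_ts
 ) <= 5
 | SORT Esql.aws_cloudtrail_first_event_ts ASC
-| KEEP Esql.*, Esql_priv.*, @timestamp
+| KEEP Esql.*, Esql_priv.*
 '''
 
 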
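Review bot: The rewritten `LIKE` patterns at new lines 112 and 155 use `%` as the wildcard, but this query is ES|QL (`FROM … METADATA _id`, `| DISSECT`, `| EVAL`), whose `LIKE` treats only `*` and `?` as wildcards and matches `%` literally, so neither predicate can match a real `_script.sh` path and the SSM-shell leg of the rule would silently stop firing. The old line 112 already mixed `*` and `%`, which looks like the typo being propagated rather than the SQL convention being adopted; unless the engine is something other than ES|QL, both lines should read `process.command_line LIKE "*/document/orchestration/*/awsrunShellScript/*/_script.sh"`. The `COALESCE` at new line 142 is equivalent to the removed nested `CASE` only while each row carries exactly one of the two id fields, which holds for the two datasets filtered above but is worth a one-line comment such as `// each event carries at most one of these ids (cloudtrail vs endpoint)`. Dropping `@timestamp` from `KEEP` at new line 217 is presumably because it no longer survives the aggregation upstream; confirm nothing downstream still reads it. The query string begins and continues outside every hunk shown.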