
Commit 4c984b0

authored
[Rule Tuning] Potential Execution via XZBackdoor (#5318)
1 parent 38d38f2 commit 4c984b0

1 file changed

+10
-13
lines changed


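--- a/rules/linux/persistence_suspicious_ssh_execution_xzbackdoor.toml
+++ b/rules/linux/persistence_suspicious_ssh_execution_xzbackdoor.toml
@@ -2,7 +2,7 @@
 creation_date = "2024/04/01"
 integration = ["endpoint"]
 maturity = "production"
-updated_date = "2025/02/04"
+updated_date = "2025/11/14"
 
 [rule]
 author = ["Elastic"]
@@ -35,19 +35,16 @@ tags = [
 ]
 timestamp_override = "event.ingested"
 type = "eql"
-
 query = '''
-sequence by host.id, user.id with maxspan=1s
-[process where host.os.type == "linux" and event.type == "start" and event.action == "exec" and process.name == "sshd" and
-process.args == "-D" and process.args == "-R"] by process.pid, process.entity_id
-[process where host.os.type == "linux" and event.type == "start" and event.action == "exec" and process.parent.name == "sshd" and
-process.executable != null and not (
-process.executable in ("/usr/sbin/sshd", "/usr/sbin/unix_chkpwd", "/usr/bin/google_authorized_keys", "/usr/bin/fipscheck") or
-process.args like ("rsync*", "systemctl*", "/usr/sbin/unix_chkpwd", "/usr/bin/google_authorized_keys", "/usr/sbin/aad_certhandler*") or
-process.command_line like "sh -c /usr/bin/env -i PATH=*"
-)] by process.parent.pid, process.parent.entity_id
-[process where host.os.type == "linux" and event.action == "end" and process.name == "sshd" and process.exit_code != 0] by process.pid, process.entity_id
-[network where host.os.type == "linux" and event.type == "end" and event.action == "disconnect_received" and process.name == "sshd"] by process.pid, process.entity_id
+sequence by host.id with maxspan=1m
+[process where host.os.type == "linux" and event.action == "end" and process.name == "sshd" and process.exit_code != 0] by process.entity_id
+[process where host.os.type == "linux" and event.type == "start" and event.action == "exec" and
+process.parent.name == "sshd" and process.parent.args == "-D" and process.parent.args == "-R" and
+process.name in ("bash", "dash", "sh", "tcsh", "csh", "zsh", "ksh", "fish") and process.args == "-c" and
+not (
+process.args like ("rsync*", "systemctl*", "/usr/sbin/unix_chkpwd", "/usr/bin/google_authorized_keys", "/usr/sbin/aad_certhandler*") or
+process.command_line like ("sh -c /usr/bin/env -i PATH=*", "sh -c -- /usr/bin/env -i PATH=*")
+)] by process.parent.entity_id
 '''
 note = """## Triage and analysis
 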
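Review bot: The rewritten sequence at new lines 39–47 requires the sshd `end` event with `process.exit_code != 0` (joined by `process.entity_id`) to precede the `exec` of that same sshd's child shell (joined by `process.parent.entity_id`), which is the reverse of process-lifecycle order, so it can only match if events are ordered by something other than wall-clock start/end time — presumably `event.ingested` via `timestamp_override`, but nothing in the hunk says so. If that ordering is deliberate, a comment above `query` such as `# Step order is intentional: ordered on event.ingested, the parent sshd exit is expected to land before the child exec event` would stop the next tuning pass from "correcting" it; if it is not, the rule will never fire. Dropping `user.id` from the join and widening `maxspan` from 1s to 1m are defensible for a rule this narrow, but the `note = """## Triage and analysis` block that begins at new line 49 continues outside the hunk and should be checked for wording that still describes the removed `sshd -D -R` start step and the network `disconnect_received` step. The carried-forward `not (...)` exclusion on `process.command_line like (...)` keys on the content of the executed command itself rather than on any sshd property, so it narrows coverage in a way the rule's false-positive notes should state explicitly.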