
Commit c09386c

[Rule Tuning] Suspicious Network Connection via systemd
1 parent 793ecfe commit c09386c


1 file changed

+26
-3
lines changed


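--- a/rules/linux/persistence_systemd_netcon.toml
+++ b/rules/linux/persistence_systemd_netcon.toml
@@ -2,7 +2,7 @@
 creation_date = "2024/02/01"
 integration = ["endpoint"]
 maturity = "production"
-updated_date = "2025/02/04"
+updated_date = "2025/12/09"
 
 [rule]
 author = ["Elastic"]
@@ -61,8 +61,31 @@ type = "eql"
 query = '''
 sequence by host.id with maxspan=5s
 [process where host.os.type == "linux" and event.type == "start" and event.action == "exec" and
-process.parent.name == "systemd" and process.name in (
-"python*", "php*", "perl", "ruby", "lua*", "openssl", "nc", "netcat", "ncat", "telnet", "awk"
+process.parent.name == "systemd" and (
+process.name in (
+"openssl", "nc", "ncat", "netcat", "nc.openbsd", "nc.traditional", "socat", "busybox", "mkfifo",
+"nohup", "setsid", "xterm", "telnet", "awk"
+) or
+(process.name : "python*" and process.args : "-c" and process.args : (
+"*import*pty*spawn*", "*import*subprocess*call*"
+)) or
+(process.name : "perl*" and process.args : "-e" and process.args : "*socket*" and process.args : (
+"*exec*", "*system*"
+)) or
+(process.name : "ruby*" and process.args : ("-e", "-rsocket") and process.args : (
+"*TCPSocket.new*", "*TCPSocket.open*"
+)) or
+(process.name : "lua*" and process.args : "-e" and process.args : "*socket.tcp*" and process.args : (
+"*io.popen*", "*os.execute*"
+)) or
+(process.name : "php*" and process.args : "-r" and process.args : "*fsockopen*" and process.args : "*/bin/*sh*") or
+(process.name == "node" and process.args == "-e" and process.args : "*spawn*sh*" and process.args : "*connect*") or
+(process.name : ("awk", "gawk", "mawk", "nawk") and process.args : "*/inet/tcp/*") or
+(process.name in ("rvim", "vim", "vimdiff", "rview", "view") and process.args == "-c" and process.args : "*socket*")
+) and
+not (
+process.args in ("/usr/bin/pg_ctlcluster", "/usr/bin/pveproxy", "/usr/sbin/pveum", "/usr/bin/pveupdate") or
+process.executable like ("/usr/local/cpanel/*/bin/perl", "/opt/puppetlabs/puppet/bin/ruby")
 )
 ] by process.entity_id
 [network where host.os.type == "linux" and event.action == "connection_attempted" and event.type == "start" and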
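Review bot: The bare `"awk"` entry kept in the broad `process.name in (...)` list on new line 67 makes the narrowed awk clause on new line 83 (`process.name : ("awk", "gawk", "mawk", "nawk") and process.args : "*/inet/tcp/*"`) redundant for `awk` while it still constrains `gawk`/`mawk`/`nawk`, so any awk script a systemd unit starts still satisfies the process leg regardless of its arguments. If this tuning is meant to require the `/inet/tcp/` indicator, change line 67 to `"nohup", "setsid", "xterm", "telnet"`; if awk is meant to stay broad, the other awk flavours presumably should be too and line 83 can go. The `node` branch on line 82 is also the only interpreter matched with an exact `process.name == "node"` rather than a wildcard like `python*`/`perl*`; if distributions that install the binary under another name (e.g. `nodejs`) are in scope, `process.name : "node*"` would be consistent with the rest, though I have not confirmed the endpoint reports it that way. The sequence's network leg beginning on new line 92 continues outside the hunk.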
