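--- /dev/null
+++ b/PATH_NOT_SHOWN_ON_PAGE.toml
@@ -0,0 +1,98 @@
+[metadata]
+creation_date = "2024/12/16"
+integration = ["endpoint"]
+maturity = "production"
+updated_date = "2024/12/16"
+
+[rule]
+author = ["Elastic"]
+description = """
+This rule detects the creation of an unusual SSHD child process through the usage of the `new_terms` rule type.
+Attackers may abuse SSH to maintain persistence on a compromised system, or to establish a backdoor for remote access,
+potentially resulting in an unusual SSHD child process being created.
+"""
+from = "now-9m"
+index = ["logs-endpoint.events.process*"]
+language = "kql"
+license = "Elastic License v2"
+name = "Unusual SSHD Child Process"
+references = ["https://hadess.io/the-art-of-linux-persistence/"]
+risk_score = 47
+rule_id = "4c3c6c47-e38f-4944-be27-5c80be973bd7"
+severity = "medium"
+tags = [
+ "Domain: Endpoint",
+ "OS: Linux",
+ "Use Case: Threat Detection",
+ "Tactic: Persistence",
+ "Data Source: Elastic Defend"
+]
+timestamp_override = "event.ingested"
+type = "new_terms"
+query = '''
+event.category:process and host.os.type:linux and event.type:start and event.action:exec and
+process.parent.name:(ssh or sshd) and process.args_count:2 and
+not process.command_line:(-bash or -zsh or -sh)
+'''
+
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+
+[[rule.threat.technique]]
+id = "T1546"
+name = "Event Triggered Execution"
+reference = "https://attack.mitre.org/techniques/T1546/"
+
+[[rule.threat.technique.subtechnique]]
+id = "T1546.004"
+name = "Unix Shell Configuration Modification"
+reference = "https://attack.mitre.org/techniques/T1546/004/"
+
+[rule.threat.tactic]
+id = "TA0003"
+name = "Persistence"
+reference = "https://attack.mitre.org/tactics/TA0003/"
+
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+
+[[rule.threat.technique]]
+id = "T1021"
+name = "Remote Services"
+reference = "https://attack.mitre.org/techniques/T1021/"
+
+[[rule.threat.technique.subtechnique]]
+id = "T1021.004"
+name = "SSH"
+reference = "https://attack.mitre.org/techniques/T1021/004/"
+
+[[rule.threat.technique]]
+id = "T1563"
+name = "Remote Service Session Hijacking"
+reference = "https://attack.mitre.org/techniques/T1563/"
+
+[[rule.threat.technique.subtechnique]]
+id = "T1563.001"
+name = "SSH Hijacking"
+reference = "https://attack.mitre.org/techniques/T1563/001/"
+
+[rule.threat.tactic]
+id = "TA0008"
+name = "Lateral Movement"
+reference = "https://attack.mitre.org/tactics/TA0008/"
+
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+
+[rule.threat.tactic]
+id = "TA0011"
+name = "Command and Control"
+reference = "https://attack.mitre.org/tactics/TA0011/"
+
+[rule.new_terms]
+field = "new_terms_fields"
+value = ["process.executable"]
+
+[[rule.new_terms.history_window_start]]
+field = "history_window_start"
+value = "now-14d"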
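Review bot: The `[rule]` table ships with no `note` (investigation guide) and no `false_positives` entry, so an analyst triaging a new-terms hit on `process.executable` has only the three-line `description` to work from. The query is prone to benign noise that such a field should name up front: `process.parent.name:(ssh or sshd)` also matches children of the local `ssh` client, and the `not process.command_line:(-bash or -zsh or -sh)` exclusion leaves out other login shells, so each unseen shell or client-side helper fires once per host until the 14-day baseline has seen it. Suggested addition under `severity`: `false_positives = ["Login shells other than bash, zsh or sh, and helper programs started by the local ssh client, are reported the first time they are seen on a host within the 14-day history window."]`, plus a `note` describing triage steps (confirm the `process.executable` is a packaged or administrator-installed binary, review the user and the parent SSH session, and check for recent changes to shell startup files in line with the T1546.004 mapping). The `history_window_start` value `now-14d` and the `args_count:2` restriction are also undocumented; a one-line `# 14-day baseline keeps first-seen alerts to genuinely new executables` style comment above `[rule.new_terms]` would record the intent, presumably a trade-off between baseline completeness and time-to-detect.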