Suspicious Network Connection Attempt by Root

Identifies an outbound network connection attempt followed by a session id change as the root user by the same process entity. A root process that connects out and then becomes a new session leader (the effect of a setsid() call), and that is not the SSH client, sshd or systemd, is abnormal and should be investigated, as it may indicate reverse shell activity from a privileged process.

Elastic rule (View on GitHub)

[metadata]
creation_date = "2022/05/16"
deprecation_date = "2023/07/31"
integration = ["endpoint"]
maturity = "deprecated"
min_stack_comments = "New fields added: required_fields, related_integrations, setup"
min_stack_version = "8.3.0"
updated_date = "2023/07/31"

[rule]
author = ["Elastic"]
description = """
Identifies an outbound network connection attempt followed by a session id change as the root user by the same process
entity. This particular instantiation of a network connection is abnormal and should be investigated as it may indicate
a potential reverse shell activity via a privileged process.
"""
false_positives = [
    """
    False-Positives (FP) can appear if another remote terminal service is being used to connect to its listener but
    typically SSH is used in these scenarios.
    """,
]
from = "now-9m"
index = ["logs-endpoint.events.*"]
language = "eql"
license = "Elastic License v2"
name = "Suspicious Network Connection Attempt by Root"
note = """## Triage and analysis
### Investigating Connection Attempt by Non-SSH Root Session
Detection alerts from this rule indicate a strange or abnormal outbound connection attempt by a privileged process. Here are some possible avenues of investigation:
- Examine unusual and active sessions using commands such as 'last -a', 'netstat -a', and 'w -a'.
- Analyze processes and command line arguments to detect anomalous process execution that may be acting as a listener.
- Analyze anomalies in the use of files that do not normally initiate connections.
- Examine processes utilizing the network that do not normally have network communication.
"""
references = [
    "https://www.sandflysecurity.com/blog/linux-file-masquerading-and-malicious-pids-sandfly-1-2-6-update/",
    "https://twitter.com/GossiTheDog/status/1522964028284411907",
    "https://exatrack.com/public/Tricephalic_Hellkeeper.pdf",
]
risk_score = 47
rule_id = "eb6a3790-d52d-11ec-8ce9-f661ea17fbce"
severity = "medium"
tags = ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Command and Control"]
type = "eql"

query = '''
sequence by process.entity_id with maxspan=1m
[network where host.os.type == "linux" and event.type == "start" and event.action == "connection_attempted" and user.id == "0" and
    not process.executable : ("/bin/ssh", "/sbin/ssh", "/usr/lib/systemd/systemd", "/usr/sbin/sshd","/usr/bin/ssh","/usr/bin/sshpass")]
[process where host.os.type == "linux" and event.action == "session_id_change" and user.id == "0" and
    not process.executable : ("/bin/ssh", "/sbin/ssh", "/usr/lib/systemd/systemd", "/usr/sbin/sshd","/usr/bin/ssh","/usr/bin/sshpass")]
'''


[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1095"
name = "Non-Application Layer Protocol"
reference = "https://attack.mitre.org/techniques/T1095/"


[rule.threat.tactic]
id = "TA0011"
name = "Command and Control"
reference = "https://attack.mitre.org/tactics/TA0011/"
[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1548"
name = "Abuse Elevation Control Mechanism"
reference = "https://attack.mitre.org/techniques/T1548/"
[[rule.threat.technique.subtechnique]]
id = "T1548.003"
name = "Sudo and Sudo Caching"
reference = "https://attack.mitre.org/techniques/T1548/003/"



[rule.threat.tactic]
id = "TA0004"
name = "Privilege Escalation"
reference = "https://attack.mitre.org/tactics/TA0004/"
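The EQL sequence above is compact, but it helps to see each of its filters reject the cases it is meant to reject. The following is an added example, not Elastic's code: it replays the two-stage sequence in plain Python over a handful of constructed endpoint events (the field names follow ECS as the rule uses them; the entity ids, executables and timestamps are made up). It models the join on process.entity_id and the one-minute maxspan; as a simplification it keeps only the most recent stage-1 event per entity, and it treats the exclusion list as an exact path match rather than EQL's case-insensitive `:` operator.

```python
from datetime import datetime, timedelta, timezone

# Executables the rule excludes at both stages (copied from the rule's query).
SSH_EXECUTABLES = (
    "/bin/ssh", "/sbin/ssh", "/usr/lib/systemd/systemd",
    "/usr/sbin/sshd", "/usr/bin/ssh", "/usr/bin/sshpass",
)
MAXSPAN = timedelta(minutes=1)  # "sequence ... with maxspan=1m"


def event(ts, entity_id, executable, category, action, user_id="0", etype="start"):
    """Build one flattened ECS-style event. Constructed sample data, not real telemetry."""
    return {
        "@timestamp": datetime.fromisoformat(ts).replace(tzinfo=timezone.utc),
        "host.os.type": "linux",
        "process.entity_id": entity_id,
        "process.executable": executable,
        "event.category": category,
        "event.type": etype,
        "event.action": action,
        "user.id": user_id,
    }


def _root_non_ssh(ev):
    """Conditions both stages share: Linux host, uid 0, executable not on the exclusion list."""
    return (ev["host.os.type"] == "linux" and ev["user.id"] == "0"
            and ev["process.executable"] not in SSH_EXECUTABLES)


def is_connection_attempt(ev):
    """Stage 1: [network where event.type == "start" and event.action == "connection_attempted" ...]"""
    return (ev["event.category"] == "network" and ev["event.type"] == "start"
            and ev["event.action"] == "connection_attempted" and _root_non_ssh(ev))


def is_session_id_change(ev):
    """Stage 2: [process where event.action == "session_id_change" ...]"""
    return (ev["event.category"] == "process"
            and ev["event.action"] == "session_id_change" and _root_non_ssh(ev))


def find_sequences(events, maxspan=MAXSPAN):
    """Return (stage1_event, stage2_event) pairs joined on process.entity_id within maxspan.

    Events are processed in timestamp order. A stage-1 match opens a pending sequence for its
    entity id; the next stage-2 event for the same entity closes it, and the pair is reported
    only if the gap does not exceed maxspan. Simplification: a newer stage-1 event for the
    same entity replaces the pending one.
    """
    pending = {}   # process.entity_id -> stage-1 event
    matches = []
    for ev in sorted(events, key=lambda e: e["@timestamp"]):
        eid = ev["process.entity_id"]
        if is_connection_attempt(ev):
            pending[eid] = ev
        elif is_session_id_change(ev) and eid in pending:
            first = pending.pop(eid)
            if ev["@timestamp"] - first["@timestamp"] <= maxspan:
                matches.append((first, ev))
    return matches


def sample_events():
    """Constructed events: one true positive plus one case for each filter in the query."""
    return [
        # p1: root python3 connects out, then changes session id 5 s later -> should alert
        event("2023-07-31T10:00:00", "p1", "/usr/bin/python3", "network", "connection_attempted"),
        event("2023-07-31T10:00:05", "p1", "/usr/bin/python3", "process", "session_id_change", etype="change"),
        # p2: identical pattern from the ssh client -> dropped by the executable exclusion
        event("2023-07-31T10:00:00", "p2", "/usr/bin/ssh", "network", "connection_attempted"),
        event("2023-07-31T10:00:02", "p2", "/usr/bin/ssh", "process", "session_id_change", etype="change"),
        # p3: session change arrives two minutes after the connection -> outside maxspan
        event("2023-07-31T10:00:00", "p3", "/usr/bin/curl", "network", "connection_attempted"),
        event("2023-07-31T10:02:00", "p3", "/usr/bin/curl", "process", "session_id_change", etype="change"),
        # p4: unprivileged user -> user.id == "0" rejects both stages
        event("2023-07-31T10:00:00", "p4", "/usr/bin/python3", "network", "connection_attempted", user_id="1000"),
        event("2023-07-31T10:00:03", "p4", "/usr/bin/python3", "process", "session_id_change", user_id="1000", etype="change"),
        # p5: session change with no preceding connection attempt -> stage 1 never matched
        event("2023-07-31T10:00:01", "p5", "/usr/bin/bash", "process", "session_id_change", etype="change"),
    ]


if __name__ == "__main__":
    for first, second in find_sequences(sample_events()):
        print(f"ALERT entity={first['process.entity_id']} exe={first['process.executable']} "
              f"connect={first['@timestamp'].isoformat()} session_change={second['@timestamp'].isoformat()}")
```

Only the p1 pair is reported. Note what the exclusion list does and does not cover: it is matched on process.executable, so a binary copied to another path (the file-masquerading case in the first reference) is still caught, while a legitimate non-SSH remote-access agent running as root will need its own path added to the list.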

Triage and analysis

Investigating Connection Attempt by Non-SSH Root Session

Detection alerts from this rule indicate an abnormal outbound connection attempt by a privileged (root) process that is not SSH or systemd, followed by a session id change in the same process. Possible avenues of investigation:

  • Examine unusual and active sessions using commands such as 'last -a', 'netstat -a', and 'w -a'.
  • Analyze processes and command line arguments to detect anomalous process execution that may be acting as a listener.
  • Analyze anomalies in the use of files that do not normally initiate connections.
  • Examine processes utilizing the network that do not normally have network communication.
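The bullets above describe what to look for on the host but leave the mechanics to the analyst. The following is an added helper, not part of the rule or of Elastic's code, that does the last two checks directly from /proc on a Linux host: it maps ESTABLISHED sockets in /proc/net/tcp to the root-owned processes holding them and reports each process's executable and whether it is its own session leader (sid == pid, which is exactly what a setsid() call produces and what the rule's session_id_change stage is reacting to). The parsing functions take text so they can be exercised on the constructed /proc samples embedded below; live_report() reads the real /proc and needs root to see other users' file descriptors. IPv6 sockets (/proc/net/tcp6) are deliberately left out to keep the example short.

```python
import os
import re

TCP_ESTABLISHED = "01"  # st column value in /proc/net/tcp
SSH_EXECUTABLES = {"/bin/ssh", "/sbin/ssh", "/usr/lib/systemd/systemd",
                   "/usr/sbin/sshd", "/usr/bin/ssh", "/usr/bin/sshpass"}


def _decode_addr(hexaddr):
    """'0F02000A:B0F2' -> '10.0.2.15:45298' (IPv4 is printed little-endian in /proc)."""
    ip_hex, port_hex = hexaddr.split(":")
    octets = [str(int(ip_hex[i:i + 2], 16)) for i in (6, 4, 2, 0)]
    return ".".join(octets) + ":" + str(int(port_hex, 16))


def parse_proc_net_tcp(text):
    """Return {socket inode: (local, remote)} for ESTABLISHED entries of /proc/net/tcp."""
    sockets = {}
    for line in text.splitlines()[1:]:          # first line is the column header
        cols = line.split()
        if len(cols) < 10 or cols[3] != TCP_ESTABLISHED:
            continue
        sockets[int(cols[9])] = (_decode_addr(cols[1]), _decode_addr(cols[2]))
    return sockets


def parse_stat(text):
    """Extract pid, comm, ppid and session id from /proc/<pid>/stat.

    comm is parenthesised and may itself contain spaces or ')', so match it greedily and
    take the numeric fields that follow the single-character state.
    """
    m = re.match(r"(\d+) \((.*)\) (\S) (\d+) (\d+) (\d+)", text)
    pid, comm, _state, ppid, _pgrp, sid = m.groups()
    return {"pid": int(pid), "comm": comm, "ppid": int(ppid), "sid": int(sid)}


def socket_inodes(pid):
    """Socket inodes held by pid, from /proc/<pid>/fd/* links of the form 'socket:[inode]'."""
    inodes = set()
    fd_dir = f"/proc/{pid}/fd"
    try:
        for fd in os.listdir(fd_dir):
            try:
                target = os.readlink(os.path.join(fd_dir, fd))
            except OSError:
                continue
            if target.startswith("socket:["):
                inodes.add(int(target[len("socket:["):-1]))
    except OSError:
        pass  # process exited, or we lack permission on its fd directory
    return inodes


def assess(stat, exe, uid, held_inodes, established):
    """Apply the rule's host-side filters to one process; return a finding dict or None."""
    conns = [established[i] for i in sorted(held_inodes) if i in established]
    if uid != 0 or not conns or exe in SSH_EXECUTABLES:
        return None
    return {"pid": stat["pid"], "comm": stat["comm"], "exe": exe, "ppid": stat["ppid"],
            "session_leader": stat["sid"] == stat["pid"], "connections": conns}


def live_report():
    """Walk /proc on this host and return findings for root processes with established TCP sockets."""
    with open("/proc/net/tcp") as fh:
        established = parse_proc_net_tcp(fh.read())
    findings = []
    for pid in filter(str.isdigit, os.listdir("/proc")):
        try:
            with open(f"/proc/{pid}/stat") as fh:
                stat = parse_stat(fh.read())
            uid = os.stat(f"/proc/{pid}").st_uid
            exe = os.readlink(f"/proc/{pid}/exe")
        except OSError:
            continue  # short-lived process or unreadable entry
        finding = assess(stat, exe, uid, socket_inodes(pid), established)
        if finding:
            findings.append(finding)
    return findings


# Constructed samples in /proc format (fake inodes, pids and addresses), used for offline checks.
SAMPLE_NET_TCP = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 0100007F:1F90 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 12345 1 0000000000000000 100 0 0 10 0
   1: 0F02000A:B0F2 3201A8C0:115C 01 00000000:00000000 00:00000000 00000000     0        0 67890 1 0000000000000000 20 4 30 10 -1
"""
SAMPLE_STAT = "4242 (python3) S 1 4242 4242 0 -1 4194560 1000 0 0 0 5 2 0 0 20 0 1 0 98765 0 0"

if __name__ == "__main__":
    for f in live_report():
        flag = "SESSION-LEADER " if f["session_leader"] else ""
        print(f"{flag}pid={f['pid']} ppid={f['ppid']} exe={f['exe']} conns={f['connections']}")
```

A root process that is its own session leader, is not on the exclusion list, and holds an established connection to an unexpected remote port is the case to pull the command line (/proc/<pid>/cmdline), the parent chain and any open pseudo-terminals for. A session leader with ppid 1 has already been reparented, so the process that launched it is gone and process-creation telemetry from the endpoint agent is the only place left to find it.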
