Potential Linux Reverse Connection through Port Knocking
Monitors for a sequence of network activity on atypical ports, prior to receiving a single packet on such a non-standard port, which potentially indicates signal port knocking activity. Port knocking is a covert method of externally opening ports by sending a sequence of packets to previously closed ports, which adversaries may leverage to discreetly gain access without directly alerting traditional monitoring systems.
Elastic rule (View on GitHub)
1[metadata]
2bypass_bbr_timing = true
3creation_date = "2023/10/24"
4deprecation_date = "2024/02/22"
5integration = ["endpoint", "network_traffic"]
6maturity = "deprecated"
7min_stack_comments = "New fields added: required_fields, related_integrations, setup"
8min_stack_version = "8.3.0"
9updated_date = "2024/02/22"
10
11[rule]
12author = ["Elastic"]
13building_block_type = "default"
14description = """
15Monitors for a sequence of network activity on atypical ports, prior to receiving a single packet on such a non-standard
16port, which potentially indicates signal port knocking activity. Port knocking is a covert method of externally opening
17ports by sending a sequence of packets to previously closed ports, which adversaries may leverage to discreetly gain
18access without directly alerting traditional monitoring systems.
19"""
20from = "now-9m"
21index = ["logs-endpoint.events.*", "logs-network_traffic.*"]
22language = "eql"
23license = "Elastic License v2"
24name = "Potential Linux Reverse Connection through Port Knocking"
25references = ["https://github.com/f0rb1dd3n/Reptile"]
26risk_score = 21
27rule_id = "86c3157c-a951-4a4f-989b-2f0d0f1f9518"
28severity = "low"
29tags = [
30 "Domain: Endpoint",
31 "OS: Linux",
32 "Use Case: Threat Detection",
33 "Tactic: Command and Control",
34 "Data Source: Elastic Defend",
35 "Rule Type: BBR",
36]
37type = "eql"
38
39query = '''
40sequence by host.id with maxspan=10s
41 [network where host.os.type == "linux" and event.action in ("connection_accepted", "connection_attempted") and
42 event.type == "start" and process.name : "*" and (
43 process.name : (
44 "python*", "php*", "perl*", "ruby", "lua*", "openssl", "nc", "netcat", "ncat", "telnet",
45 "awk", "gawk", "mawk", "nawk", "bash", "dash", "sh", "tcsh", "csh", "zsh", "ksh"
46 ) or not process.executable : ("/usr/bin/*", "/bin/*")
47 ) and not (
48 cidrmatch(destination.ip, "127.0.0.0/8", "169.254.0.0/16", "224.0.0.0/4", "::1") or destination.port in (
49 20, 21, 22, 23, 25, 53, 67, 68, 69, 80, 110, 123, 137, 138, 139, 143, 161, 162, 179, 443, 445, 465, 514, 515,
50 587,636, 989, 990, 993, 995, 1025, 1026, 1080, 1194, 1433, 1434, 1521, 1701, 1723, 1812, 1813, 2082, 2083, 2086,
51 2087, 2095, 2096, 2121, 2483, 2484, 3306, 3389, 3478, 3497, 3544, 3689, 3784, 3785, 389, 3998, 5060, 5061, 5190,
52 5222, 5223, 5228, 5432, 5500, 554, 5631, 5632, 5800, 5801, 5900, 5901, 8000, 8008, 8080, 8081, 8443, 8888, 9100,
53 9200, 9443, 10000
54 ) or source.port in (
55 20, 21, 22, 23, 25, 53, 67, 68, 69, 80, 110, 123, 137, 138, 139, 143, 161, 162, 179, 443, 445, 465, 514, 515,
56 587, 636, 989, 990, 993, 995, 1025, 1026, 1080, 1194, 1433, 1434, 1521, 1701, 1723, 1812, 1813, 2082, 2083, 2086,
57 2087, 2095, 2096, 2121, 2483, 2484, 3306, 3389, 3478, 3497, 3544, 3689, 3784, 3785, 389, 3998, 5060, 5061, 5190,
58 5222, 5223, 5228, 5432, 5500, 554, 5631, 5632, 5800, 5801, 5900, 5901, 8000, 8008, 8080, 8081, 8443, 8888, 9100,
59 9200, 9443, 10000)
60 )
61 ] by destination.ip
62 [network where event.dataset == "network_traffic.flow" and host.os.type == "linux" and event.action == "network_flow"
63 and event.type == "connection" and source.packets == 1 and flow.final == false and not (
64 cidrmatch(destination.ip, "127.0.0.0/8", "169.254.0.0/16", "224.0.0.0/4", "::1") or destination.port in (
65 20, 21, 22, 23, 25, 53, 67, 68, 69, 80, 110, 123, 137, 138, 139, 143, 161, 162, 179, 443, 445, 465, 514, 515,
66 587,636, 989, 990, 993, 995, 1025, 1026, 1080, 1194, 1433, 1434, 1521, 1701, 1723, 1812, 1813, 2082, 2083, 2086,
67 2087, 2095, 2096, 2121, 2483, 2484, 3306, 3389, 3478, 3497, 3544, 3689, 3784, 3785, 389, 3998, 5060, 5061, 5190,
68 5222, 5223, 5228, 5432, 5500, 554, 5631, 5632, 5800, 5801, 5900, 5901, 8000, 8008, 8080, 8081, 8443, 8888, 9100,
69 9200, 9443, 10000
70 ) or source.port in (
71 20, 21, 22, 23, 25, 53, 67, 68, 69, 80, 110, 123, 137, 138, 139, 143, 161, 162, 179, 443, 445, 465, 514, 515,
72 587, 636, 989, 990, 993, 995, 1025, 1026, 1080, 1194, 1433, 1434, 1521, 1701, 1723, 1812, 1813, 2082, 2083, 2086,
73 2087, 2095, 2096, 2121, 2483, 2484, 3306, 3389, 3478, 3497, 3544, 3689, 3784, 3785, 389, 3998, 5060, 5061, 5190,
74 5222, 5223, 5228, 5432, 5500, 554, 5631, 5632, 5800, 5801, 5900, 5901, 8000, 8008, 8080, 8081, 8443, 8888, 9100,
75 9200, 9443, 10000)
76 )
77 ] by source.ip
78'''
79
80
81[[rule.threat]]
82framework = "MITRE ATT&CK"
83[[rule.threat.technique]]
84id = "T1205"
85name = "Traffic Signaling"
86reference = "https://attack.mitre.org/techniques/T1205/"
87[[rule.threat.technique.subtechnique]]
88id = "T1205.001"
89name = "Port Knocking"
90reference = "https://attack.mitre.org/techniques/T1205/001/"
91
92
93[[rule.threat.technique]]
94id = "T1571"
95name = "Non-Standard Port"
96reference = "https://attack.mitre.org/techniques/T1571/"
97
98
99[rule.threat.tactic]
100id = "TA0011"
101name = "Command and Control"
102reference = "https://attack.mitre.org/tactics/TA0011/"
103[[rule.threat]]
104framework = "MITRE ATT&CK"
105
106[rule.threat.tactic]
107id = "TA0005"
108name = "Defense Evasion"
109reference = "https://attack.mitre.org/tactics/TA0005/"
References
-
LKM Linux rootkit. Contribute to f0rb1dd3n/Reptile development by creating an account on GitHub.
Read More
Related rules
- Deprecated - Potential DNS Tunneling via Iodine
- Potential Non-Standard Port SSH connection
- UID Elevation from Previously Unknown Executable
- Potential Persistence Through Systemd-udevd
- Potential Suspicious File Edit