PPTP (Point to Point Tunneling Protocol) Activity

This rule detects events that may indicate use of a PPTP VPN connection. Some threat actors use these types of connections to tunnel their traffic while avoiding detection. The query matches only the TCP/1723 control channel; the tunnelled payload is carried over GRE (IP protocol 47), which has no ports and is not covered by this rule. Note that the rule is deprecated (deprecation date 2021/04/15, see the metadata below).

Elastic rule (View on GitHub)

[metadata]
creation_date = "2020/02/18"
deprecation_date = "2021/04/15"
maturity = "deprecated"
updated_date = "2021/04/15"

[rule]
author = ["Elastic"]
description = """
This rule detects events that may indicate use of a PPTP VPN connection. Some threat actors use these types of
connections to tunnel their traffic while avoiding detection.
"""
false_positives = [
    """
    Some networks may utilize PPTP protocols but this is uncommon as more modern VPN technologies are available. Usage
    that is unfamiliar to local network administrators can be unexpected and suspicious. Torrenting applications may use
    this port. Because this port is in the ephemeral range, this rule may false under certain conditions, such as when
    an application server replies to a client that used this port by coincidence. This is uncommon but such servers can
    be excluded.
    """,
]
from = "now-9m"
index = ["filebeat-*", "packetbeat-*", "logs-endpoint.events.*"]
language = "kuery"
license = "Elastic License v2"
name = "PPTP (Point to Point Tunneling Protocol) Activity"
risk_score = 21
rule_id = "d2053495-8fe7-4168-b3df-dad844046be3"
severity = "low"
tags = ["Elastic", "Host", "Network", "Threat Detection", "Command and Control"]
timestamp_override = "event.ingested"
type = "query"

query = '''
event.category:(network or network_traffic) and network.transport:tcp and destination.port:1723
'''


[[rule.threat]]
framework = "MITRE ATT&CK"

[rule.threat.tactic]
id = "TA0011"
name = "Command and Control"
reference = "https://attack.mitre.org/tactics/TA0011/"
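
To make the query's behaviour concrete, the following is an added example (not code from Elastic or the detection-rules repository) that re-implements the rule's KQL predicate in plain Python and runs it over a few constructed ECS-style events. The events, IP addresses and event IDs are invented for the demo; the exclusion list models the "such servers can be excluded" tuning the false_positives note suggests, and one event shows why the GRE data channel never matches.

```python
"""Added example, not part of the Elastic rule: a Python mirror of
    event.category:(network or network_traffic) and network.transport:tcp and destination.port:1723
run over constructed ECS-style events (flattened to dotted keys)."""

from typing import Iterable, List, Set

# PPTP control channel. The tunnelled payload uses GRE (IP protocol 47),
# which carries no port numbers, so the rule never sees it.
PPTP_CONTROL_PORT = 1723


def matches_pptp_rule(event: dict) -> bool:
    """Return True if the rule's KQL predicate would match this event.

    ECS event.category is an array; KQL `field:value` matches when any
    element equals the value, which is what the any() below reproduces."""
    categories = event.get("event.category", [])
    if isinstance(categories, str):
        categories = [categories]
    if not any(c in ("network", "network_traffic") for c in categories):
        return False
    if event.get("network.transport") != "tcp":
        return False
    return event.get("destination.port") == PPTP_CONTROL_PORT


def find_pptp_alerts(events: Iterable[dict], excluded_source_ips: Set[str] = frozenset()) -> List[str]:
    """Return event.id for every event the rule alerts on, skipping traffic
    whose source.ip an analyst has excluded (assumed tuning, see lead-in)."""
    return [
        e["event.id"]
        for e in events
        if matches_pptp_rule(e) and e.get("source.ip") not in excluded_source_ips
    ]


# Constructed sample events; not real telemetry.
SAMPLE_EVENTS = [
    {   # genuine PPTP control-channel connection from a workstation: rule fires
        "event.id": "ev-1", "event.category": ["network"], "network.transport": "tcp",
        "source.ip": "10.0.0.5", "source.port": 51234,
        "destination.ip": "203.0.113.10", "destination.port": 1723,
    },
    {   # same destination port over UDP: rule requires tcp, no match
        "event.id": "ev-2", "event.category": ["network"], "network.transport": "udp",
        "source.ip": "10.0.0.5", "source.port": 51235,
        "destination.ip": "203.0.113.10", "destination.port": 1723,
    },
    {   # internal web server replying to a client that happened to use 1723 as its
        # ephemeral source port: the rule fires, which is the false positive the
        # rule text describes, and the server is what you would exclude
        "event.id": "ev-3", "event.category": ["network_traffic"], "network.transport": "tcp",
        "source.ip": "10.0.0.80", "source.port": 443,
        "destination.ip": "10.0.0.23", "destination.port": 1723,
    },
    {   # the PPTP data channel itself (GRE) has no ports: never matches
        "event.id": "ev-4", "event.category": ["network"], "network.transport": "gre",
        "network.iana_number": "47",
        "source.ip": "10.0.0.5", "destination.ip": "203.0.113.10",
    },
    {   # non-network category: rejected before the port is even checked
        "event.id": "ev-5", "event.category": ["process"], "network.transport": "tcp",
        "destination.port": 1723,
    },
]

if __name__ == "__main__":
    print("rule hits:", find_pptp_alerts(SAMPLE_EVENTS))
    print("after excluding 10.0.0.80:", find_pptp_alerts(SAMPLE_EVENTS, {"10.0.0.80"}))
```

Running it shows the rule alerting on ev-1 (real PPTP) and ev-3 (the coincidental reply), and only on ev-1 once the web server is excluded. The GRE event ev-4 is the practical gap to keep in mind: if you need the tunnel itself rather than its setup, you need a separate query on network.transport or network.iana_number, which this rule does not provide.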
