EggShell Backdoor Execution
Identifies the execution of an EggShell Backdoor. EggShell is a known post-exploitation tool for macOS and Linux.
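[metadata]
creation_date = "2021/01/12"
integration = ["endpoint"]
maturity = "production"
updated_date = "2024/05/21"

[rule]
author = ["Elastic"]
description = "Identifies the execution of an EggShell Backdoor. EggShell is a known post exploitation tool for macOS and Linux."
# Lookback window per run; `timestamp_override` below keys that window to
# event.ingested (ingest time) rather than the event's own @timestamp.
from = "now-9m"
# NOTE(review): auditbeat-* is searched as well, although `integration` and the
# "Data Source" tag only name Elastic Defend / endpoint — confirm this is intended.
index = ["auditbeat-*", "logs-endpoint.events.*"]
language = "kuery"
license = "Elastic License v2"
name = "EggShell Backdoor Execution"
references = ["https://github.com/neoneggplant/EggShell"]
risk_score = 73
rule_id = "41824afb-d68c-4d0e-bfee-474dac1fa56e"
severity = "high"
tags = [
  "Domain: Endpoint",
  "OS: Linux",
  "OS: macOS",
  "Use Case: Threat Detection",
  "Tactic: Execution",
  "Data Source: Elastic Defend",
]
timestamp_override = "event.ingested"
type = "query"

# Signature match on two literal defaults of the EggShell payload: the process
# name `espl` and an argument starting with the base64 prefix `eyJkZWJ1ZyI6`,
# which decodes to `{"debug":` — presumably the start of the JSON configuration
# string handed to the payload. Because both predicates are literal, this is a
# high-precision signature; it gives no coverage for variants that change either
# value, so pair it with behavioural rules rather than relying on it alone.
# The two event.type values presumably cover the auditbeat (`process_started`)
# and endpoint (`start`) event schemas respectively.
query = '''
event.category:process and event.type:(process_started or start) and process.name:espl and process.args:eyJkZWJ1ZyI6*
'''

[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1059"
name = "Command and Scripting Interpreter"
reference = "https://attack.mitre.org/techniques/T1059/"
[[rule.threat.technique.subtechnique]]
id = "T1059.006"
name = "Python"
reference = "https://attack.mitre.org/techniques/T1059/006/"

[rule.threat.tactic]
id = "TA0002"
name = "Execution"
reference = "https://attack.mitre.org/tactics/TA0002/"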