EggShell Backdoor Execution

calendar Sep 5, 2023 · Domain: Endpoint OS: Linux OS: macOS Use Case: Threat Detection Tactic: Execution Data Source: Elastic Defend  ·
Share on: linkedin copy

Identifies the execution of and EggShell Backdoor. EggShell is a known post exploitation tool for macOS and Linux.

Elastic rule (View on GitHub)

 1[metadata]
 2creation_date = "2021/01/12"
 3integration = ["endpoint"]
 4maturity = "production"
 5min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 6min_stack_version = "8.3.0"
 7updated_date = "2023/06/22"
 8
 9[rule]
10author = ["Elastic"]
11description = "Identifies the execution of and EggShell Backdoor. EggShell is a known post exploitation tool for macOS and Linux."
12from = "now-9m"
13index = ["auditbeat-*", "logs-endpoint.events.*"]
14language = "kuery"
15license = "Elastic License v2"
16name = "EggShell Backdoor Execution"
17references = ["https://github.com/neoneggplant/EggShell"]
18risk_score = 73
19rule_id = "41824afb-d68c-4d0e-bfee-474dac1fa56e"
20severity = "high"
21tags = ["Domain: Endpoint", "OS: Linux", "OS: macOS", "Use Case: Threat Detection", "Tactic: Execution", "Data Source: Elastic Defend"]
22timestamp_override = "event.ingested"
23type = "query"
24
25query = '''
26event.category:process and event.type:(process_started or start) and process.name:espl and process.args:eyJkZWJ1ZyI6*
27'''
28
29
30[[rule.threat]]
31framework = "MITRE ATT&CK"
32[[rule.threat.technique]]
33id = "T1059"
34name = "Command and Scripting Interpreter"
35reference = "https://attack.mitre.org/techniques/T1059/"
36[[rule.threat.technique.subtechnique]]
37id = "T1059.006"
38name = "Python"
39reference = "https://attack.mitre.org/techniques/T1059/006/"
40
41
42
43[rule.threat.tactic]
44id = "TA0002"
45name = "Execution"
46reference = "https://attack.mitre.org/tactics/TA0002/"

References

Related rules

to-top