IPv4/IPv6 Forwarding Activity

 1[metadata]
 2creation_date = "2024/11/04"
 3integration = ["endpoint"]
 4maturity = "production"
 5updated_date = "2024/11/04"
 6
 7[rule]
 8author = ["Elastic"]
 9description = """
10This rule monitors for the execution of commands that enable IPv4 and IPv6 forwarding on Linux systems. Enabling IP
11forwarding can be used to route network traffic between different network interfaces, potentially allowing attackers to
12pivot between networks, exfiltrate data, or establish command and control channels.
13"""
14from = "now-9m"
15index = ["logs-endpoint.events.*"]
16language = "eql"
17license = "Elastic License v2"
18name = "IPv4/IPv6 Forwarding Activity"
19risk_score = 21
20rule_id = "5a138e2e-aec3-4240-9843-56825d0bc569"
21severity = "low"
22tags = [
23    "Domain: Endpoint",
24    "OS: Linux",
25    "Use Case: Threat Detection",
26    "Tactic: Command and Control",
27    "Data Source: Elastic Defend",
28]
29timestamp_override = "event.ingested"
30type = "eql"
31query = '''
32process where host.os.type == "linux" and event.type == "start" and event.action == "exec" and
33process.parent.executable != null and process.command_line like (
34  "*net.ipv4.ip_forward*", "*/proc/sys/net/ipv4/ip_forward*", "*net.ipv6.conf.all.forwarding*",
35  "*/proc/sys/net/ipv6/conf/all/forwarding*"
36) and (
37  (process.name == "sysctl" and process.args like ("*-w*", "*--write*", "*=*")) or
38  (
39    process.name in ("bash", "dash", "sh", "tcsh", "csh", "zsh", "ksh", "fish") and process.args == "-c" and
40    process.command_line like "*echo *"
41  )
42)
43'''
44
45[[rule.threat]]
46framework = "MITRE ATT&CK"
47
48[[rule.threat.technique]]
49id = "T1572"
50name = "Protocol Tunneling"
51reference = "https://attack.mitre.org/techniques/T1572/"
52
53[rule.threat.tactic]
54id = "TA0011"
55name = "Command and Control"
56reference = "https://attack.mitre.org/tactics/TA0011/"