IPv4/IPv6 Forwarding Activity

 1[metadata]
 2creation_date = "2024/11/04"
 3integration = ["endpoint", "sentinel_one_cloud_funnel"]
 4maturity = "production"
 5updated_date = "2025/03/20"
 6
 7[rule]
 8author = ["Elastic"]
 9description = """
10This rule monitors for the execution of commands that enable IPv4 and IPv6 forwarding on Linux systems. Enabling IP
11forwarding can be used to route network traffic between different network interfaces, potentially allowing attackers to
12pivot between networks, exfiltrate data, or establish command and control channels.
13"""
14from = "now-9m"
15index = ["endgame-*", "logs-endpoint.events.process*", "logs-sentinel_one_cloud_funnel.*"]
16language = "eql"
17license = "Elastic License v2"
18name = "IPv4/IPv6 Forwarding Activity"
19note = """## Triage and analysis
20
21> **Disclaimer**:
22> This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs.
23
24### Investigating IPv4/IPv6 Forwarding Activity
25
26IPv4/IPv6 forwarding allows a Linux system to route traffic between network interfaces, facilitating network communication. While essential for legitimate network operations, adversaries can exploit this capability to pivot across networks, exfiltrate data, or maintain control channels. The detection rule identifies suspicious command executions that enable IP forwarding, focusing on specific command patterns and processes, thus highlighting potential misuse.
27
28### Possible investigation steps
29
30- Review the process command line details to understand the context in which IP forwarding was enabled, focusing on the specific command patterns identified in the alert.
31- Identify the parent process of the suspicious command execution using the process.parent.executable field to determine if it was initiated by a legitimate or potentially malicious process.
32- Check the user account associated with the process execution to assess if the action was performed by an authorized user or if there are signs of compromised credentials.
33- Investigate recent network activity on the host to identify any unusual traffic patterns or connections that could indicate data exfiltration or lateral movement.
34- Correlate the alert with other security events or logs from the same host or network segment to identify any related suspicious activities or patterns.
35- Assess the system's current configuration and network topology to determine if enabling IP forwarding could have been part of a legitimate administrative task or if it poses a security risk.
36
37### False positive analysis
38
39- Routine administrative tasks may trigger the rule when system administrators enable IP forwarding for legitimate network configuration purposes. To manage this, create exceptions for known administrative scripts or processes that regularly perform these actions.
40- Automated scripts or configuration management tools like Ansible or Puppet might execute commands that match the rule's criteria. Identify these tools and exclude their processes from the rule to prevent false alerts.
41- Network testing or troubleshooting activities often require temporary enabling of IP forwarding. Document and exclude these activities when performed by trusted users or during scheduled maintenance windows.
42- Virtualization or container orchestration platforms may enable IP forwarding as part of their normal operations. Recognize these platforms and adjust the rule to ignore their specific processes or command patterns.
43- Security tools or network monitoring solutions might also enable IP forwarding for analysis purposes. Verify these tools and exclude their processes to avoid unnecessary alerts.
44
45### Response and remediation
46
47- Immediately isolate the affected Linux system from the network to prevent further unauthorized access or data exfiltration.
48- Terminate any suspicious processes identified by the detection rule, particularly those enabling IP forwarding, to halt potential lateral movement or data exfiltration.
49- Conduct a thorough review of network traffic logs to identify any unusual or unauthorized connections that may indicate command and control activity.
50- Revert any unauthorized changes to system configurations, specifically those related to IP forwarding settings, to restore the system to its secure state.
51- Escalate the incident to the security operations team for further investigation and to determine if additional systems are compromised.
52- Implement network segmentation to limit the ability of attackers to pivot between networks in the future.
53- Enhance monitoring and alerting for similar suspicious activities by tuning detection systems to recognize patterns associated with IP forwarding misuse."""
54risk_score = 21
55rule_id = "5a138e2e-aec3-4240-9843-56825d0bc569"
56severity = "low"
57tags = [
58    "Domain: Endpoint",
59    "OS: Linux",
60    "Use Case: Threat Detection",
61    "Tactic: Command and Control",
62    "Data Source: Elastic Defend",
63    "Data Source: SentinelOne",
64    "Data Source: Elastic Endgame",
65    "Resources: Investigation Guide",
66]
67timestamp_override = "event.ingested"
68type = "eql"
69
70query = '''
71process where host.os.type == "linux" and event.type == "start" and event.action in ("exec", "start", "exec_event") and
72process.parent.executable != null and process.command_line like (
73  "*net.ipv4.ip_forward*", "*/proc/sys/net/ipv4/ip_forward*", "*net.ipv6.conf.all.forwarding*",
74  "*/proc/sys/net/ipv6/conf/all/forwarding*"
75) and (
76  (process.name == "sysctl" and process.args like ("*-w*", "*--write*", "*=*")) or
77  (
78    process.name in ("bash", "dash", "sh", "tcsh", "csh", "zsh", "ksh", "fish") and process.args == "-c" and
79    process.command_line like "*echo *"
80  )
81) and
82not process.parent.name like~ ("privsep-helper", "platform-python*", "init.ipv6-global", "wsl-bootstrap")
83'''
84
85
86[[rule.threat]]
87framework = "MITRE ATT&CK"
88[[rule.threat.technique]]
89id = "T1572"
90name = "Protocol Tunneling"
91reference = "https://attack.mitre.org/techniques/T1572/"
92
93
94[rule.threat.tactic]
95id = "TA0011"
96name = "Command and Control"
97reference = "https://attack.mitre.org/tactics/TA0011/"