Potential Protocol Tunneling via Chisel Client

This rule monitors for common command line flags leveraged by the Chisel client utility followed by a connection attempt. Chisel is a command-line utility used for creating and managing TCP and UDP tunnels, enabling port forwarding and secure communication between machines. Attackers can abuse the Chisel utility to establish covert communication channels, bypass network restrictions, and carry out malicious activities by creating tunnels that allow unauthorized access to internal systems.


 1[metadata]
 2creation_date = "2023/08/23"
 3integration = ["endpoint"]
 4maturity = "production"
 5min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 6min_stack_version = "8.3.0"
 7updated_date = "2023/08/23"
 8
 9[rule]
10author = ["Elastic"]
11description = """
12This rule monitors for common command line flags leveraged by the Chisel client utility followed by a connection attempt.
13Chisel is a command-line utility used for creating and managing TCP and UDP tunnels, enabling port forwarding and secure
14communication between machines. Attackers can abuse the Chisel utility to establish covert communication channels, bypass
15network restrictions, and carry out malicious activities by creating tunnels that allow unauthorized access to internal
16systems.
17"""
18from = "now-9m"
19index = ["logs-endpoint.events.*"]
20language = "eql"
21license = "Elastic License v2"
22name = "Potential Protocol Tunneling via Chisel Client"
23references = [
24    "https://blog.bitsadmin.com/living-off-the-foreign-land-windows-as-offensive-platform",
25    "https://book.hacktricks.xyz/generic-methodologies-and-resources/tunneling-and-port-forwarding"
26    ]
27risk_score = 47
28rule_id = "3f12325a-4cc6-410b-8d4c-9fbbeb744cfd"
29severity = "medium"
30tags = ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Command and Control", "Data Source: Elastic Defend"]
31type = "eql"
32query = '''
33sequence by host.id, process.entity_id with maxspan=1s
34  [process where host.os.type == "linux" and event.action == "exec" and event.type == "start" and 
35   process.args == "client" and process.args : ("R*", "*:*", "*socks*", "*.*") and process.args_count >= 4 and 
36   process.parent.name in ("bash", "dash", "ash", "sh", "tcsh", "csh", "zsh", "ksh", "fish")]
37  [network where host.os.type == "linux" and event.action == "connection_attempted" and event.type == "start" and 
38   destination.ip != null and destination.ip != "127.0.0.1" and destination.ip != "::1" and 
39   not process.name : (
40     "python*", "php*", "perl", "ruby", "lua*", "openssl", "nc", "netcat", "ncat", "telnet", "awk", "java", "telnet",
41     "ftp", "socat", "curl", "wget", "dpkg", "docker", "dockerd", "yum", "apt", "rpm", "dnf", "ssh", "sshd")]
42'''
43
[[rule.threat]]
framework = "MITRE ATT&CK"

# Tactic and technique below are sub-tables of the single [[rule.threat]]
# element above, so they must stay between it and any following [[rule.threat]].
[rule.threat.tactic]
id = "TA0011"
name = "Command and Control"
reference = "https://attack.mitre.org/tactics/TA0011/"

[[rule.threat.technique]]
id = "T1572"
name = "Protocol Tunneling"
reference = "https://attack.mitre.org/techniques/T1572/"
