Potential Protocol Tunneling via Chisel Server
This rule monitors for common command line flags leveraged by the Chisel server utility followed by a received connection within a timespan of 1 minute. Chisel is a command-line utility used for creating and managing TCP and UDP tunnels, enabling port forwarding and secure communication between machines. Attackers can abuse the Chisel utility to establish covert communication channels, bypass network restrictions, and carry out malicious activities by creating tunnels that allow unauthorized access to internal systems.
[metadata]
# Bookkeeping for the detection-rules tooling. Dates are kept as "YYYY/MM/DD"
# strings rather than native TOML dates, matching the other rules in this set.
creation_date = "2023/08/23"
integration = ["endpoint"]
maturity = "production"
min_stack_comments = "New fields added: required_fields, related_integrations, setup"
# Oldest stack version the rule is expected to load on.
min_stack_version = "8.3.0"
updated_date = "2023/08/23"
8
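[rule]
author = ["Elastic"]
description = """
This rule monitors for common command line flags leveraged by the Chisel server utility followed by a received connection
within a timespan of 1 minute. Chisel is a command-line utility used for creating and managing TCP and UDP tunnels,
enabling port forwarding and secure communication between machines. Attackers can abuse the Chisel utility to establish
covert communication channels, bypass network restrictions, and carry out malicious activities by creating tunnels that
allow unauthorized access to internal systems.
"""
# Look-back window for each rule run; it is wider than the 1m sequence span,
# presumably so a pair of events split across two runs is still evaluated.
from = "now-9m"
index = ["logs-endpoint.events.*"]
language = "eql"
license = "Elastic License v2"
name = "Potential Protocol Tunneling via Chisel Server"
references = [
    "https://blog.bitsadmin.com/living-off-the-foreign-land-windows-as-offensive-platform",
    "https://book.hacktricks.xyz/generic-methodologies-and-resources/tunneling-and-port-forwarding",
]
risk_score = 47
rule_id = "ac8805f6-1e08-406c-962e-3937057fa86f"
severity = "medium"
tags = ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Command and Control", "Data Source: Elastic Defend"]
type = "eql"
# Two-stage sequence joined on host.id and process.entity_id, so both events must
# come from the same process on the same host:
#   1. an exec from an interactive shell whose argv contains "server" plus one of
#      the listener-related Chisel flags. Matching is on arguments, not
#      process.name, so a renamed binary still satisfies this stage;
#   2. within 1 minute, that process accepts an inbound connection that is not
#      to a loopback address. Interpreters, package managers and common network
#      utilities are excluded in this stage to limit noise from ordinary
#      listeners started from a shell.
# A duplicate "telnet" entry in the exclusion list has been removed; the list is
# otherwise unchanged.
query = '''
sequence by host.id, process.entity_id with maxspan=1m
  [process where host.os.type == "linux" and event.action == "exec" and event.type == "start" and
   process.args == "server" and process.args in ("--port", "-p", "--reverse", "--backend", "--socks5") and
   process.args_count >= 3 and process.parent.name in ("bash", "dash", "ash", "sh", "tcsh", "csh", "zsh", "ksh", "fish")]
  [network where host.os.type == "linux" and event.action == "connection_accepted" and event.type == "start" and
   destination.ip != null and destination.ip != "127.0.0.1" and destination.ip != "::1" and
   not process.name : (
     "python*", "php*", "perl", "ruby", "lua*", "openssl", "nc", "netcat", "ncat", "telnet", "awk", "java",
     "ftp", "socat", "curl", "wget", "dpkg", "docker", "dockerd", "yum", "apt", "rpm", "dnf", "ssh", "sshd", "hugo")]
'''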
43
# ATT&CK mapping: the technique this rule detects and the tactic it belongs to.
[[rule.threat]]
framework = "MITRE ATT&CK"

[[rule.threat.technique]]
id = "T1572"
name = "Protocol Tunneling"
reference = "https://attack.mitre.org/techniques/T1572/"

[rule.threat.tactic]
id = "TA0011"
name = "Command and Control"
reference = "https://attack.mitre.org/tactics/TA0011/"
Related rules
- Potential Linux Tunneling and/or Port Forwarding
- Potential Protocol Tunneling via Chisel Client
- Suspicious Utility Launched via ProxyChains
- Suspicious Network Connection Attempt by Root
- Potential Malicious File Downloaded from Google Drive