Potential Linux Tunneling and/or Port Forwarding
This rule monitors for a set of Linux utilities that can be used for tunneling and port forwarding. Attackers can leverage tunneling and port forwarding techniques to bypass network defenses, establish hidden communication channels, and gain unauthorized access to internal resources, facilitating data exfiltration, lateral movement, and remote control.
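[metadata]
creation_date = "2023/08/23"
integration = ["endpoint"]
maturity = "production"
min_stack_comments = "New fields added: required_fields, related_integrations, setup"
min_stack_version = "8.3.0"
# Bump updated_date whenever the query below is changed so consumers can tell the logic moved.
updated_date = "2023/08/23"

[rule]
author = ["Elastic"]
description = """
This rule monitors for a set of Linux utilities that can be used for tunneling and port forwarding. Attackers can
leverage tunneling and port forwarding techniques to bypass network defenses, establish hidden communication channels,
and gain unauthorized access to internal resources, facilitating data exfiltration, lateral movement, and remote control.
"""
from = "now-9m"
index = ["logs-endpoint.events.*"]
language = "eql"
license = "Elastic License v2"
name = "Potential Linux Tunneling and/or Port Forwarding"
references = [
    "https://blog.bitsadmin.com/living-off-the-foreign-land-windows-as-offensive-platform",
    "https://book.hacktricks.xyz/generic-methodologies-and-resources/tunneling-and-port-forwarding"
]
risk_score = 47
rule_id = "6ee947e9-de7e-4281-a55d-09289bdf947e"
severity = "medium"
tags = ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Command and Control", "Data Source: Elastic Defend"]
timestamp_override = "event.ingested"
type = "eql"
# Coverage caveat: every branch keys on process.name, so a tunneling binary that has been copied or renamed to an
# innocuous name is not matched. Treat this rule as one layer; pair it with hash/signature-based and network-egress
# detections rather than relying on the process name alone.
query = '''
process where host.os.type == "linux" and event.action == "exec" and event.type == "start" and ((
// gost & pivotnacci - these two branches are evaluated without the process.parent.name shell restriction
// that applies to every other utility below
(process.name == "gost" and process.args : ("-L*", "-C*", "-R*")) or (process.name == "pivotnacci")) or (
// ssh: -R (remote forward), -L (local forward), -D (dynamic/SOCKS forward), -w (tun forward).
// "-D" was previously listed as a bare "D", which no ssh invocation ever passes, so SOCKS pivots were missed.
// `in` is an exact, case-sensitive match on a single argv entry, so a flag fused with its value (e.g. "-D1080")
// is not matched. Do not relax this to ":" with wildcards - ":" is case-insensitive in EQL, and "-L*" would
// then also fire on the very common "-l <user>" login option.
(process.name in ("ssh", "sshd") and (process.args in ("-R", "-L", "-D", "-w") and process.args_count >= 4)) or
// sshuttle
(process.name == "sshuttle" and process.args in ("-r", "--remote", "-l", "--listen") and process.args_count >= 4) or
// socat: a listening TCP address (generic, IPv4-only or IPv6-only form) or a SOCKS address. ":" is
// case-insensitive, so lower-case spellings are covered; any abbreviated address aliases socat accepts are not.
(process.name == "socat" and process.args : ("TCP-LISTEN:*", "TCP4-LISTEN:*", "TCP6-LISTEN:*", "SOCKS*") and process.args_count >= 3) or
// chisel
(process.name : "chisel*" and process.args in ("client", "server")) or
// iodine(d), dnscat, hans, ptunnel-ng, ssf, 3proxy & ngrok - any execution of these binaries is flagged
(process.name in ("iodine", "iodined", "dnscat", "hans", "hans-ubuntu", "ptunnel-ng", "ssf", "3proxy", "ngrok"))
// Everything except gost/pivotnacci must be launched directly from a shell. This cuts false positives from
// service managers and wrappers, but a tunnel started from cron, systemd, a python/perl subprocess or via
// setsid will not have a shell parent and is therefore outside this rule's coverage.
) and process.parent.name in ("bash", "dash", "ash", "sh", "tcsh", "csh", "zsh", "ksh", "fish"))
'''

[[rule.threat]]
framework = "MITRE ATT&CK"

[[rule.threat.technique]]
id = "T1572"
name = "Protocol Tunneling"
reference = "https://attack.mitre.org/techniques/T1572/"

[rule.threat.tactic]
id = "TA0011"
name = "Command and Control"
reference = "https://attack.mitre.org/tactics/TA0011/"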