Suspicious Network Activity to the Internet by Previously Unknown Executable

This rule monitors for network connectivity to the internet from a previously unknown executable located in a suspicious directory to a previously unknown destination IP address. An alert from this rule can indicate the presence of potentially malicious activity, such as the execution of unauthorized or suspicious processes attempting to establish connections to unknown or suspicious destinations such as a command and control server. Detecting and investigating such behavior can help identify and mitigate potential security threats, protecting the system and its data from potential compromise.


# Elastic prebuilt detection rule. [metadata] describes the rule artifact itself;
# [rule] carries the KQL query, the ATT&CK mapping and the New Terms settings.
[metadata]
creation_date = "2023/06/14"
integration = ["endpoint"]
maturity = "production"
# Two New Terms fields are used below (destination.ip and process.executable),
# which is why the minimum stack version is pinned to 8.6.0.
min_stack_comments = "Multiple field support in the New Terms rule type was added in Elastic 8.6"
min_stack_version = "8.6.0"
updated_date = "2023/07/31"

[rule]
author = ["Elastic"]
description = """
This rule monitors for network connectivity to the internet from a previously unknown executable located in a suspicious
directory to a previously unknown destination ip. An alert from this rule can indicate the presence of potentially
malicious activity, such as the execution of unauthorized or suspicious processes attempting to establish connections to
unknown or suspicious destinations such as a command and control server. Detecting and investigating such behavior can
help identify and mitigate potential security threats, protecting the system and its data from potential compromise.
"""
# Look-back window per execution. Presumably set just above the scheduled
# interval so consecutive runs overlap instead of leaving gaps — confirm against
# the rule schedule, which is not defined in this file.
from = "now-59m"
index = ["auditbeat-*", "filebeat-*", "packetbeat-*", "logs-endpoint.events.*", "endgame-*"]
language = "kuery"
license = "Elastic License v2"
name = "Suspicious Network Activity to the Internet by Previously Unknown Executable"
risk_score = 21
rule_id = "53617418-17b4-4e9c-8a2c-8deb8086ca4b"
severity = "low"
tags = ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Command and Control", "Data Source: Elastic Endgame", "Data Source: Elastic Defend"]
# Use ingest time rather than @timestamp so late-arriving events are not missed
# by the look-back window.
timestamp_override = "event.ingested"
type = "new_terms"

# Query notes (KQL has no comment syntax, so the clauses are described here):
# - process.executable must live in a location where binaries are not normally
#   installed (boot, cron/init directories, /dev/shm, /tmp, /var/tmp, /run,
#   /srv, dot-paths under /home, ...). The trailing `not (/usr/bin/...)` list
#   cannot match anything the preceding list accepts — no /usr/bin path is in
#   it — so that exclusion is effectively a no-op and can be dropped or moved
#   to where it has effect.
# - source.ip is limited to RFC 1918 and loopback IPv4 ranges. A host with a
#   public address on its interface, or a connection sourced from IPv6, will
#   not match; weigh this coverage gap when deploying.
# - destination.ip excludes private, loopback, link-local, shared address space
#   (100.64.0.0/10), IETF protocol-assignment and documentation/test ranges,
#   benchmarking space (198.18.0.0/15), multicast (224.0.0.0/4) and reserved
#   (240.0.0.0/4) space, plus IPv6 loopback, link-local and multicast.
#   192.0.0.0/24 already covers the 192.0.0.0/29 and 192.0.0.x/32 entries, so
#   those are redundant but harmless. Because source.ip only admits IPv4, the
#   IPv6 destination exclusions are unlikely to be exercised in practice.
# - event.action: connection_attempted appears to be the Elastic Defend name
#   and ipv4_connection_attempt_event the Endgame one — confirm against the
#   integrations' field documentation.
query = '''
host.os.type:linux and event.category:network and 
event.action:(connection_attempted or ipv4_connection_attempt_event) and 
process.executable : ( 
    (/etc/crontab or 
     /etc/rc.local or 
     /boot/* or 
     /dev/shm/* or 
     /etc/cron.*/* or 
     /etc/init.d/* or 
     /etc/rc*.d/* or 
     /etc/update-motd.d/* or 
     /home/*/.* or 
     /run/* or 
     /srv/* or 
     /tmp/* or 
     /usr/lib/update-notifier/* or 
     /var/tmp/*) and 
     not (/usr/bin/apt or 
          /usr/bin/curl or 
          /usr/bin/dnf or 
          /usr/bin/dockerd or 
          /usr/bin/dpkg or 
          /usr/bin/rpm or 
          /usr/bin/wget or 
          /usr/bin/yum) 
    ) 
and source.ip : ( 
    10.0.0.0/8 or 
    127.0.0.0/8 or 
    172.16.0.0/12 or 
    192.168.0.0/16) and 
    not destination.ip : ( 
        10.0.0.0/8 or 
        100.64.0.0/10 or 
        127.0.0.0/8 or 
        169.254.0.0/16 or 
        172.16.0.0/12 or 
        192.0.0.0/24 or 
        192.0.0.0/29 or 
        192.0.0.10/32 or 
        192.0.0.170/32 or 
        192.0.0.171/32 or 
        192.0.0.8/32 or 
        192.0.0.9/32 or 
        192.0.2.0/24 or 
        192.168.0.0/16 or 
        192.175.48.0/24 or 
        192.31.196.0/24 or 
        192.52.193.0/24 or 
        192.88.99.0/24 or 
        198.18.0.0/15 or 
        198.51.100.0/24 or 
        203.0.113.0/24 or 
        224.0.0.0/4 or 
        240.0.0.0/4 or 
        "::1" or 
        "FE80::/10" or 
        "FF00::/8")
'''

# ATT&CK mapping; the tactic matches the "Tactic: Command and Control" tag above.
[[rule.threat]]
framework = "MITRE ATT&CK"

[[rule.threat.technique]]
id = "T1071"
name = "Application Layer Protocol"
reference = "https://attack.mitre.org/techniques/T1071/"

[rule.threat.tactic]
id = "TA0011"
name = "Command and Control"
reference = "https://attack.mitre.org/tactics/TA0011/"

# New Terms settings: an event alerts only when the combination of
# destination.ip and process.executable has not been observed within the
# history window below.
[rule.new_terms]
field = "new_terms_fields"
value = ["destination.ip", "process.executable"]

# Baseline for "previously seen" terms. A pair last seen more than 7 days ago
# that reappears is treated as new again and will alert.
[[rule.new_terms.history_window_start]]
field = "history_window_start"
value = "now-7d"

