Potentially Suspicious Process Started via tmux or screen
This rule monitors for the execution of suspicious commands via screen and tmux. When launching a command and detaching directly, the commands will be executed in the background via its parent process. Attackers may leverage screen or tmux to execute commands while attempting to evade detection.
Elastic rule (View on GitHub)
1[metadata]
2creation_date = "2023/09/04"
3integration = ["endpoint"]
4maturity = "production"
5updated_date = "2024/10/17"
6
7[rule]
8author = ["Elastic"]
9description = """
10This rule monitors for the execution of suspicious commands via screen and tmux. When launching a command and detaching
11directly, the commands will be executed in the background via its parent process. Attackers may leverage screen or tmux
12to execute commands while attempting to evade detection.
13"""
14from = "now-9m"
15index = ["logs-endpoint.events.*", "endgame-*"]
16language = "eql"
17license = "Elastic License v2"
18name = "Potentially Suspicious Process Started via tmux or screen"
19risk_score = 21
20rule_id = "e0cc3807-e108-483c-bf66-5a4fbe0d7e89"
21severity = "low"
22tags = [
23 "Domain: Endpoint",
24 "OS: Linux",
25 "Use Case: Threat Detection",
26 "Tactic: Defense Evasion",
27 "Data Source: Elastic Defend",
28 "Data Source: Elastic Endgame",
29]
30timestamp_override = "event.ingested"
31type = "eql"
32query = '''
33process where host.os.type == "linux" and event.type == "start" and event.action in ("exec", "exec_event") and
34process.parent.name in ("screen", "tmux") and process.name like (
35 "nmap", "nc", "ncat", "netcat", "socat", "nc.openbsd", "ngrok", "ping", "java", "php*", "perl", "ruby", "lua*",
36 "openssl", "telnet", "wget", "curl", "id"
37)
38'''
39
40[[rule.threat]]
41framework = "MITRE ATT&CK"
42
43[[rule.threat.technique]]
44id = "T1218"
45name = "System Binary Proxy Execution"
46reference = "https://attack.mitre.org/techniques/T1218/"
47
48[rule.threat.tactic]
49id = "TA0005"
50name = "Defense Evasion"
51reference = "https://attack.mitre.org/tactics/TA0005/"
Related rules
- Potential Hidden Process via Mount Hidepid
- File made Immutable by Chattr
- Attempt to Disable IPTables or Firewall
- Attempt to Disable Syslog Service
- System Log File Deletion