Potentially Suspicious Process Started via tmux or screen

This rule monitors for the execution of suspicious commands via screen and tmux. When a command is launched in a detached session (for example `screen -dm <cmd>` or `tmux new-session -d <cmd>`), it runs in the background, typically as a direct child of the screen or tmux process rather than of the user's interactive shell — that parent/child relationship is what this rule keys on. Attackers may leverage screen or tmux to execute commands while attempting to evade detection.


[metadata]
# Dates follow the Elastic rules "YYYY/MM/DD" string convention rather than
# native TOML date values.
creation_date = "2023/09/04"
# The Elastic Defend (endpoint) integration must be deployed for this rule to
# receive events — see the Data Source tags and index patterns under [rule].
integration = ["endpoint"]
maturity = "production"
min_stack_comments = "New fields added: required_fields, related_integrations, setup"
# Oldest stack version this rule is valid for (per min_stack_comments above).
min_stack_version = "8.3.0"
updated_date = "2024/03/08"
 8
[rule]
author = ["Elastic"]
description = """
This rule monitors for the execution of suspicious commands via screen and tmux. When launching a command and detaching 
directly, the commands will be executed in the background via its parent process. Attackers may leverage screen or tmux 
to execute commands while attempting to evade detection.
"""
# Look-back window for each scheduled run. No `interval` key is set in this
# rule, so the platform's default run interval applies; the 9m window is
# presumably meant to overlap consecutive runs so nothing is missed — confirm.
from = "now-9m"
# Elastic Defend (endpoint) and Endgame event streams — the two data sources
# tagged below.
index = ["logs-endpoint.events.*", "endgame-*"]
language = "eql"
license = "Elastic License v2"
name = "Potentially Suspicious Process Started via tmux or screen"
# Low score/severity: several names in the query's list (e.g. ping, id, awk,
# curl) are routine in legitimate admin sessions, so a match is a triage signal
# rather than a high-confidence alert on its own.
risk_score = 21
rule_id = "e0cc3807-e108-483c-bf66-5a4fbe0d7e89"
severity = "low"
tags = [
        "Domain: Endpoint",
        "OS: Linux",
        "Use Case: Threat Detection",
        "Tactic: Defense Evasion",
        "Data Source: Elastic Defend",
        "Data Source: Elastic Endgame"
        ]
# Evaluate the look-back window against ingest time rather than the event's own
# @timestamp, so endpoint events that arrive late still fall inside the window.
timestamp_override = "event.ingested"
type = "eql"
# Query semantics:
# - Linux process-start events whose action is `exec` or `exec_event`
#   (presumably the Elastic Defend and Endgame exec actions respectively —
#   confirm against the data sources).
# - `in (...)` on process.parent.name is an exact, case-sensitive match, so
#   only processes forked directly by a `screen` or `tmux` process match.
#   Commands a user types at an interactive shell inside a session have that
#   shell as their parent and therefore fall outside this query.
# - `: (...)` on process.name is a case-insensitive wildcard match (`python*`,
#   `php*`, `lua*` cover versioned binaries). It is an allowlist of executable
#   basenames: a renamed or copied binary, or a tool not on the list, is not
#   matched, so treat this as coverage of common tooling rather than a bypass-
#   resistant control.
# NOTE(review): `ping`, `id` and `awk` are likely noisy in ordinary screen/tmux
# usage; add exceptions if alert volume is high.
query = '''
process where host.os.type == "linux" and event.type == "start" and event.action in ("exec", "exec_event") and 
process.parent.name in ("screen", "tmux") and process.name : (
  "nmap", "nc", "ncat", "netcat", "socat", "nc.openbsd", "ngrok", "ping", "java", "python*", "php*", "perl", "ruby",
  "lua*", "openssl", "telnet", "awk", "wget", "curl", "id"
  )
'''
41
[[rule.threat]]
# ATT&CK mapping for this rule.
framework = "MITRE ATT&CK"

[[rule.threat.technique]]
# NOTE(review): T1218 describes proxying execution through trusted system
# binaries; confirm this is the intended mapping for screen/tmux (which here act
# as a detaching parent rather than a proxy) and not another Defense Evasion
# technique.
id = "T1218"
name = "System Binary Proxy Execution"
reference = "https://attack.mitre.org/techniques/T1218/"

[rule.threat.tactic]
id = "TA0005"
name = "Defense Evasion"
reference = "https://attack.mitre.org/tactics/TA0005/"
